Code Room
System design | Hard | sd-g481
Subject: Secrets management | Level: Senior–Staff | ~45 min | Common in Security interviews | Industries: Technology

Question

Design the detection-and-automated-response pipeline for leaked secrets: developers occasionally commit API keys, DB passwords, and cloud credentials into git repos, CI logs, or public pastes. You operate the platform and want to detect a leaked secret within seconds of it being pushed and automatically contain it (revoke/rotate) before an attacker can use it — across millions of pushes/day and dozens of credential types. Discuss how you detect candidate secrets, how you verify a hit is a real live credential (vs a fake/example), how automated revocation works without breaking production, and the blast-radius / false-positive trade-offs of auto-revoking.

What a strong answer looks like

Clarify scale and constraints first. Propose a clean component breakdown, then go deep on the hard parts — data model, bottlenecks, consistency, failure modes — and name the trade-offs you are making.
