Detecting and removing dangerous secrets on dev workstations

This post presents an open-source approach using Bagel (a workstation secret scanner) and Fleet (an osquery-based platform) to detect and manage plain-text secrets on developer machines. The author's proof-of-concept, "Fleebag," automates scanning via a macOS LaunchAgent, parses results with Fleet queries, and enforces compliance through policies. The goal is to prevent credential theft by infostealers, especially for developers with access to critical projects, and to complement existing endpoint security with proactive, automated detection and remediation.

https://recyclebin.zip/posts/2026-05-25-secret-scanning-fleet-bagel
