ANTIGRAVITY LABJP
Articles/Agents & Manager
Agents & Manager/2026-06-02Advanced

Keeping Secrets Out of Your Antigravity Agent's Output: Layered Defenses for Logs, Diffs, and PR Bodies

The three paths through which background agents leak secrets, and how to defend commit diffs, execution logs, and PR bodies with layered protection, drawn from running six apps and measured false-positive rates.

Antigravity338AI Agents14Security9Secrets ManagementCI/CD17

Premium Article

One night, while a background agent was handling update work across six of my apps, I noticed that the generated pull request description contained what looked like a Firebase server key. Trying to write a thorough crash-reproduction guide, the agent had pasted the raw contents of an environment variable for debugging. It was a private repository and nothing was published, but the thought of what would have happened with auto-merge enabled sent a chill down my spine.

I'm Masaki Hirokawa. I've been building apps on my own since 2014, mostly wallpaper, relaxation, and manifestation apps, and they have accumulated somewhere around 50 million downloads. Lately I've been handing more of my iOS and Android update work to Antigravity's agents, and I keep noticing that agents will casually cross secret-handling lines that a human would instinctively avoid, depending on the context. Here I want to break down the paths by which secrets escape through an agent's output into three, and share how I close each one, along with numbers I measured in actual operation.

The Three Exits Where Agents Leak Secrets

When people think about secrets management, attention tends to go to where secrets are stored. But in the age of agents, the truly dangerous part is not the storage location, it's the exit. Even if you've removed .env from Git and moved it into a Secret Manager, none of that matters if the agent reads those values at runtime and writes them out somewhere else.

The leak exits I observed sort into three:

  1. Leaking into commit diffs. The agent includes a debug scratch file or a config snapshot directly in a commit.
  2. Leaking into execution logs and audit trails. The agent dumps environment variables, or pipes an entire API response into a log. The more carefully you design your system to retain audit logs, the higher the risk that a plaintext key gets persisted there.
  3. Leaking into PR bodies and chat responses. This is the incident I opened with. The agent quotes a value "for the sake of explanation," and it's the hardest path to notice.

These three differ in nature, so no single countermeasure closes all of them. You stop the diff before the commit, redact the log while letting it flow, and run a final check on PRs and chat right before they go public. You need to think in layers.

Exit 1: Commit Diffs, Stopped at pre-commit

The first line of defense is the commit. Before the agent runs git commit, scan the staged diff and reject anything that looks like a key. I use a hook based on gitleaks, with patterns specific to my app business added on top.

Let's start with the approach that doesn't work. A hook like the following, which only looks at the commit message, lets the actual diff contents sail right through.

# Anti-pattern: inspects only the message, never the diff body
#!/usr/bin/env bash
msg=$(cat "$1")
if echo "$msg" | grep -qi "secret"; then
  echo "Commit message contains the word secret"
  exit 1
fi
exit 0

What you actually want to protect is the staged diff. The following passes the contents of git diff --cached to gitleaks.

#!/usr/bin/env bash
# .git/hooks/pre-commit — inspect only the staged diff
set -euo pipefail
 
# Run gitleaks in diff mode if available
if command -v gitleaks >/dev/null 2>&1; then
  if ! gitleaks protect --staged --redact --config .gitleaks.toml; then
    echo "Secret-like string detected in the staged diff"
    echo "Run git restore --staged <file>, then re-commit"
    exit 1
  fi
fi
 
# Secondary check via local patterns (fallback when gitleaks is absent)
diff=$(git diff --cached -U0 | grep '^+' || true)
patterns=(
  'AKIA[0-9A-Z]{16}'                 # AWS access key id
  'AIza[0-9A-Za-z_-]{35}'            # Google API key
  'gh[pousr]_[0-9A-Za-z]{36}'        # GitHub token
  'sk_live_[0-9A-Za-z]{24,}'         # Stripe live secret
)
for p in "${patterns[@]}"; do
  if echo "$diff" | grep -Eq "$p"; then
    echo "Key pattern /$p/ matched in the staged diff"
    exit 1
  fi
done
exit 0

The crucial part is --staged (in gitleaks, protect --staged). Scanning the entire repository history on every commit takes tens of seconds even on a small indie-developer machine, but scanning only the staged diff finishes in under a second on any of my six app repos. When you embed this in an agent's work loop, that speed is the practical dividing line.

In .gitleaks.toml, I declare the kinds of keys my app business actually uses, both as rules and as allowlist entries. Unless you exclude values that "look like keys but are safe to publish," such as an AdMob app ID, you'll be plagued by the false positives I describe later.

Thank you for reading this far.

Continue Reading

What follows includes implementation code, benchmarks, and practical content we hope you'll find useful. This site runs without ads — server and development costs are supported entirely by members like you. If it's been helpful, we'd be truly grateful for your support.

WHAT YOU'LL LEARN
A layered design that defends three distinct leak paths separately: commit diffs, execution logs, and PR bodies
Working implementation code for a pre-commit hook and CI guard (gitleaks integration, regex, entropy handling)
Measured false-positive rates from running six apps, and the allowlist tuning that cut them from 12% to 0.4%
Secure payment via Stripe · Cancel anytime

Unlock This Article

Get full access to the rest of this article. Buy once, read anytime. This site is ad-free — your support goes directly toward keeping it running.

or
Unlock all articles with Membership →
Share

Thank You for Reading

Antigravity Lab is ad-free, supported entirely by members like you. We publish practical guides daily with implementation code, benchmarks, and production-ready patterns. If you've found it useful, we'd love to have you on board.

  • Copy-paste ready implementation code
  • New advanced guides published daily
  • $5/mo or $10 for lifetime access
View Membership →

Related Articles

Agents & Manager2026-06-24
Before a Stray Instruction in a Fetched Page Drives Your Unattended Agent — Tainting Inputs to Downgrade Capabilities
So an unattended agent that reads external pages or PDFs can't be hijacked by an instruction hidden inside them: track the taint of every input and automatically downgrade side-effecting tools. With working Python and real operational numbers.
Agents & Manager2026-07-13
Passing API Keys to Agents Safely: Runtime Env Injection and Log Redaction
How to hand secrets to an Antigravity agent without leaving them in your repo or your logs, using runtime environment injection and output masking.
Agents & Manager2026-05-06
Giving AI Agents an Aesthetic Sense — Building a UI Quality Evaluation Pipeline with Antigravity × Gemini Vision
Explore how to encode the vague judgment of 'is this UI good or bad' into code. Combines Antigravity with Gemini Vision to implement a complete pipeline — from screenshot capture to AI evaluation, improvement suggestions, automated fixes, and CI/CD integration.
📚RECOMMENDED BOOKS
Build a Large Language Model (From Scratch)
Sebastian Raschka
LLM Dev
Prompt Engineering for LLMs
Berryman & Ziegler
Prompting
AI Engineering
Chip Huyen
AI Eng
* Contains affiliate links
See all →