Most active commenters
  • cess11(3)

←back to thread

I scanned all of GitHub's "oops commits" for leaked secrets

(trufflesecurity.com)
199 points elza_1111 | 16 comments | 03 Jul 25 06:44 UTC | HN request time: 0.834s | source | bottom
1. UnreachableCode ◴[03 Jul 25 07:54 UTC] No.44452675[source]
What I've never understood is, how is this an issue with private repos? Aside from open source projects I can't see the problem with accidentally doing this, even though it is a smell.
replies(5): >>44452714 #>>44452733 #>>44452828 #>>44453249 #>>44453819 #
2. cess11 ◴[03 Jul 25 08:01 UTC] No.44452714[source]
It's called private but actually shared with a very large corporation you don't control, likely running on infrastructure they don't control. Due to the CLOUD Act it's also shared with the US government.
replies(2): >>44452908 #>>44452931 #
3. froobius ◴[03 Jul 25 08:03 UTC] No.44452733[source]
It's a bad idea...

- commit secret in currently private repo

- 3 years later share / make public

- forget the secret is in the commit history, and still valid, (and relatedly, having long-lived secrets is less secure)

Sure that might not happen for you, but the chances increase dramatically if you make a habit of commiting secrets.

replies(1): >>44452826 #
4. yard2010 ◴[03 Jul 25 08:18 UTC] No.44452826[source]
In a large messaging app I worked for we self hosted a gitlab instance for this exact reason. I thought it was over the top but now I get it, you can never be too sure.
replies(1): >>44455176 #
5. dspillett ◴[03 Jul 25 08:18 UTC] No.44452828[source]
Anything that makes the repo less private later (deliberate public release, hack (not just if the repo bit of anything that can connect to it), etc) means the secret is now in the open.

Always cycle credentials after an accident like committing them to source control. Do it immediately, you will forget later. Even if you are 100% sure the repo will never be more public, it is a good habit to form.

6. bapak ◴[03 Jul 25 08:35 UTC] No.44452908[source]
Secrets gotta live somewhere. Are you supplying them every time you deploy or run CI?
replies(3): >>44453051 #>>44453088 #>>44455627 #
7. Cthulhu_ ◴[03 Jul 25 08:39 UTC] No.44452931[source]
Exactly; you should fully expect the NSA to have a copy of these logs as well. It can be very valuable to have secret keys from companies in adversarial countries (including your own).

Example, there's an ICE reporting app now where people can anonymously report ICE sightings... but how anonymous is it really? Users report a location, that can be cross-referenced with location histories and quicky led back to an individual. There may be retaliation to users of this app if the spiral into authoritarianism in the US continues.

replies(1): >>44453113 #
8. larntz ◴[03 Jul 25 09:00 UTC] No.44453051{3}[source]
Yes. Either via a secret manager (eg vault) or configured as repo secrets if that kind of infra isn't available.

https://docs.github.com/en/actions/how-tos/security-for-gith...

Never commit secrets for any reason.

replies(1): >>44454878 #
9. cess11 ◴[03 Jul 25 09:08 UTC] No.44453088{3}[source]
I'm not telling you what you should or should not do, especially not in the abstract. I commented on the deceptive terminology employed by a very large corporation with deep connections to rather distasteful activities and organisations.
10. cess11 ◴[03 Jul 25 09:12 UTC] No.44453113{3}[source]
Right, so, some activists and freedom fighters have been doing stuff in environments they know to be hostile for a long time, while the US has just started growing some movements like that after a hiatus from sometime in the seventies and eighties until somewhat recently.

For now they're going to be making a lot of basic mistakes but eventually they'll grugq up and learn from people that are already used to dealing with the violence of their government.

11. lqet ◴[03 Jul 25 09:32 UTC] No.44453249[source]
Many years ago at my first job after university, I accidentally committed a private key into our internal Git repository. We removed it, because we could not completely rule out the possibility that this repository would be made public to a customer, or to the world, in the future. I think we used filter-repo to get the key out of everywhere.
12. Thorrez ◴[03 Jul 25 11:12 UTC] No.44453819[source]
Different employees in the company have different permissions. If an employee with a lot of access commits a secret, then employees who shouldn't have that much access can take the secret and use it.
13. bapak ◴[03 Jul 25 13:31 UTC] No.44454878{4}[source]
Repo secrets are just stored on someone's computer and they obviously have the keys. This is what I mean.

Same for your vault. The vault might be encrypted, but at some point you have to give the keys to the vault.

Your secrets are not safe from someone if someone needs them to run your code.

replies(1): >>44455297 #
14. ◴[03 Jul 25 14:00 UTC] No.44455176{3}[source]
15. larntz ◴[03 Jul 25 14:14 UTC] No.44455297{5}[source]
> Your secrets are not safe from someone if someone needs them to run your code.

This is true. I don't disagree with that or you're assessment of repo secrets.

My comment was in the context of the grandparent committing secrets to a private repo which is a bad practice (regardless of visibility). You could do that for tests, sure (I would suggestion creating random secrets for each test when you can), but then you're creating a bad habit. If you can't use random secrets for tests repo secrets would be acceptable, but I wouldn't use them beyond that.

For CI and deploys I would opt for some kind of secret manager. CI can be run on your own infrastructure, secret managers can be run on your own infrastructure, etc...

But somewhere in the stack secret(s) will be exposed to _someone_.

16. UltraSane ◴[03 Jul 25 14:47 UTC] No.44455627{3}[source]
I like to encrypt secrets with a master secret stored in a TPM. This makes it impossible to accidentally leak the secret.