←back to thread

I scanned all of GitHub's "oops commits" for leaked secrets

(trufflesecurity.com)
199 points elza_1111 | 1 comments | 03 Jul 25 06:44 UTC | HN request time: 0s | source
Show context
UnreachableCode ◴[03 Jul 25 07:54 UTC] No.44452675[source]
What I've never understood is, how is this an issue with private repos? Aside from open source projects I can't see the problem with accidentally doing this, even though it is a smell.
replies(5): >>44452714 #>>44452733 #>>44452828 #>>44453249 #>>44453819 #
1. dspillett ◴[03 Jul 25 08:18 UTC] No.44452828[source]
Anything that makes the repo less private later (deliberate public release, hack (not just if the repo bit of anything that can connect to it), etc) means the secret is now in the open.

Always cycle credentials after an accident like committing them to source control. Do it immediately, you will forget later. Even if you are 100% sure the repo will never be more public, it is a good habit to form.