←back to thread

I scanned all of GitHub's "oops commits" for leaked secrets

(trufflesecurity.com)
199 points elza_1111 | 1 comments | 03 Jul 25 06:44 UTC | HN request time: 0s | source
Show context
UnreachableCode ◴[03 Jul 25 07:54 UTC] No.44452675[source]
What I've never understood is, how is this an issue with private repos? Aside from open source projects I can't see the problem with accidentally doing this, even though it is a smell.
replies(5): >>44452714 #>>44452733 #>>44452828 #>>44453249 #>>44453819 #
cess11 ◴[03 Jul 25 08:01 UTC] No.44452714[source]
It's called private but actually shared with a very large corporation you don't control, likely running on infrastructure they don't control. Due to the CLOUD Act it's also shared with the US government.
replies(2): >>44452908 #>>44452931 #
bapak ◴[03 Jul 25 08:35 UTC] No.44452908[source]
Secrets gotta live somewhere. Are you supplying them every time you deploy or run CI?
replies(3): >>44453051 #>>44453088 #>>44455627 #
1. cess11 ◴[03 Jul 25 09:08 UTC] No.44453088[source]
I'm not telling you what you should or should not do, especially not in the abstract. I commented on the deceptive terminology employed by a very large corporation with deep connections to rather distasteful activities and organisations.