199 points elza_1111 | 3 comments
v3ss0n No.44452592
Daily reminder:

- Once it is on the internet, it is always there, so rotate the key/secrets FIRST.

- Never think secrets are gone because you have recommitted.

- Deleting a commit is not enough; use BFG Cleaner (https://rtyley.github.io/bfg-repo-cleaner/) and force commit to change history.

Edit: forgot to add the most important thing, rotating the key.

hnlmorg No.44452614
The problem here is that GitHub keeps the ref logs even for commits that no longer exist.

I don’t see how BFG helps here.

1. v3ss0n No.44453295
It rewrites the history. Isn't that really enough? You can remove all the keys from the git history. And I agree, I forgot the point about rotating the key, which I always do first.
2. Timwi No.44453408
It might remove it from your local repo, but not from GitHub, that's the point.
3. hnlmorg No.44456010
No it’s not enough. Read the article and it will explain why.

Also, if you’re going to rotate your secrets (which you absolutely should do regardless) then everything else is pointless because it’s now just an invalid credential.
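The two points argued above (v3ss0n: deleting a commit does not delete the secret; hnlmorg: reflogs keep "deleted" commits alive, and the remote copy is out of your hands anyway) can be seen directly in a throwaway repository. The following script is an added example written for this thread, not code from any of the commenters or from the BFG project. It commits a constructed placeholder secret, "deletes" the commit with a hard reset, then checks the reflog history and every blob in the object store; finally it runs the local scrub (reflog expire plus gc) and checks again. The secret value, the repo layout and the function names are all constructed for the demo; `git` must be installed.

```shell
#!/bin/sh
# Added example (not from the thread). Shows that "deleting" a commit leaves
# the secret in the object store and reachable through the reflog, and that a
# local scrub only cleans THIS clone: a remote such as GitHub, or any fork or
# clone that already fetched the commit, still holds it, so rotate the key.
# FAKE_SECRET and the throwaway repo are constructed for this demo.
set -eu

command -v git >/dev/null 2>&1 || { echo "git is required for this demo" >&2; exit 0; }

FAKE_SECRET='EXAMPLE_KEY_not_a_real_credential_00000'

# Build a throwaway repo: commit a file containing the secret, then "delete"
# that commit with a hard reset. Prints the repo path on stdout.
make_demo_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" config user.email demo@example.invalid
  git -C "$dir" config user.name demo
  echo "hello" > "$dir/README"
  git -C "$dir" add README
  git -C "$dir" commit -qm "initial"
  echo "api_key=$FAKE_SECRET" > "$dir/config.env"
  git -C "$dir" add config.env
  git -C "$dir" commit -qm "add config (oops)"
  git -C "$dir" reset -q --hard HEAD~1   # the commit is now "deleted" from the branch
  printf '%s\n' "$dir"
}

# Is the secret still in the history that reflog entries keep alive?
# --reflog treats every reflog entry as a starting point. Returns 0 yes / 1 no.
secret_in_reflog_history() {
  git -C "$1" log --all --reflog -p 2>/dev/null | grep -q "$FAKE_SECRET"
}

# Is the secret in ANY blob in the object store, reachable or not?
# --batch-all-objects lists loose and packed objects regardless of refs.
secret_in_object_store() {
  git -C "$1" cat-file --batch-all-objects --batch-check='%(objectname) %(objecttype)' |
    awk '$2 == "blob" { print $1 }' |
    while read -r oid; do
      git -C "$1" cat-file -p "$oid" | grep -q "$FAKE_SECRET" && echo "$oid"
    done | grep -q .
}

# Scrub this clone only: drop ORIG_HEAD left by the reset, expire every reflog
# entry, then prune everything that is no longer reachable.
scrub_local_clone() {
  git -C "$1" update-ref -d ORIG_HEAD 2>/dev/null || rm -f "$1/.git/ORIG_HEAD"
  git -C "$1" reflog expire --expire=now --all
  git -C "$1" gc -q --prune=now
}

# Run the demo end to end and report what each stage found.
demo() {
  repo=$(make_demo_repo)
  if secret_in_reflog_history "$repo"; then
    echo "after reset: secret still visible via reflog history"
  fi
  if secret_in_object_store "$repo"; then
    echo "after reset: secret blob still in the object store"
  fi
  scrub_local_clone "$repo"
  if secret_in_object_store "$repo"; then
    echo "after scrub: secret STILL present in this clone"
  else
    echo "after scrub: gone from this clone only; remotes, forks and other clones are unaffected"
  fi
  rm -rf "$repo"
}

demo
```

The scrub step is the part that history rewriting tools such as BFG automate across a whole repository, and it is only ever effective for the copy you run it on. Anything that fetched the commit before the rewrite, including the hosting service's own storage, keeps the blob, which is why the thread's conclusion is to treat the credential as compromised and rotate it first.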