(trufflesecurity.com)

199 points elza_1111 | 1 comments | 03 Jul 25 06:44 UTC | HN request time: 0.206s | source

Show context

v3ss0n ◴[03 Jul 25 07:39 UTC] No.44452592[source]▶

Daily reminder:

- Once it is on the internet - it is always there so Rotate the key/secrets FIRST.

- Never think secrets are gone because of you have recommited .

- Deleting a commit is not enough , use BFG Cleaner - https://rtyley.github.io/bfg-repo-cleaner/ , and force commit to change history.

Edit- Forget to add most important thing - rotating the key.

replies(3): >>44452614 #>>44452660 #>>44452676 #

hnlmorg ◴[03 Jul 25 07:42 UTC] No.44452614[source]▶

>>44452592 #

The problem here is that GitHub keeps the ref logs even for commits that no longer exist.

I don’t see how BFG helps here

replies(1): >>44453295 #

v3ss0n ◴[03 Jul 25 09:37 UTC] No.44453295[source]▶

>>44452614 #

it rewrites the history. Isn't that really enough? You can remove all the keys from the git history. and I agree , i forget the point about rotating the key which i do always in first .

replies(2): >>44453408 #>>44456010 #

1. Timwi ◴[03 Jul 25 10:04 UTC] No.44453408[source]▶

>>44453295 #

It might remove it from your local repo, but not from GitHub, that's the point.

↑

I scanned all of GitHub's "oops commits" for leaked secrets