199 points elza_1111 | 2 comments
oefrha ◴[] No.44452722[source]
> GitHub keeps these dangling commits, from what we can tell, forever.

Not if you contact customer support and ask them to garbage collect your repo.

What I do when I accidentally push something I don’t want public:

- Force push;

- Immediately rotate if it’s something like a secret key;

- Contact customer support to gc the repo (and verify the commit is gone afterwards).

(Of course you should consider the damage done the moment you pushed it. The above steps are meant to minimize potential further damage.)

replies(2): >>44452835 #>>44453055 #
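
The mechanics behind the force-push and gc steps in the comment above, as an added example that is not part of the thread. A local bare repository stands in for the hosting side (an assumption; GitHub's own storage and garbage collection are not shown), and the key value is constructed.

```shell
#!/bin/sh
# Added example: throwaway repos in a temp dir, no network access.

# Prints "present" if object $2 still exists in repo $1, else "gone".
object_state() {
    if git -C "$1" cat-file -e "$2" 2>/dev/null; then
        echo present
    else
        echo gone
    fi
}

# Runs in a subshell so the exports and set -e do not leak to the caller.
demo_dangling() (
    set -e
    tmp=$(mktemp -d)
    # Isolate from the caller's git configuration and identity.
    export GIT_CONFIG_GLOBAL=/dev/null GIT_CONFIG_NOSYSTEM=1
    export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
    export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
    remote="$tmp/remote.git"   # stand-in for the hosted repository
    work="$tmp/work"

    git init -q --bare "$remote" 2>/dev/null
    git init -q "$work" 2>/dev/null
    echo "readme" > "$work/README"
    git -C "$work" add README
    git -C "$work" commit -q -m "initial"
    git -C "$work" push -q "$remote" HEAD:refs/heads/main

    # The accidental push: a constructed, non-functional key.
    echo "API_KEY=constructed-not-a-real-key" > "$work/.env"
    git -C "$work" add .env
    git -C "$work" commit -q -m "add config"
    leaked=$(git -C "$work" rev-parse HEAD)
    git -C "$work" push -q "$remote" HEAD:refs/heads/main

    # Step 1 of the comment: rewrite history and force push.
    git -C "$work" reset -q --hard HEAD~1
    git -C "$work" push -q --force "$remote" HEAD:refs/heads/main
    before=$(object_state "$remote" "$leaked")   # unreachable, still stored

    # What the gc request asks the host to do, run here on the stand-in.
    git -C "$remote" reflog expire --expire=now --all
    git -C "$remote" gc -q --prune=now
    after=$(object_state "$remote" "$leaked")    # the verification step

    rm -rf "$tmp"
    echo "$before $after"
)
```

Calling `demo_dangling` prints the state of the leaked commit on the stand-in remote after the force push and again after pruning, which is the check the "verify the commit is gone afterwards" step refers to.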
whyever ◴[] No.44452835[source]
If you rotated the secret, why do anything else? I don't think there is any potential further damage (except maybe reputational).
replies(2): >>44452855 #>>44453123 #
oefrha ◴[] No.44453123[source]
1. Not all secrets can be rotated. E.g. I can't just "rotate" my home address, which I prefer to be private.

2. Even for rotatable secrets, "I don't think there is any potential further damage" rests on the assumption that the secret is 100% invalidated everywhere. What if there are obscure and/or neglected systems, possibly outside of your control, that still accept that secret? No system is bug-free. If I can take steps to minimize access to an invalidated secret, I will.

replies(3): >>44453441 #>>44454036 #>>44460501 #
1. jofzar ◴[] No.44453441[source]
> 1. Not all secrets can be rotated. E.g. I can't just "rotate" my home address, which I prefer to be private.

Reporter can sell their current house and move to another home as a workaround

Closing ticket as workaround provided.

replies(1): >>44455509 #
2. AppleBananaPie ◴[] No.44455509[source]
Here's your promotion!

Thanks for being a great team player!