←back to thread

I scanned all of GitHub's "oops commits" for leaked secrets

(trufflesecurity.com)
199 points elza_1111 | 1 comments | 03 Jul 25 06:44 UTC | HN request time: 0.21s | source
Show context
UnreachableCode ◴[03 Jul 25 07:54 UTC] No.44452675[source]
What I've never understood is, how is this an issue with private repos? Aside from open source projects I can't see the problem with accidentally doing this, even though it is a smell.
replies(5): >>44452714 #>>44452733 #>>44452828 #>>44453249 #>>44453819 #
froobius ◴[03 Jul 25 08:03 UTC] No.44452733[source]
It's a bad idea...

- commit secret in currently private repo

- 3 years later share / make public

- forget the secret is in the commit history, and still valid, (and relatedly, having long-lived secrets is less secure)

Sure that might not happen for you, but the chances increase dramatically if you make a habit of commiting secrets.

replies(1): >>44452826 #
yard2010 ◴[03 Jul 25 08:18 UTC] No.44452826[source]
In a large messaging app I worked for we self hosted a gitlab instance for this exact reason. I thought it was over the top but now I get it, you can never be too sure.
replies(1): >>44455176 #
1. ◴[03 Jul 25 14:00 UTC] No.44455176[source]