Couple of days ago I conducted a small experiment WRT secrets commited to public git repositories. My plan was simple: (1) Generate a secret, (2) commit it to the public repository, and (3) see what happens. Thread time! 👉

BTW. For the secret I've chosen AWS key generated with @ThinkstCanary by @haroonmeer et al.

Anyhow, my experiment for @github and @gitlab went as follows...

Timeline for @github:
1. I pushed the commit with AWS key at 15:27
2. At 15:34 (7 minutes) I got an email from @GitGuardian informing me about possible secret leakage
3. At 15:38 (11 minutes) the token was compromised for the first time.

Within next 2 hours there were 5 more alerts. Traffic came from: Germany, Netherlands, United Kingdom, and Ukraine. According to User-Agents bots used Python and Node.js SDKs.

NOTE: I also received a security alert about vulnerable dependencies.

Timeline for @gitlab:
1. I pushed the commit with AWS key at 16:24
2. At 17:26 (62 minutes) the token was compromised for the first AND last time. Traffic came from France. According to User-Agent the bot used Python SDK.

NOTE: I received no information from @gitlab about leaked secret nor about anything else. I know GitLab does offer this functionality (both secret detection and dependency scanning), but sadly they do so only for Gold or Ultimate. That's a shame!

What can you learn from this? Couple of things:
0. Adversaries scan @github way more than @gitlab
1. If you use GitHub you should look into @GitGuardian
2. If you use GitLab you can upgrade to Gold/Ultimate or take care of secret detection on your own

3. For *proactive* measures against leakage use pre-commit hooks (e.g.… by @thoughtworks)
4. For *reactive* measures against leakage scan for secrets in your CICD (e.g.… by @zricethezav)

That's it folks!


• • •

Missing some Tweet in this thread? You can try to force a refresh

Keep Current with Andrzej Dyjak

Andrzej Dyjak Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!


Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!