Part of what we do for clients is monitor GitHub public repositories looking for times when their code and secrets have leaked.
If we find any other secrets along the way, we feel it is in the best interest of the security of the internet overall to make the committer aware this has happened.
As you likely already know, once any hardcoded credentials are exposed in a public repository, it can take only a few minutes for bots to find and start trying to exploit them.
We strive to do better, and if this was a false positive we would love your feedback. Thanks for your help in improving our efforts to protect public GitHub users.
Git keeps every commit in the repository's history, so just removing a secret in the next commit does not remove the credential from the repo.
We recommend treating every credential committed in public as a compromised credential and rotating it as soon as possible.
Read more about removing a commit from your git history.
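As an added example (not GitGuardian's own code), the shell session below commits a constructed placeholder key, deletes it in the following commit, and shows it is still reachable in history; the second function shows what an actual history rewrite takes. It assumes git is installed and uses a fake key value that is not a real credential.

```shell
#!/bin/sh
# Added example: a secret deleted in the next commit is still in git history.
# FAKE_KEY is a constructed placeholder, not a real AWS access key.
set -e

FAKE_KEY="AKIAEXAMPLEKEY000000"

# Build a throwaway repo: commit 1 adds the key, commit 2 deletes the file.
make_repo() {
  REPO=$(mktemp -d)
  cd "$REPO"
  git init -q
  git config user.email "dev@example.com"
  git config user.name "dev"
  printf 'AWS_ACCESS_KEY_ID=%s\n' "$FAKE_KEY" > config.env
  git add config.env
  git commit -q -m "add config"
  git rm -q config.env
  git commit -q -m "remove leaked key"
}

# Returns 0 if the key text is still reachable from any ref in the repo.
key_in_history() {
  git log --all -p | grep -q "$FAKE_KEY"
}

# The "removal" commit does not purge the key: this returns 0 (still found).
secret_survives_removal_commit() {
  make_repo
  key_in_history
}

# Rewriting history drops the file from every commit; reflogs must then be
# expired and unreachable objects garbage-collected before it is really gone.
# Even after this, the value was public and must still be rotated.
purge_from_history() {
  make_repo
  FILTER_BRANCH_SQUELCH_WARNING=1 git filter-branch -f \
    --index-filter 'git rm -q --cached --ignore-unmatch config.env' HEAD
  rm -rf .git/refs/original
  git reflog expire --expire=now --all
  git gc -q --prune=now
  ! key_in_history
}
```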
The @GitGuardian service is awesome. Just wanted to point that out! #livesaviour
@GitGuardian thanks for helping detect the leak of my AWS keys on GitHub; saved me a lot of potential embarrassment in front of employers
Tried out @GitGuardian today & it worked really well. Wanted to convert a private repo into a public repo but was worried I left some keys in a historic commit. Anxiety gone.
So secrets/tokens make it into repos all the time and it is unfortunate. But you can make it really easy to manage and get notified when this happens. I use GitGuardian & it's fantastic. Super easy to set up!! NO excuse not to do this. https://t.co/vv2zUHPowT