I found your keys — secrets on GitHub

InfiltrateOps
3 min read · Sep 26, 2022
Credentials found in Public GitHub Code Repository

Secrets are, well, secrets, and it boggles the mind that I frequently find them on GitHub. In this post, we will discuss how I often locate API keys, tokens, and other credentials on GitHub and what can be done to prevent this from happening.

Why are you looking for secrets on GitHub anyway?

As part of the OSINT (Open Source Intelligence) or reconnaissance phase of an engagement, I’ll search various types of online sources for information that could potentially be leveraged by a bad actor to gain access to the target. In the case of searching publicly accessible source code repositories, I’m looking for credentials. I find them often.

How does this happen?

I believe this issue stems from a lack of training when it comes to best practices for keeping secrets out of source code repositories.

Developers accidentally publish secrets to public source code repositories, and doing so leaves the organizations they work for vulnerable.

Additionally, when the CI/CD pipeline has no tooling that scans for secrets, nothing stops a secret from leaking to the public when it was never meant to.

Which tools do you use to find accidentally published secrets?

There are many tools to aid in this process, but I’ll be honest: I perform these searches by hand, as I’m often frustrated by the API rate limits that you hit when using automated tools to perform these searches.

If anyone is interested in a write-up about the different tools that aid in this process, or maybe even the types of queries that I use when I perform these searches manually, please let me know and I’ll work on a post detailing those.

How can an organization prevent the leakage of secrets on GitHub?

This list isn’t going to cover all options, but it will cover the top options. If there is interest, I’ll cover these options in greater detail in another post.

  • Consider using a key vault — A key vault is a cloud-based service that provides secure storage for secrets. Secrets are encrypted using keys that are managed by the key vault service. The key vault service provides access control to secrets, and auditing of secret access.
  • Use encrypted secrets — Encrypted Secrets are encrypted environment variables that you create in an organization, repository, or repository environment. These secrets are available to use in GitHub Actions workflows.
  • CI/CD Secret Scanning — As part of a Continuous Integration pipeline, you can integrate tools that scan commits for secrets and alert when a commit is found to contain one. An example of one such tool that could aid in this process is git-secrets.
  • Use a private repository — If you’re going to commit secrets anyway, consider not publishing the code publicly. GitHub offers private repositories.
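A minimal version of the CI secret-scanning step from the list above, as an added example (not git-secrets' own code): it checks only the added lines of a diff such as `git diff --cached` output, applies a few well-known credential formats plus an entropy-filtered "assignment" rule, and returns findings a pipeline can fail on. The sample diff and the hex value are constructed; the AWS key is AWS's documented example ID, and the entropy threshold of 3.0 bits is an assumed tuning value.

```python
import math
import re
from collections import Counter

# High-confidence formats (AWS access key IDs, GitHub PATs, PEM private keys)
# plus a looser "assignment" rule that needs placeholder and entropy checks to cut noise.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}
PLACEHOLDERS = {"changeme", "your_password_here", "xxxxxxxx"}  # assumed dummy values

def shannon_entropy(s):
    """Bits per character: random tokens score ~3.5+, words and placeholders lower."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def scan_diff(diff):
    """Return (path, rule, line) for every *added* line that looks like a secret."""
    findings, path = [], None
    for line in diff.splitlines():
        if line.startswith("+++ "):          # new-file header: remember the path
            path = line[6:] if line.startswith("+++ b/") else line[4:]
            continue
        if not line.startswith("+"):         # only added lines can introduce a new secret
            continue
        content = line[1:]
        for rule, rx in PATTERNS.items():
            m = rx.search(content)
            if m is None:
                continue
            if rule == "assignment" and (m.group(2).lower() in PLACEHOLDERS
                                         or shannon_entropy(m.group(2)) < 3.0):
                continue                     # dummy or low-entropy value, not a credential
            findings.append((path, rule, content.strip()))
    return findings

# Constructed sample diff: the AWS key is AWS's documented example ID, the hex string is made up.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "changeme"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+api_key = "c8f3a2b9e1d4f7a6b5c4d3e2f1a0b9c8"
"""
```

Wired into a pre-commit hook or CI job, a non-empty findings list from the staged diff is what rejects the commit or fails the build; the "changeme" line is deliberately skipped so that template values do not drown real hits.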

Can you provide examples of secrets that you find?

I considered showing some active examples, but I obviously don’t want to point out any secrets that are actively available on GitHub that could be used by an attacker.

As I was considering posting an example, I did find some login and password combinations for a major defense contractor just sitting in a GitHub repository though. Yikes.

Summary

The security of source code repositories is often overlooked as a part of an organization’s application security strategy. The truth is, code repositories are full of secrets and sensitive information. This data is often leaked due to poor code security practices or simply due to human error.

To mitigate these risks, organizations should consider secret scanning integrated directly into their CI/CD pipeline, plus active secret scanning of the Git repositories associated with these projects.


Red Team hacker by day, bug bounty hunter by night. Sniffing bugs so you can sniff the roses. Chill, I'm on it.