Bots that scrape GitHub commits, do they exist?
Posted by Orobarsa3008@reddit | learnprogramming | 5 comments
We have a heavy virtual assistant project that we started back when we were Git beginners.
Some months ago, while the project was still private, someone uploaded our OpenAI key by mistake, but we quickly solved it. After that, this situation never happened again.
Fast forward a couple of months: yesterday we made the repository public, and our key got instantly leaked.
Since none of our branches had any visible traces of the key being uploaded, we thought it must have been a bot that scrapes GitHub's projects and their commits, searching for keys.
So... Do these things exist? I refuse to believe a real person would've gone through our hundreds of commits, and although it's possible that an internal member could've leaked it, the fact that this only happened right after making the repository public makes that unlikely.
CommonNoiter@reddit
Bots are scraping GitHub constantly for all kinds of secrets. If you ever leak a secret, you should immediately revoke the permissions of the key, then rotate the key you are using. You can then optionally rewrite history to remove the key, but once it's been leaked, assume it's been compromised. You can use secret scanning to automatically try to find keys that have been leaked accidentally and revoke them immediately.
Orobarsa3008@reddit (OP)
Thank you for your answer, I'll try to use secret scanning in the future. :)
TheRealKidkudi@reddit
Yes, there are absolutely bots that scrape GitHub repos and commits looking for API keys and secrets. There are even tools you can set up to scan your repo and notify you when something that looks like a secret gets committed.
This is one of the reasons people are so strict about committing secrets - even if you immediately push another commit to remove it, that key is in your git history forever (barring the sin of rewriting your own git history). If one gets pushed, you should immediately revoke that key and generate a new one.
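The two comments above make the same two points: scan commits for things that look like keys, and expect a key to survive in history even after a later commit deletes it. The following is an added example, not code from the thread or from any of the commenters, of a minimal scanner that does both: it walks `git log -p --all` (every commit reachable from any ref, not just the branch tips the original poster checked) and flags OpenAI-, AWS- and GitHub-style tokens plus generic `api_key = "..."` assignments, using an entropy threshold to drop `sk-xxxx...` placeholders. The regexes, the entropy cut-off and the sample log are constructed for illustration; real tools (GitHub secret scanning, gitleaks, trufflehog) carry far larger pattern sets.

```python
"""Added example: a minimal secret scanner over git history.

Not code from the thread; a small stand-in for tools such as GitHub secret
scanning, gitleaks or trufflehog. The regexes and the sample log below are
constructed for illustration and cover only a handful of key formats.
"""
from __future__ import annotations

import math
import re
import subprocess
from collections import Counter
from dataclasses import dataclass

# Key-format patterns (illustrative subset; real scanners ship hundreds).
# Most specific first: the per-line dedupe below keeps the first kind that hits.
KEY_PATTERNS = {
    "openai": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    # Catch-all for `api_key = "..."` style assignments; group 1 is the value.
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"
    ),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    secret: str
    line: str  # the diff/log line the secret appeared on, stripped


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys sit well above 3, placeholders far below."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def scan_text(text: str, min_entropy: float = 3.0) -> list[Finding]:
    """Scan arbitrary text (a file, a diff, `git log -p` output) line by line."""
    findings: list[Finding] = []
    for line in text.splitlines():
        seen: set[str] = set()
        for kind, pat in KEY_PATTERNS.items():
            for m in pat.finditer(line):
                secret = m.group(m.lastindex or 0)
                if secret in seen:
                    continue  # already handled under a more specific kind
                seen.add(secret)
                # Low entropy means "sk-xxxxxxxx"-style placeholders, not real keys.
                if shannon_entropy(secret) < min_entropy:
                    continue
                findings.append(Finding(kind, secret, line.strip()))
    return findings


def unique_secrets(findings: list[Finding]) -> set[str]:
    """A key added in one commit and deleted in a later one shows up twice in
    `git log -p` (as a '+' line and a '-' line); collapse to distinct values."""
    return {f.secret for f in findings}


def redact(secret: str, keep: int = 4) -> str:
    """Never echo the full secret into terminals or CI logs."""
    return secret[:keep] + "*" * (len(secret) - keep)


def scan_git_history(repo_path: str = ".") -> list[Finding]:
    """Walk every commit reachable from any ref, not just the current branch tips.
    A key that was 'removed' by a later commit is still in the earlier diff."""
    log = subprocess.run(
        ["git", "-C", repo_path, "log", "-p", "--all", "--no-color"],
        capture_output=True, text=True, check=True,
    ).stdout
    return scan_text(log)


# Constructed sample: what `git log -p --all` might print for the thread's scenario.
SAMPLE_OPENAI_KEY = "sk-proj-a1B2c3D4e5F6g7H8i9J0kLmNoPqRsTuVwXyZ1234"  # fake key
SAMPLE_AWS_KEY = "AKIAIOSFODNN7EXAMPLE"  # AWS's own documentation example key
SAMPLE_LOG = f"""\
commit 1111111111111111111111111111111111111111
Author: dev <dev@example.com>

    add assistant config

diff --git a/config.py b/config.py
+OPENAI_API_KEY = "{SAMPLE_OPENAI_KEY}"
+AWS_ACCESS_KEY_ID = "{SAMPLE_AWS_KEY}"

commit 2222222222222222222222222222222222222222
Author: dev <dev@example.com>

    oops, remove key and load it from the environment

diff --git a/config.py b/config.py
-OPENAI_API_KEY = "{SAMPLE_OPENAI_KEY}"
-AWS_ACCESS_KEY_ID = "{SAMPLE_AWS_KEY}"
+OPENAI_API_KEY = os.environ["OPENAI_API_KEY"]
+AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+# README: set OPENAI_API_KEY = "sk-xxxxxxxxxxxxxxxxxxxxxxxx" in .env
"""

if __name__ == "__main__":
    import sys
    # With a repo path: scan its real history. Without one: scan the sample log.
    hits = scan_git_history(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE_LOG)
    for f in hits:
        print(f"{f.kind:20s} {redact(f.secret)}   on: {f.line[:60]}")
    print(f"{len(unique_secrets(hits))} distinct secret(s); rotate them, then clean history.")
```

Run it against the sample and the "removed" key is reported twice (once from the commit that added it, once from the commit that deleted it), which is exactly why a later removal commit does not help. Two caveats a practitioner should keep in mind: `git log -p --all` only reaches commits that some ref still points to, so objects that survive only in a reflog or as dangling commits need `git fsck --lost-found` or a dedicated tool; and on the hosting side, GitHub can still serve a commit by its hash for some time after a force-push removes it from every branch. Both are reasons to do what the comments say: revoke and rotate first, rewrite history second.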
Orobarsa3008@reddit (OP)
Yeah, this will be a good lesson for the future. Luckily we barely lost any money.
martinbean@reddit
You should have rotated that API key as soon as you saw it had made its way into your repository.
I find it highly unlikely that there wouldn’t be bots relying on exactly the scenario you’ve presented: publishing a repository containing API keys and secrets to use and exploit.