A couple of days ago I conducted a small experiment WRT secrets committed to public git repositories. My plan was simple: (1) generate a secret, (2) commit it to a public repository, and (3) see what happens. Thread time!
1/8
BTW, for the secret I chose an AWS key generated with @ThinkstCanary by @haroonmeer et al.
Anyhow, my experiment for @github and @gitlab went as follows...
2/8
Timeline for @github:
1. I pushed the commit with AWS key at 15:27
2. At 15:34 (7 minutes) I got an email from @GitGuardian informing me about possible secret leakage
3. At 15:38 (11 minutes) the token was compromised for the first time.
3/8
Within the next 2 hours there were 5 more alerts. Traffic came from: Germany, Netherlands, United Kingdom, and Ukraine. According to the User-Agents, the bots used the Python and Node.js SDKs.
NOTE: I also received a security alert about vulnerable dependencies.
4/8
Timeline for @gitlab:
1. I pushed the commit with AWS key at 16:24
2. At 17:26 (62 minutes) the token was compromised for the first AND last time. Traffic came from France. According to the User-Agent, the bot used the Python SDK.
5/8
NOTE: I received no information from @gitlab about leaked secret nor about anything else. I know GitLab does offer this functionality (both secret detection and dependency scanning), but sadly they do so only for Gold or Ultimate. That's a shame!
6/8
What can you learn from this? A couple of things:
0. Adversaries scan @github way more than @gitlab
1. If you use GitHub you should look into @GitGuardian
2. If you use GitLab you can upgrade to Gold/Ultimate or take care of secret detection on your own
7/8
3. For *proactive* measures against leakage use pre-commit hooks (e.g. https://github.com/thoughtworks/talisman/ by @thoughtworks)
4. For *reactive* measures against leakage scan for secrets in your CI/CD (e.g. https://github.com/zricethezav/gitleaks by @zricethezav)
That's it folks!
8/8
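Editor's note: the thread's last two points (pre-commit hooks as a proactive measure, and "taking care of secret detection on your own" when the platform does not do it for you) can be illustrated with a minimal staged-diff scanner. The script below is an added example, not part of the original thread and not the code of Talisman or gitleaks; it shows the two checks such tools combine for AWS credentials: a shape match for access key IDs (the `AKIA`/`ASIA` prefix plus 16 upper-case alphanumerics) and a Shannon-entropy test on 40-character base64-alphabet strings to separate secret access keys from commit hashes and placeholders. The regexes, the 4.2 bits/char entropy cutoff and the sample diff are this example's own assumptions; the credentials in the sample are the well-known placeholders from the AWS documentation, not live keys.

```python
"""Minimal pre-commit secret scanner for the '+' lines of a unified diff.

Added example: stand-in for "do secret detection yourself" when your
git host offers none. Two checks: AWS access key ID shape, and a
Shannon-entropy test on 40-char base64-alphabet strings (the shape of
an AWS secret access key). Wire it up as a hook with:
    git diff --cached -U0 | python3 scan_staged.py
Exit status 1 means a finding was reported and the commit should stop.
"""
import math
import re
import sys

# AWS access key IDs: AKIA (long-term user key) or ASIA (temporary STS
# key) followed by exactly 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# Candidate secret access keys: a run of exactly 40 base64-alphabet chars.
# '\b' would not work here because '/' and '+' are not word characters,
# so the neighbouring characters are excluded explicitly.
SECRET_KEY_RE = re.compile(
    r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Assumption for this example: a 40-char string below 4.2 bits/char is
# treated as a constant (a hex commit hash tops out at 4.0) rather than a
# randomly generated secret (typically ~4.6-5.0 bits/char).
ENTROPY_THRESHOLD = 4.2

# Constructed sample `git diff --cached` output. The key ID and secret are
# the AWS documentation placeholders (AKIAIOSFODNN7EXAMPLE / wJalr...EKEY),
# not live credentials; the 40-hex string is a commit-hash-shaped decoy.
SAMPLE_DIFF = """\
diff --git a/config.ini b/config.ini
--- a/config.ini
+++ b/config.ini
@@ -1,2 +1,4 @@
 [default]
+aws_access_key_id = AKIAIOSFODNN7EXAMPLE
+aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+pinned_commit = 0123456789abcdef0123456789abcdef01234567
-old_key = AKIAOLDKEYREMOVEDXYZ
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or constant string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep just enough of the match to locate it without re-leaking it."""
    return value[:4] + "..." + value[-4:]


def scan_added_lines(diff_text: str):
    """Return (kind, redacted_match, line) for each suspected secret.

    Only added lines are inspected: the '+++' file header is skipped and
    removals are ignored, so deleting a leaked key is never blocked.
    """
    findings = []
    for raw in diff_text.splitlines():
        if not raw.startswith("+") or raw.startswith("+++"):
            continue
        line = raw[1:]
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(("aws_access_key_id", redact(m.group(1)), line.strip()))
        for m in SECRET_KEY_RE.finditer(line):
            candidate = m.group(1)
            if shannon_entropy(candidate) >= ENTROPY_THRESHOLD:
                findings.append(("high_entropy_40char", redact(candidate), line.strip()))
    return findings


def main() -> int:
    findings = scan_added_lines(sys.stdin.read())
    for kind, redacted, line in findings:
        print(f"[{kind}] {redacted} in: {line}", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run against the constructed sample, the scanner flags the key ID and the secret but not the commit hash or the removed key. As a hook, put `git diff --cached -U0 | python3 scan_staged.py` in `.git/hooks/pre-commit`; as a reactive CI check, feed it the diff of the pushed range instead. The redaction matters in both places: a hook or CI log that echoes the full match has just copied the secret into yet another place you will have to clean up.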