Tell HN: GitHub should take responsibility for publishing AWS keys - hoodoof

It's a common problem, happens all the time, and the AWS keys are in a known format.

GitHub should take some responsibility for preventing publishing of AWS keys.
======
techjuice
GitHub is just a host of the repo, the owner has ultimate responsibility to
ensure they are not uploading their private keys, as other Git code repo hosts
and software providers would also need to accommodate the enhanced security
requirements. If they took on this task then they would also need to ensure
people are not uploading other private information (e.g. database passwords,
API keys, etc.). Yes, it may be better for the entire GitHub community in the
long run but becoming a source code security company may not be something that
GitHub wants to get into at this point.

It would be nice if there were pre-checks client side on git status, diffs,
branches, checkout, merges, init, add and commit that could quickly be checked
to warn the user about the potential issue. Something like this would be a
nice addition for helping users audit their code for vulnerabilities that
they may not have known about. Though this would turn Git into a security
product too.

Creating the extensions required for this might be a little complicated for
the average user but if something were created, secured, reviewed and
regularly updated this might be something that can be matured into easy to use
git extensions or something officially supported by Git or GitHub.

------
iamdave
I don't think I agree. It would instill good will if git could detect what
appeared to be a private key in your code when doing a `git push` and warned
you "This file appears to contain a private key, are you sure you want to push
this commit? (y/n)" but the responsibility of maintaining security of their
keys ultimately lies with the user _using_ those keys.

Otherwise you're putting github in a scenario for fault that doesn't originate
with them and that's rather unfair IMO.

~~~
sgrove
Perhaps some git pre-commit hooks that could easily be installed via homebrew?

~~~
iamdave
That gives me an interesting weekend project.
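The kind of pre-commit hook this sub-thread talks about, as an added example that is not code from any of the commenters: it scans only the staged diff for strings in the documented AWS access key ID format (and 40-character secrets on lines mentioning "secret") and refuses the commit. The sample key values in the comments are AWS's own published placeholders, not live credentials.

```shell
#!/bin/sh
# Added example, not code from the thread: a git pre-commit hook that scans
# the staged diff for AWS credentials in their documented formats and blocks
# the commit. Install by copying to .git/hooks/pre-commit and chmod +x.
# Bypass is the normal `git commit --no-verify`; the user stays responsible,
# the hook only makes the mistake visible before it reaches GitHub.

# Long-term access key IDs are "AKIA" + 16 uppercase alphanumerics (temporary
# STS keys use "ASIA"). The boundary guards stop longer tokens from matching.
AWS_KEY_ID_RE='(^|[^A-Z0-9])A[KS]IA[0-9A-Z]{16}([^A-Z0-9]|$)'
# Secret access keys are 40 base64-like chars; flagging every 40-char string
# would trip on hashes, so only lines that also mention "secret" are checked.
AWS_SECRET_RE='secret.{0,40}[A-Za-z0-9/+]{40}'

# scan_added_lines: read unified-diff text on stdin and report added ("+")
# lines that look like AWS credentials on stderr. Returns 1 if any were found.
scan_added_lines() {
    added=$(grep -E '^\+' | grep -vE '^\+\+\+' || true)   # drop +++ file headers
    id_hits=$(printf '%s\n' "$added" | grep -E "$AWS_KEY_ID_RE" || true)
    secret_hits=$(printf '%s\n' "$added" | grep -iE "$AWS_SECRET_RE" || true)
    if [ -n "$id_hits$secret_hits" ]; then
        printf 'pre-commit: possible AWS credential in staged changes:\n%s\n%s\n' \
            "$id_hits" "$secret_hits" >&2
        return 1
    fi
    return 0
}

# Only run the git part when invoked as the hook itself, so the function can
# also be sourced and exercised against a constructed diff.
case "$(basename "$0")" in
    pre-commit)
        # Compare the index against HEAD, or the empty tree on a fresh repo,
        # so unstaged working-tree edits are never blamed.
        if git rev-parse --verify HEAD >/dev/null 2>&1; then
            base=HEAD
        else
            base=$(git hash-object -t tree /dev/null)
        fi
        git diff --cached "$base" | scan_added_lines || exit 1
        ;;
esac
```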

------
davismwfl
That's like saying Kwikset (or any lock manufacturer) should be responsible
because I left the key in my deadbolt and someone used it to break into my
house.

I do agree though that a pre-commit check would be nice but it isn't GitHub's
responsibility.

