
Show HN: GitMonKey – monitor your repos and commits for exposed private keys - shaharsol
https://gitmonkey.io/
======
kierenj
Before I allow this read access to all of my code, what kind of checks should
I run through on GitMonKey as an organisation/product?

Edit: when I try to go back to the homepage from the "Install GitHub
Integration" page, I'm redirected back. Probably just paranoia... but still. I
want to learn more about the people behind this before clicking this button.

Edit 2: no Twitter, no incorporated entity, no names of the people behind
this, nothing to reassure. No account management screen I can see, no way to
revoke GitMonkey's access. Is this just a massively dodgy idea?

~~~
shaharsol
It's a product of Tikal Lab, which is a unit in
[http://tikalk.com](http://tikalk.com)

------
adtac
A little nit-picky, but your "What Our Users Say about Us" section is just
people describing their mistakes. It says literally nothing about your
platform itself.

------
sevagh
How about this one?
[https://github.com/dxa4481/truffleHog](https://github.com/dxa4481/truffleHog)

Posted here a few months ago.

~~~
ezekg
Also, if you want to have more control over what gets matched (as opposed to
only checking entropy):
[https://github.com/ezekg/git-hound](https://github.com/ezekg/git-hound) (I'm the author of this one.)

------
avh02
[http://pre-commit.com/hooks.html](http://pre-commit.com/hooks.html)

calling attention to detect-private-key and detect-aws-credentials
(disclaimer-ish: was original contributor on the latter hook but been way
expanded since then)

edit: obviously each dev needs to have this set up, not a catch-all third
party tool.

~~~
brianjking
Have an example hook I can test out? Thanks!

~~~
avh02
What do you mean? Like one I recommend for a simple test? Or a sample config?

------
SmellTheGlove
One more: I added a repo that I know had some keys in it, and GitMonkey didn't
find them. Here are the specifics:

I originally made a bunch of commits that included my config.py file. I
realized later that I didn't want that public, so I added it to the ignore and
had git remove it. However, if you look through my commit history, you can
still see the config.py changes in earlier commits and the keys are buried in
there. Since I was/am a git noob, I didn't create branches for those commits.
They all went to master, so they're in the commit history of the master
branch.

I'm guessing this tool is scanning the branches themselves, but you may want
to scan the commit history within those branches if GitHub will let you.
Idiots like me that don't know how to use Git properly are probably the ones
more likely to make this mistake!
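An added example, not code from the thread or from GitMonkey, covering both points raised above: avh02's per-developer pre-commit hook and SmellTheGlove's observation that a scan of branch tips misses secrets that only survive in older commits. The same scanner runs over `git diff --cached -U0` (as a hook, blocking the commit) and over `git log -p --all` (finding keys in history). The detection rules, the sample log and the AWS-style key value are constructed placeholders, not real credentials.

```python
import re
import sys

# Detection rules: PEM private-key block headers and AWS access key IDs.
RULES = {
    "private-key": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
    "aws-access-key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

def scan_patch(patch):
    """Return (commit, path, rule) for each added line that matches a rule.
    Works on `git diff --cached` (commit is None) and on `git log -p --all`."""
    findings, commit, path = [], None, None
    for line in patch.splitlines():
        if line.startswith("commit "):
            commit, path = line.split()[1], None
        elif line.startswith("+++ "):
            path = line[6:] if line.startswith("+++ b/") else line[4:]
        elif line.startswith("+") and not line.startswith("+++"):
            for rule, rx in RULES.items():
                if rx.search(line[1:]):
                    findings.append((commit, path, rule))
    return findings

def main():
    """Pre-commit hook entry point: pipe `git diff --cached -U0` to stdin."""
    hits = scan_patch(sys.stdin.read())
    for commit, path, rule in hits:
        print(f"{rule} in {path}" + (f" (commit {commit[:8]})" if commit else ""))
    return 1 if hits else 0  # a non-zero exit makes git abort the commit

# Constructed `git log -p --all` output (newest first): commit 2222 deletes
# config.py, commit 1111 added it. The branch tip is clean; the history is not.
SAMPLE_LOG = """\
commit 2222222222222222222222222222222222222222
--- a/config.py
+++ /dev/null
@@ -1,2 +0,0 @@
-AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
-SSH_KEY = "-----BEGIN RSA PRIVATE KEY----- <placeholder>"
commit 1111111111111111111111111111111111111111
--- /dev/null
+++ b/config.py
@@ -0,0 +1,2 @@
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+SSH_KEY = "-----BEGIN RSA PRIVATE KEY----- <placeholder>"
"""
if __name__ == "__main__":
    sys.exit(main())
```

Running `git log -p --all | python scan.py` reports both keys against commit 1111 even though config.py no longer exists on master; finding them there is the cue to revoke, since deleting the file does not remove the commit.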

------
DINKDINK
It seems this should be a standard product offering for GitHub

~~~
dberg
Agreed. Or software you can just run internally. Not a fan of just opening up
read access to my code to a new startup.

~~~
fredley
Yeah, what if gitmonkey accidentally reveals a secret key? Now somebody has a
curated list of everyone's git secret keys - even the ones in private repos!

~~~
shaharsol
If GitMonkey has your key on record - it means we're not the only ones having
it. You should revoke it immediately. So even if our db is breached, it should
only contain a list of useless revoked keys.

~~~
fredley
> should

~~~
MightySCollins
I am also really scared by the suggestion that they might 'take a leap' and
check if it's valid... Then they have a list of keys and whether they work or
not.

------
rgun
* Why a separate service and not a pre-commit hook?

* If a third-party has seen the key, hasn't the damage already been done?

~~~
shaharsol
Because it's harder to enforce on a team, whereas a central service (also as a
2nd security layer) deals with it on behalf of the team/org.

~~~
ohyeshedid
It often takes more thought and effort to do things properly. This seems like
another service that treats the symptoms of a problem rather than the problem
itself. That kind of solution encourages careless behaviour, because someone
will come behind me and clean it up. Encouraging best practices is a better
investment.

>(also as a 2nd security layer)

Except when it's not.[1] That means it gives careless folks a false sense of
security, which I think conveys more risk than no security at all.

[1]:
[https://news.ycombinator.com/item?id=14157870](https://news.ycombinator.com/item?id=14157870)

------
MightySCollins
Why does it need to auth using Google? Can it not just use GitHub like the
second getting started button suggests?

~~~
shaharsol
Because we need your email and don't want to take it from GitHub because we may
span to gitlab, bitbucket etc.

~~~
MightySCollins
Hmm, could you not just take it from GitHub, though? If you chose to span others,
they could also provide an email, or you could link accounts together.

------
yeukhon
I believe for AWS, if an attacker gains your key and generates an STS session
key, it used to be that you couldn't revoke them (that is, revoking me does not
revoke the key I generate from STS). I don't know if they fixed it or not; I did
a test after someone spoke to me about a year ago.

------
reddytowns
I was thinking another strategy could be a git plugin that had a config
file of salted hashed secrets. If someone tried to commit something with a
secret, it could then stop it _before_ it was leaked.

Of course, you'd need to collect all the secrets beforehand, but if you are
willing to do that, it would seem to be a better solution.

I was thinking this and later I fell asleep and had this dream, where my
girlfriend kept saying, "Hey... Hey... Hey..." over and over again. I woke up
and it turns out there was a bird chirping every few seconds at the same
interval.

Time is strange, though. I saw a star trek episode recently where there was
time dilation on this particular planet. They were trying to beam out the
occupants. It got me thinking, if I could beam out to a spaceship where, say
every second on the spaceship was a year on planet earth, would I do it? I
have this vague feeling of regret, like I'm missing all those moments on
between on Earth while I'm there. I suppose I'd experience the same number of
moments, spread out as they were, though.
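An added example, not from the thread, of the salted-hash pre-commit idea reddytowns describes: a one-off step hashes each known secret with a random per-repo salt (HMAC-SHA256 keyed with the salt is an assumed choice; the post only says "salted hashed"), and the hook hashes every token on added lines and reports a match without the config ever holding the secret itself. The token pattern, the fake secret and the sample diff are constructed.

```python
import hashlib
import hmac
import re
import secrets

# Tokens worth checking: runs of characters typical of keys and passwords.
TOKEN_RX = re.compile(r"[A-Za-z0-9+/=_\-]{12,}")

def digest(salt, token):
    """Salted hash of one token: HMAC-SHA256 keyed with the salt (assumption)."""
    return hmac.new(salt, token.encode(), hashlib.sha256).hexdigest()

def build_config(secret_values):
    """One-off setup: store a random salt and the hash of each known secret."""
    salt = secrets.token_bytes(16)
    return {"salt": salt.hex(), "hashes": {digest(salt, s) for s in secret_values}}

def check_added_lines(diff_text, config):
    """Hash every token on '+' lines of a diff and report those in the config.
    Returns (diff line number, masked token) pairs; empty means the commit is clean."""
    salt, hashes, hits = bytes.fromhex(config["salt"]), config["hashes"], []
    for n, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # only newly added content can leak a secret
        for tok in TOKEN_RX.findall(line[1:]):
            if digest(salt, tok) in hashes:
                hits.append((n, tok[:4] + "*" * (len(tok) - 4)))
    return hits

# Constructed example: a fake token registered beforehand, then a diff that
# tries to commit it next to an unrelated token that must not match.
CONFIG = build_config(["sk_live_FAKE0123456789abcdef"])
SAMPLE_DIFF = """\
+++ b/settings.py
+STRIPE_KEY = "sk_live_FAKE0123456789abcdef"
+CACHE_KEY = "not_a_secret_value_here"
"""
```

The caveat is the tokenizer: a secret has to be extracted at commit time exactly as it was hashed, so one containing characters outside the token class, or glued to other text, is missed. The config is also an offline oracle for anyone who obtains it, so it belongs with the repo's other restricted files rather than in the repo.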

------
nailer
Weirdly, AWS and GitHub seem to have something similar. I know a couple of
folks (not me!) who've uploaded AWS credentials to OSS projects on GitHub and
been contacted by AWS about it, after AWS has revoked the credentials.

~~~
antaviana
For AWS it makes sense, because typically AWS discounts the customer the
damage made by stolen credentials.

For example, if a dozen EC2 instances are launched with credentials poached
from Github to mine bitcoins, I know AWS used to remove the rogue extra charge
from the customer bill, as a token of gratitude (to avoid losing the customer
by a sense of defenselessness).

~~~
yeukhon
Yes. AWS actually does scan on a regular basis. They have caught some before
any harm is done. I don't know how often, though.

------
rorosaurus
Hey shaharsol, this looks great. Double check your strings though :)

"Scan 58f90084fa38b600114b33ea succerssfully started."

Also the "Profile" and "settings" links don't go anywhere.

------
iNeal
Easier solution: don't commit private keys.

Pro-tip: use `git add -p`

------
jwilk
To see it with JS disabled, disable also CSS.

------
sleepychu
Page doesn't load with default umatrix config.

------
irfanka
Clever name.

------
Dunedan
Sounds like a scam to me:

- No imprint or any other kind of information who is behind this service on
their website

- Testimonials which talk about leaked credentials and not about how
GitMonkey saved them

- Not even a privacy policy stating what they do with your source code

~~~
shaharsol
It's a product of Tikal Lab, which is a unit in
[http://tikalk.com](http://tikalk.com)

We will add a privacy policy, didn't even notice we don't have one, it's just
launching...

~~~
kierenj
I would say that if you've forgotten to consider this side of things, it's a
big stretch to ask people to trust your app to read all of their source code,
which even has the intent to find secrets. What else have you forgotten?

