Show HN: GitMonKey – monitor your repos and commits for exposed private keys (gitmonkey.io)
70 points by shaharsol 11 months ago | 45 comments

Before I allow this read access to all of my code, what kind of checks should I run through on GitMonKey as an organisation/product?

Edit: when I try to go back to the homepage from the "Install GitHub Integration" page, I'm redirected back. Probably just paranoia.. but still. I want to learn more about the people behind this before clicking this button.

Edit 2: no Twitter, no incorporated entity, no names of the people behind this, nothing to reassure. No account management screen I can see, no way to revoke GitMonkey's access. Is this just a massively dodgy idea?

You wouldn't revoke its access on their end, you'd do it on GitHub's end: https://github.com/settings/applications

Otherwise, GH would still have the approval on file (there's no way for them to know you deauthorized on the GitMonkey side) so they'd instantly be able to get a token again.

It's a product of Tikal Lab, which is a unit in http://tikalk.com


That said, I will try to fix everything you mention and make it more comfortable for new people to join. Thanks for the feedback!


A little nit-picky, but your "What Our Users Say about Us" section is just people describing their mistakes. It says literally nothing about your platform itself.

How about this one? https://github.com/dxa4481/truffleHog

Posted here a few months ago.

Also, if you want to have more control over what gets matched (as opposed to only checking entropy): https://github.com/ezekg/git-hound (I'm the author of this one.)


Calling attention to detect-private-key and detect-aws-credentials (disclaimer-ish: I was the original contributor on the latter hook, but it has been expanded a lot since then).

Edit: obviously each dev needs to have this set up; it's not a catch-all third-party tool.

Have an example hook I can test out? Thanks!

What do you mean? Like one I recommend for a simple test, or a sample config?

One more: I added a repo that I know had some keys in it, and GitMonkey didn't find them. Here's the specifics:

I originally made a bunch of commits that included my config.py file. I realized later that I didn't want that public, so I added it to the ignore and had git remove it. However, if you look through my commit history, you can still see the config.py changes in earlier commits and the keys are buried in there. Since I was/am a git noob, I didn't create branches for those commits. They all went to master, so they're in the commit history of the master branch.

I'm guessing this tool is scanning the branches themselves, but you may want to scan the commit history within those branches if GitHub will let you. Idiots like me that don't know how to use Git properly are probably the ones more likely to make this mistake!

It seems this should be a standard product offering for GitHub

Agreed. Or software you can just run internally. Not a fan of just opening up read access to my code to a new startup.

Yeah, what if GitMonkey accidentally reveals a secret key? Now somebody has a curated list of everyone's git secret keys, even the ones in private repos!

If GitMonkey has your key on record - it means we're not the only ones having it. You should revoke it immediately. So even if our db is breached, it should only contain a list of useless revoked keys.

> should

I am also really scared by the suggestion that they might 'take a leap' and check if it's valid... Then they have a list of keys and whether they work or not

If you signed up for a service specifically to detect when you compromise your secrets, and the service tells you about it, and you don't change the secret... Why are you then worried that the other party gets compromised?

There are git hooks that you can run locally, but think as a manager of an R&D team of 10-20 developers. You need to make it centralised.

No, if I want to do my job correctly I'll encourage best practices and address careless deviations. I won't encourage bad behaviour by outsourcing simple workflow tooling to a third party that doesn't have any accountability if they drop the ball.

Whether you realize it or not, you're advocating for increasing surface area and risk. You're offering a service to people with bad opsec while simultaneously asking them to trust your opsec; none of which is a good solution to the actual problem.

GitHub does this actually, but only for GitHub access tokens generated from their API. If you generate an OAuth access token and commit it, they will automatically revoke it.

* Why a separate service and not a pre-commit hook?

* If a third party has seen the key, hasn't the damage already been done?

Because it's harder to enforce on a team, whereas a central service (also as a 2nd security layer) deals with it on behalf of the team/org.

It often takes more thought and effort to do things properly. This seems like another service that treats the symptoms of a problem rather than the problem itself. That kind of solution encourages careless behaviour, because someone will come behind me and clean it up. Encouraging best practices is a better investment.

>(also as a 2nd security layer)

Except when it's not.[1] That means it gives careless folks a false sense of security, which I think conveys more risk than no security at all.

[1]: https://news.ycombinator.com/item?id=14157870

Is there a tool that can do this check as a pre-commit hook?

Why does it need to auth using Google? Can it not just use GitHub like the second getting started button suggests?

Because we need your email and don't want to take it from GitHub, because we may span to GitLab, Bitbucket etc.

Hmm, could you not just take it from GitHub though? If you chose to span others, they could also provide an email, or you could link accounts together.

I believe for AWS, if an attacker gains your key and generates an STS session key, it used to be that you couldn't revoke them (that is, revoking me does not revoke the key I generated from STS). I don't know if they fixed it or not; I did a test after someone spoke to me about it a year ago.

I was thinking another strategy could be a git plugin that had a config file of salted, hashed secrets. If someone tried to commit something with a secret, it could then stop it before it was leaked.

Of course, you'd need to collect all the secrets beforehand, but if you are willing to do that, it would seem to be a better solution.
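As an added illustration of the two ideas discussed above (a local pre-commit check for private keys and cloud credentials, and a salted-hash blocklist so the hook never stores secrets in plaintext), here is an example hook. It is not GitMonKey's, truffleHog's or git-hound's code; the salt, the blocklist entry, the key-ID pattern and the PEM header pattern are constructed for the example, and feeding it `git log -p` output instead of the staged diff would cover the buried-in-history case mentioned earlier in the thread.

```python
import hashlib
import re
import subprocess
import sys

# Constructed patterns for content that should never be committed.
PEM_HEADER = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def salted_hash(secret: str, salt: str) -> str:
    """Hash a secret with a per-repo salt so the blocklist never holds plaintext."""
    return hashlib.sha256((salt + secret).encode()).hexdigest()


def find_secrets(text: str, blocked_hashes: set, salt: str) -> list:
    """Return (line_index, reason) for every line of `text` that looks like a secret."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if PEM_HEADER.search(line):
            findings.append((no, "PEM private key header"))
        if AWS_ACCESS_KEY_ID.search(line):
            findings.append((no, "AWS access key id"))
        # Blocklist check: hash each token and compare hashes, never the secret itself.
        for token in re.findall(r"[A-Za-z0-9_\-+/=]{8,}", line):
            if salted_hash(token, salt) in blocked_hashes:
                findings.append((no, "known secret (hash match)"))
    return findings


def staged_additions() -> str:
    """Only the '+' lines of the staged diff, so unchanged content is not re-flagged."""
    diff = subprocess.run(["git", "diff", "--cached", "--unified=0"],
                          capture_output=True, text=True, check=True).stdout
    return "\n".join(l[1:] for l in diff.splitlines()
                     if l.startswith("+") and not l.startswith("+++"))


def main() -> int:
    salt = "example-repo-salt"  # assumption: one salt per repo, kept in the hook config
    blocked = {salted_hash("hunter2-super-secret", salt)}  # constructed blocklist entry
    found = find_secrets(staged_additions(), blocked, salt)
    for no, reason in found:
        print(f"refusing commit: {reason} at added line {no}", file=sys.stderr)
    return 1 if found else 0  # non-zero exit makes git abort the commit


if __name__ == "__main__":
    sys.exit(main())
```

Install it as `.git/hooks/pre-commit` (executable) to run on every commit.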

I was thinking this and later I fell asleep and had this dream, where my girlfriend kept saying, "Hey... Hey... Hey..." over and over again. I woke up and it turns out there was a bird chirping every few seconds at the same interval.

Time is strange, though. I saw a star trek episode recently where there was time dilation on this particular planet. They were trying to beam out the occupants. It got me thinking, if I could beam out to a spaceship where, say every second on the spaceship was a year on planet earth, would I do it? I have this vague feeling of regret, like I'm missing all those moments on between on Earth while I'm there. I suppose I'd experience the same number of moments, spread out as they were, though.

Weirdly, AWS and GitHub seem to have something similar. I know a couple of folks (not me!) who've uploaded AWS credentials to OSS projects on GitHub and been contacted by AWS about it, after AWS has revoked the credentials.

For AWS it makes sense, because typically AWS discounts the customer the damage made by stolen credentials.

For example, if a dozen EC2 instances are launched with credentials poached from GitHub to mine bitcoins, I know AWS used to remove the rogue extra charge from the customer's bill, as a token of gratitude (to avoid losing the customer to a sense of defenselessness).

Yes. AWS actually does scan on a regular basis. They have caught some before any harm was done. I don't know how often, though.

I wonder if they scan GH periodically, or simply see abnormal action on these accounts that are accessed by the exposed keys.

Hey shaharsol, this looks great. Double check your strings though :)

"Scan 58f90084fa38b600114b33ea succerssfully started."

Also the "Profile" and "settings" links don't go anywhere.

Easier solution: don't commit private keys.

Pro-tip: use `git add -p`

To see it with JS disabled, disable CSS as well.

Page doesn't load with the default uMatrix config.

Clever name.

Sounds like a scam to me:

- No imprint or any other kind of information who is behind this service on their website

- Testimonials which talk about leaked credentials and not about how GitMonkey saved them

- Not even a privacy policy stating what they do with your source code

It's a product of Tikal Lab, which is a unit in http://tikalk.com

We will add a privacy policy, didn't even notice we don't have one, it's just launching...

I would say that if you've forgotten to consider this side of things, it's a big stretch to ask people to trust your app to read all of their source code, which even has the intent to find secrets. What else have you forgotten?



Except that they disabled the scrolljacking, which is a nice touch at least.
