Hacker News
GitHub access token exposure (hackerone.com)
19 points by malazgirt on Nov 20, 2022 | 3 comments



What's to take out of this?

Anything other than avoid committing secrets to your source code, and especially, don't include clear-text secrets in files when you build containers?

This is also a 2-year-old issue. Am I missing a subtle element to this?


I don’t know if there’s much to broadly learn here.

I will say that it reflects very positively for Shopify: I can imagine plenty of companies downplaying the issue or trying to duck the payout by saying “not our code!” In that sense, this is one of the few bug bounty posts that leaves a company looking good.




