
What's to take out of this?

Anything other than avoiding committing secrets to your source code, and especially, not including clear-text secrets in files when you build containers?

This is also a 2-year-old issue. Am I missing a subtle element to this?




I don’t know if there’s much to broadly learn here.

I will say that it reflects very positively for Shopify: I can imagine plenty of companies downplaying the issue or trying to duck the payout by saying “not our code!” In that sense, this is one of the few bug bounty posts that leaves a company looking good.




