Git Secrets Leaks

Managing secrets in Git repositories is a critical aspect of maintaining secure software development practices. This article will walk you through the common issues related to Git secrets leaks and how to prevent them.

1. What's Git?

Description:

  • Git is a version control system used to track changes in a set of files. It is mainly used for source code management by software developers.
  • Git is everywhere! Its support for distributed and non-linear workflows with branches allows multiple developers to work in parallel and make code changes faster.

Illustration: Shows a timeline with branches representing different features and the main branch.

2. Committing Secrets

Description:

  • Developers sometimes mistakenly commit sensitive information, such as usernames and passwords, hardcoded in their source. Once pushed, the secret is readable by anyone who can read the repository.
  • Example:

package main
import "fmt"

func main() {
	// Hardcoded credentials: this is the mistake the article is about.
	username := "root"
	password := "1234"
	fmt.Println(username, password)
}

$ git commit -am "add main"
$ git push

Illustration: Demonstrates a commit with sensitive information and a warning symbol.
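The cheapest place to catch the mistake above is before the commit exists. The script below is an added example, not code from the original article: a minimal pre-commit style check that reads a unified diff on stdin and refuses it when an added line assigns a quoted literal to a credential-looking name. The regex, the function names and the sample diff are constructed for this demonstration; a real scanner (gitleaks, trufflehog and similar) ships a far larger rule set.

```sh
#!/bin/sh
# Added example (not from the original article): block commits whose staged
# diff introduces a hardcoded credential. Regex and sample diff are constructed.

# Credential-looking name, an assignment operator, then a non-empty string literal.
SECRET_RE='(password|passwd|secret|api[_-]?key|token)[[:space:]]*(:=|=|:)[[:space:]]*"[^"]+"'

# Reads a unified diff on stdin and prints every added line (a '+' line that is
# not the '+++' file header) that matches SECRET_RE. Always exits 0 so callers
# can run it under `set -e`.
find_added_secrets() {
  grep '^+' | grep -v '^+++' | grep -iE "$SECRET_RE" || true
}

# Exit status 0 = clean, 1 = secret found (what a pre-commit hook would return).
check_diff() {
  hits=$(find_added_secrets)
  if [ -n "$hits" ]; then
    printf 'Refusing commit, hardcoded secret(s) in staged changes:\n%s\n' "$hits" >&2
    return 1
  fi
  return 0
}

# Constructed sample: the article's snippet plus one line that reads the key
# from the environment instead of hardcoding it (that line must not be flagged).
SAMPLE_DIFF='diff --git a/main.go b/main.go
--- a/main.go
+++ b/main.go
@@ -1,3 +1,6 @@
 package main
+
+username := "root"
+password := "1234"
+apiKey := os.Getenv("API_KEY")
'

# Installed as .git/hooks/pre-commit the last line would be:
#   git diff --cached | check_diff
printf '%s' "$SAMPLE_DIFF" | check_diff || echo "commit would be blocked"
```

Only `+password := "1234"` is reported: `username` is not a credential keyword, and `apiKey` is assigned from the environment rather than from a string literal, which is the pattern the check wants to encourage.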

3. Deleting Secrets after Commit

Description:

  • Simply deleting the file (or the line) and committing the change does not remove the secret from the repository: it only removes it from the newest snapshot.
  • Commands:

$ git rm main.go
$ git commit -m "Remove main"
$ git push        

  • Warning: The secret still exists in the commit history, and the "Remove main" commit's own diff shows the removed line, secret included.

Illustration: Shows a developer realising their repository is public and the secret is exposed, then attempting to delete it.

4. Problem

Description:

  • Git keeps a history of everything. The secret is no longer in the latest snapshot, but it is still in every earlier commit that contained it, and those commits are pushed along with the branch.
  • Reading previous commits is easy on any clone (use git log rather than git reflog: the reflog is local to one machine and is never pushed):

$ git log --oneline -- main.go
$ git checkout <commit-hash>
$ cat main.go        

  • Lessons:
      ◦ Never store secrets in Git.
      ◦ If you ever do, don't just remove them. Treat them as compromised: revoke and rotate them.

Illustration: Explains the persistence of secrets in the Git history.
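To make the point of sections 3 and 4 concrete, the script below is an added example, not code from the original article. It builds a throwaway repository in a temporary directory, repeats the sequence from the text (commit a file with a secret, then `git rm` it and commit again) and then recovers the secret from history using `git log` and `git show`, which work on every clone, unlike `git reflog`. It assumes only that `git` is on PATH; the repository, the file name and the placeholder password "1234" are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the original article): a committed-then-deleted secret
# is still readable from history. Assumes `git` is on PATH; everything else here
# is constructed for the demo.

# Creates the demo repo in a temp dir and prints its path.
make_leaky_repo() {
  repo=$(mktemp -d)
  (
    cd "$repo" || exit 1
    git init -q
    git config user.email "demo@example.com"
    git config user.name "demo"
    git commit -q --allow-empty -m "init"
    # Section 2: the mistake
    printf 'package main\n\nvar password = "1234"\n' > main.go
    git add main.go
    git commit -q -m "add main"
    # Section 3: the "fix" that fixes nothing
    git rm -q main.go
    git commit -q -m "Remove main"
  ) >/dev/null 2>&1
  echo "$repo"
}

# Recovers the secret from the commit that added main.go. `git log` is used
# deliberately instead of `git reflog`: the reflog is local and never pushed,
# whereas the commit history travels with every clone of the repository.
recover_deleted_secret() {
  commit=$(git -C "$1" log --format=%H --diff-filter=A -- main.go | tail -n 1)
  git -C "$1" show "$commit:main.go" | sed -n 's/.*password = "\([^"]*\)".*/\1/p'
}

# Counts commits whose diff adds or removes a line matching a regex. Both
# "add main" and "Remove main" match: the removal diff itself still shows the secret.
count_commits_exposing() {
  git -C "$1" log --all --format=%H -G"$2" | wc -l | tr -d ' '
}

demo=$(make_leaky_repo)
echo "working tree has main.go? $( [ -e "$demo/main.go" ] && echo yes || echo no )"
echo "recovered from history:   $(recover_deleted_secret "$demo")"
echo "commits exposing it:      $(count_commits_exposing "$demo" password)"
rm -rf "$demo"
```

The working tree no longer contains `main.go`, yet the password comes straight back out of the "add main" commit, and `git log -G` finds two commits that expose it. Rewriting history (for example with git filter-repo) on top of that still does not help against anyone who already fetched the old commits, which is why the only reliable response is to rotate the secret.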

5. GitHub Secrets Exploit

Description:

  • Example scenario: An intern commits code with hardcoded credentials:

package main
import "fmt"

func main() {
	username := "admin"
	password := "Solarwinds123" // hardcoded credential pushed to a readable repository
	fmt.Println(username, password)
}

  • Anyone who can read the repository can read the credentials, and an attacker simply logs in with them.

Illustration: Depicts an intern writing insecure code, committing it, and an attacker exploiting the exposed credentials.


Important: never commit sensitive information to a repository. If a secret does get committed, treat it as compromised: deleting the file does not remove it from history, so revoke and rotate it immediately.

More articles by Piotr Klepuszewski
