- Main Points: White-hat hacker Sharon Brizinov found that even deleted commits on GitHub can still be accessed and may contain secrets. He used the GitHub Events API and GH Archive to scan for "Oops commits" (zero-commit force-push events) and discovered thousands of still-active secrets. His research combined manual search, a vibe-coded triage tool, and an attempt at using AI. He also provided a case study in which reporting a leaked GitHub Personal Access Token prevented a massive supply-chain compromise.
Key Information:
- Deleting a commit with a force push doesn't actually delete it from GitHub; it only removes the Git reference to it, so the commit itself stays accessible.
- The GitHub Events API exposes information about activity on GitHub, and GH Archive stores a historical archive of these events.
- "Oops commits" can be identified by looking for push events with zero commits.
- Secret hunting tools like TruffleHog can be used to scan for secrets in deleted commits.
- Manual search, vibe-coded triage tools, and AI can be used to review and prioritize secrets.
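The two steps described above, as an added example that is not part of the original research or its tooling: pick out zero-commit push events from GH Archive-style records (the `before` SHA is the commit that was force-pushed away) and flag token-shaped strings in the patch text of such a commit. The events, repo names, SHAs and diff are constructed; only the GH Archive payload field names and the token formats are real.

```python
import json
import re

# Constructed GH Archive-style PushEvent records (JSON Lines); repo, login and
# SHA values are made up, but the payload field names are GH Archive's own.
SAMPLE_EVENTS = """\
{"type":"PushEvent","repo":{"name":"example-org/api"},"actor":{"login":"dev1"},"created_at":"2024-05-01T10:00:00Z","payload":{"ref":"refs/heads/main","size":1,"distinct_size":1,"before":"aaaa000000000000000000000000000000000000","head":"bbbb000000000000000000000000000000000000","commits":[{"sha":"bbbb000000000000000000000000000000000000"}]}}
{"type":"PushEvent","repo":{"name":"example-org/api"},"actor":{"login":"dev1"},"created_at":"2024-05-01T10:04:00Z","payload":{"ref":"refs/heads/main","size":0,"distinct_size":0,"before":"bbbb000000000000000000000000000000000000","head":"aaaa000000000000000000000000000000000000","commits":[]}}
{"type":"WatchEvent","repo":{"name":"example-org/api"},"actor":{"login":"someone"},"created_at":"2024-05-01T10:05:00Z","payload":{"action":"started"}}
"""
# Constructed patch text standing in for `git show <dangling sha>`; the token is a dummy.
SAMPLE_DIFF = ("+GITHUB_TOKEN=ghp_" + "x" * 36 + "\n"
               "+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n+DEBUG=true\n")
# Token shapes to flag (classic GitHub PAT, AWS access key ID), per public docs.
SECRET_PATTERNS = {
    "github_pat_classic": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
}


def find_oops_commits(jsonl: str) -> list[dict]:
    """Force pushes that dropped commits: PushEvent with size 0 whose `before`
    differs from `head`; `before` is now unreferenced but still fetchable by SHA."""
    hits = []
    for line in filter(str.strip, jsonl.splitlines()):
        ev = json.loads(line)
        if ev.get("type") != "PushEvent":
            continue
        p = ev["payload"]
        if p.get("size", 0) == 0 and p.get("before") != p.get("head"):
            hits.append({"repo": ev["repo"]["name"], "actor": ev["actor"]["login"],
                         "ref": p["ref"], "dangling_sha": p["before"], "at": ev["created_at"]})
    return hits


def scan_for_secrets(text: str) -> list[tuple[str, str]]:
    """Return (kind, redacted value) for each token-shaped string in patch text."""
    found = []
    for kind, rx in SECRET_PATTERNS.items():
        for m in rx.finditer(text):
            found.append((kind, m.group(0)[:8] + "..." + m.group(0)[-4:]))
    return found


if __name__ == "__main__":
    for o in find_oops_commits(SAMPLE_EVENTS):
        print(f"{o['repo']} {o['ref']}: {o['dangling_sha'][:10]} dropped by {o['actor']} at {o['at']}")
    for kind, redacted in scan_for_secrets(SAMPLE_DIFF):
        print(f"  possible {kind}: {redacted}")
```

Matches are printed redacted so a triage log does not itself become a second copy of the secret; in practice the flagged commit would be fetched by SHA and run through a full scanner such as TruffleHog.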
Important Details:
- Sharon used a custom version of an open-source tool to scan all of GitHub's "Oops commits" since 2020 and found many secrets.
- He manually explored the data by filtering out commits from authors with generic email addresses and focusing on those with corporate emails.
- He used a front-end-only interface with filters to quickly review and mark secrets.
- The most interesting leaked secrets were GitHub personal access tokens (PATs) and AWS credentials.
- The Istio example shows the potential impact of a leaked secret with admin access to many repositories.
- Istio is an open-source service mesh used by many organizations.
- The team at Istio acted quickly to revoke the leaked GitHub PAT.