Reputation: 11
Yes, I did it. What amazes me is that bots are scanning GitHub searching for free API keys. I can understand that, but what is weird is that they were able to activate a different API (Compute Engine), host 3 virtual machines and use them to mine crypto. A question is: isn't it a vulnerability that they can host virtual machines and use a different API? I had to shut down the whole project.
Upvotes: 1
Views: 1215
Reputation: 1326616
Note that, since Aug. 2021:
Secret scanning org-level REST API
GitHub Advanced Security customers can now retrieve private repository secret scanning results at the organization level via the GitHub REST API.
This new endpoint, in beta, supplements the existing repository-level endpoint.
The API is: `GET /organizations/:organization_id/secret-scanning/alerts`.
See "About secret scanning for private repositories"
In your case, querying that new (still beta) API endpoint can be a good practice, to be alerted before an attacker has time to do much damage.
And this is also for public repositories!
Secret scanning is now available for free on public repositories (Dec. 2022)
Previously, only organizations with GitHub Advanced Security could enable secret scanning's user experience on their repositories.
Now, any admin of a public repository on GitHub.com can detect leaked secrets in their repositories with GitHub secret scanning. The new secret scanning user experience complements the secret scanning partner program, which alerts over 100 service providers if their tokens are exposed in public repositories.
You can read more about this change and how secret scanning can protect your contributions in our blog post.
Upvotes: 0
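A minimal local check in the spirit of the secret scanning described above, as an added example rather than GitHub's scanner or the answer's own code. It looks for the two credential shapes from the question (Google API keys and GCP service-account JSON key files) and uses constructed placeholder values only:

```python
"""Detect Google API keys and GCP service-account key files in text before it
is committed (added example; not GitHub's scanner, not the answer's code)."""
import json
import re
from typing import NamedTuple

# Google API keys are 39 characters that start with "AIza".
GOOGLE_API_KEY_RE = re.compile(r"\bAIza[0-9A-Za-z\-_]{35}\b")
# Service-account JSON keys embed a PEM private key and an IAM e-mail address.
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA )?PRIVATE KEY-----")
SA_EMAIL_RE = re.compile(r"[a-z0-9\-]+@[a-z0-9\-]+\.iam\.gserviceaccount\.com")

class Finding(NamedTuple):
    path: str
    line: int  # 0 means the finding applies to the whole file
    kind: str

def scan_text(text: str, path: str = "<string>") -> list[Finding]:
    """Return one Finding per credential-shaped match in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if GOOGLE_API_KEY_RE.search(line):
            findings.append(Finding(path, lineno, "google_api_key"))
        if PRIVATE_KEY_RE.search(line):
            findings.append(Finding(path, lineno, "private_key_pem"))
        if SA_EMAIL_RE.search(line):
            findings.append(Finding(path, lineno, "service_account_email"))
    try:  # whole-file check: JSON that declares itself a service account key
        doc = json.loads(text)
    except ValueError:
        doc = None
    if isinstance(doc, dict) and doc.get("type") == "service_account":
        findings.append(Finding(path, 0, "service_account_json"))
    return findings

# Constructed samples (placeholder values, not real credentials).
SAMPLE_CONFIG = 'maps_key = "AIza0123456789abcdefghijklmnopqrstuvwxy"\n'
SAMPLE_SA_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "ci-bot@example-project.iam.gserviceaccount.com",
}, indent=2)
SAMPLE_CLEAN = "# nothing to see here\nregion = us-central1\n"

if __name__ == "__main__":
    for name, text in [("config.py", SAMPLE_CONFIG), ("key.json", SAMPLE_SA_JSON)]:
        for f in scan_text(text, name):
            print(f"{f.path}:{f.line}: {f.kind}")
```

Run it as a pre-commit hook over staged files to catch a key before it is pushed; a match should block the commit and trigger key rotation, not just a warning.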
Reputation: 4443
Depending on the role assigned to the compromised service account, an attacker can do everything or nothing.
There are some basic "best practices" regarding keys and service accounts that should be useful to you.
Generally use (if possible) a different service account to manage VMs and/or rotate keys weekly or twice a week (just like the Google-managed ones), and avoid putting any API keys into repositories that can/will be synchronised with public ones :)
Yes - sounds silly, but slip-ups happen, and this will make unauthorised access way less likely or impossible.
Also following the "least privilege" rule may be worth going for - compromised credentials will not be of much use then.
Upvotes: 1