Ahh shhgit! – Find leaked secrets in real time across GitHub, GitLab and BitBucket

Software developers can accidentally leak sensitive information, particularly secret keys for third-party services, across code hosting platforms such as GitHub, GitLab and BitBucket. These secrets — including the data they were protecting — end up in the hands of bad actors, which ultimately leads to significant data breaches.

Imagine being able to monitor the entirety of GitHub, GitLab and BitBucket in real time to find any accidentally committed secrets. Well, we’re in luck. All three platforms provide a public ‘real time firehose’ events API that details various activity streams on the site, including code commits.

Ahh shhgit! will watch this real-time stream and pull out any accidentally committed secrets.

shhgit: find secrets in real time across GitHub, GitLab and BitBucket →
Ahh shhgit! (Introductory Blogpost) →

⚠️ Don’t think you can quickly undo the commit (and force push) to remove your leaked secret. Once it’s out there, it will be abused. See The $2375 Amazon AWS mistake for example.
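Because a pushed secret cannot be recalled, this kind of pattern matching is most useful before a commit leaves your machine. The following is an added example, not shhgit's code: it scans only the lines a unified diff adds (for instance the output of `git diff --cached`). The two signatures, the assignment rule and the 3.5 bits-per-character entropy threshold are assumptions chosen for illustration.

```python
import math
import re
from collections import Counter

# Illustrative rules chosen for this example; they are not shhgit's signatures.
SIGNATURES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}
# Secret-sounding name assigned a quoted value; reported only if the value looks random.
ASSIGNMENT = re.compile(
    r"(?i)\b\w*(?:secret|token|passw(?:or)?d|api_?key)\w*\s*[:=]\s*['\"]([^'\"]{16,})['\"]")
HUNK = re.compile(r"^@@ -\d+(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

def entropy(s):  # Shannon entropy in bits per character
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def scan_diff(diff_text, min_entropy=3.5):
    """Return (path, new_line_number, rule) for secrets on lines the diff adds."""
    findings, path, lineno, old_left, new_left = [], None, 0, 0, 0
    for line in diff_text.splitlines():
        if old_left <= 0 and new_left <= 0:      # between hunks: headers only
            if line.startswith("+++ "):
                path = line[4:].removeprefix("b/")
            elif (m := HUNK.match(line)):
                old_left, lineno, new_left = (int(g or 1) for g in m.groups())
            continue
        if line.startswith(("-", "\\")):         # removed line or "\ No newline" marker
            old_left -= line.startswith("-")
            continue
        if line.startswith("+"):
            rules = [name for name, rx in SIGNATURES.items() if rx.search(line)]
            if any(entropy(m.group(1)) >= min_entropy for m in ASSIGNMENT.finditer(line)):
                rules.append("high_entropy_assignment")
            findings += [(path, lineno, rule) for rule in rules]
        else:                                    # context line exists on both sides
            old_left -= 1
        new_left -= 1
        lineno += 1
    return findings

# Constructed sample diff; the key ID is a non-functional placeholder value.
SAMPLE_DIFF = '''--- a/app/settings.py
+++ b/app/settings.py
@@ -10,2 +10,3 @@
 DEBUG = False
-AWS_KEY = os.environ["AWS_KEY"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+api_token = "q8Zr2LmX0vTn5KdYw3Hs"'''
```

Run from a pre-commit hook, a non-empty result from `scan_diff` is the signal to block the commit. Removed lines are skipped on purpose, since a secret that is being deleted was already exposed by an earlier commit and needs rotation rather than a scan hit.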

Published by Bramus!
