Ahh shhgit! – Find leaked secrets in real time across GitHub, GitLab and BitBucket

Software developers can accidentally leak sensitive information, particularly secret keys for third party services, across code hosting platforms such as GitHub, GitLab and BitBucket. These secrets — including the data they were protecting — end up in the hands of bad actors which ultimately leads to significant data breaches.

Imagine being able to monitor the entirety of GitHub, GitLab and BitBucket to find any secrets accidentally committed in real time. Well, we’re in luck. All three platforms provide a public ‘real time firehose’ events API that details various activity streams on the site, including code commits.

Ahh shhgit! will watch this real-time stream and pull out any accidentally committed secrets.

shhgit: find secrets in real time across GitHub, GitLab and BitBucket →
Ahh shhgit! (Introductory Blogpost) →
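As an added illustration (this is not shhgit’s own code or rule set), the script below shows the core of what such a watcher does: take push events in the shape the GitHub public events API returns, look at the content of each commit, and run signature regexes plus a Shannon-entropy check over it. Everything in it is constructed for the example: the events, the file contents, the three signatures and the entropy threshold are assumptions, and the `files` mapping on each commit stands in for content a real watcher has to fetch per commit, since the events API only lists commit SHAs.

```python
import math
import posixpath
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    repo: str
    commit: str
    path: str
    line: int
    rule: str
    sample: str  # redacted match, never the full secret


# Illustrative signatures (assumed for this example, not shhgit's actual rules).
SIGNATURES: Dict[str, re.Pattern] = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "GitHub personal access token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "Private key block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}

# KEY=value lines in .env-style files; value stops at quotes, whitespace or a comment.
ENV_ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*['\"]?([^'\"\s#]+)")
ENTROPY_MIN_LEN = 20    # assumed tunables: short values are rarely secrets,
ENTROPY_THRESHOLD = 4.0  # and English-like values sit well below 4 bits/char


def shannon_entropy(s: str) -> float:
    """Bits per character; random base64/hex material scores high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def redact(value: str) -> str:
    """Keep a short prefix for triage, mask the rest so reports don't re-leak the secret."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(repo: str, sha: str, path: str, text: str) -> List[Finding]:
    """Signature pass on every line; entropy pass only on .env files and only
    on lines that no signature already explained."""
    findings: List[Finding] = []
    is_env = posixpath.basename(path).startswith(".env")
    for lineno, line in enumerate(text.splitlines(), 1):
        hit = False
        for rule, pattern in SIGNATURES.items():
            m = pattern.search(line)
            if m:
                findings.append(Finding(repo, sha, path, lineno, rule, redact(m.group(0))))
                hit = True
        if hit or not is_env:
            continue
        m = ENV_ASSIGNMENT.match(line)
        if m:
            value = m.group(2)
            if len(value) >= ENTROPY_MIN_LEN and shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(repo, sha, path, lineno,
                                        "high-entropy value in env file", redact(value)))
    return findings


def scan_events(events: List[dict]) -> List[Finding]:
    """Walk a batch of public events, keeping only pushes, and scan each commit."""
    findings: List[Finding] = []
    for ev in events:
        if ev.get("type") != "PushEvent":
            continue
        repo = ev["repo"]["name"]
        for commit in ev["payload"]["commits"]:
            # "files" is our stand-in for content fetched per commit (assumption).
            for path, text in commit.get("files", {}).items():
                findings.extend(scan_text(repo, commit["sha"], path, text))
    return findings


# Constructed sample events; the key values are documentation placeholders, not real credentials.
SAMPLE_EVENTS = [
    {"type": "WatchEvent", "repo": {"name": "example-org/other"}, "payload": {}},
    {"type": "PushEvent", "repo": {"name": "example-org/webapp"}, "payload": {"commits": [
        {"sha": "a1b2c3d", "files": {
            ".env": ("AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                     "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
                     "SESSION_COOKIE_NAME=my_application_session_cookie\n"
                     "APP_ENV=production\n"),
            "config.js": 'const token = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"; // constructed\n',
            "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\n(constructed placeholder, no key material)\n",
            "README.md": "# webapp\n\nKeys starting with AKIA... are AWS access key IDs; never commit them.\n",
        }},
    ]}},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.repo}@{f.commit} {f.path}:{f.line} {f.rule}: {f.sample}")
```

Two design points worth keeping when you build something like this for real: report only a redacted prefix, because the finding itself tends to end up in a ticket or chat channel; and run the entropy check only where a signature did not already fire, otherwise every AWS key ID is reported twice.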

⚠️ Don’t think you can quickly undo the commit (and force push) to remove your leaked secret. Once it’s out there, it will be abused; the only remedy is to revoke the credential immediately, issue a new one and treat whatever it protected as exposed. See The $2375 Amazon AWS mistake for example.

Visual Studio Code: Visually Hide Secrets in Environment Files with Cloak

Sparked by an idea by Wes Bos, John Papa has created and released a first version of Cloak:

Cloak hides/shows your secrets in environment files, to avoid accidentally sharing them with everyone who sees your screen.

Handy when doing screencasts and the like.

Do note that it only visually hides the secrets; the file itself is not changed, so it does nothing to stop the file being copied, committed or read by another tool. Only ENV files are supported for now.

Visual Studio Marketplace: Cloak →