Password.txt Github May 2026

A university research team stored database passwords in password.txt for a COVID-19 data portal. A security researcher found the file via GitHub search, notified the team, and found that the same credentials also unlocked an internal server with 10,000 student Social Security numbers. The university faced a GDPR fine of €200,000.

Install a pre-commit hook that scans for high-risk patterns:

# .pre-commit-config.yaml
repos:
  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.5.0
    hooks:
      - id: detect-secrets
        args: ['--baseline', '.secrets.baseline']

Now git commit will block any attempt to add a file containing potential secrets.


-----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEA...

Attackers don't manually scan for these. They use automated scripts that leverage GitHub’s REST API to search for filename:password.txt in real time.

Deleting the file and committing a new version is not enough. The file remains in the repository’s history. Use git filter-branch or (preferably) BFG Repo-Cleaner:

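# Using BFG Repo-Cleaner (my-repo.git is assumed to be a bare mirror clone made with git clone --mirror)
java -jar bfg.jar --delete-files password.txt my-repo.git
# Expire old refs and garbage-collect inside the cleaned repository
cd my-repo.git
git reflog expire --expire=now --all && git gc --prune=now --aggressive
# Overwrite the remote history with the rewritten one
git push --force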
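
To check the point above that a deleted file stays in history, and to confirm a cleanup actually removed it, the following added example (not part of the original page) parses git log --all --name-status output for high-risk filenames. The filenames other than password.txt and the sample log are constructed assumptions.

```python
# Added example: audit Git history for high-risk filenames.
import subprocess
from pathlib import PurePosixPath

# Assumption: names treated as high-risk; only password.txt comes from the page.
RISKY_NAMES = {"password.txt", "passwords.txt", "id_rsa"}

# Constructed sample of `git log --all --name-status --format="commit %H"` output.
SAMPLE_LOG = (
    f"commit {'3' * 40}\n\nD\tconfig/password.txt\n"
    f"commit {'2' * 40}\n\nR100\tpassword.txt\tconfig/password.txt\n"
    f"commit {'1' * 40}\n\nA\tREADME.md\nA\tpassword.txt\n"
)

def find_risky_paths(log_text, risky=RISKY_NAMES):
    """Return (commit, status, path) for every history entry touching a risky filename."""
    hits, commit = [], None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
            continue
        fields = line.split("\t")
        if len(fields) < 2:
            continue  # blank separator lines between header and file list
        status, paths = fields[0], fields[1:]  # renames/copies list old and new path
        for path in paths:
            if PurePosixPath(path).name.lower() in risky:
                hits.append((commit, status[0], path))
    return hits

def still_recoverable(hits):
    """True if any commit added, modified or renamed a risky file (content is in history)."""
    return any(status != "D" for _, status, _ in hits)

def audit_repo(repo_dir="."):
    """Run the same audit against a real clone (requires git on PATH)."""
    out = subprocess.run(
        ["git", "-C", repo_dir, "log", "--all", "--name-status", "--format=commit %H"],
        capture_output=True, text=True, check=True).stdout
    return find_risky_paths(out)

if __name__ == "__main__":
    hits = find_risky_paths(SAMPLE_LOG)
    for commit, status, path in hits:
        print(f"{commit[:8]} {status} {path}")
    print("recoverable from history:", still_recoverable(hits))
```

In the sample, the latest commit deletes the file, yet earlier commits still carry it; after a successful history rewrite, audit_repo() on a fresh clone should return an empty list.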