CyberSecurity SEE

HasMySecretLeaked uncovers exposed secrets in GitHub repositories


A new service called HasMySecretLeaked has been introduced to address the long-standing problem of hard-coded credentials and other sensitive secrets being exposed through public code repositories. According to reports, over 10 million instances of credential leaks were detected on GitHub in 2022 alone. To combat this problem, the security firm GitGuardian has assembled a database of 20 million exposed secrets collected since 2020, and that database can now be queried securely and privately through the HasMySecretLeaked service.

While GitHub already has its own service for notifying repository owners about detected secrets in their public repositories, GitGuardian’s service covers a wider range of secrets. The service monitors various types of hard-coded secrets, including cloud API access keys, database passwords, encryption keys, username and password combinations, messaging tokens, SSH credentials, and email passwords.

GitGuardian has been diligently scanning every public code commit on GitHub for hard-coded secrets for several years. The company has continuously refined its detection algorithms, expanded the list of supported credential formats, and minimized false-positive rates. In 2020, they discovered 3 million exposed secrets on GitHub, and the numbers increased to 6 million in 2021 and over 10 million in 2022.

Based on their research and findings, GitGuardian has released an annual report called “The State of Secrets Sprawl.” The company has also utilized this data to develop and enhance its own code security platform. This platform aims to prevent developers and engineers from accidentally leaking secrets in their code, build scripts, Docker images, configuration files, and more.

One of the key features of HasMySecretLeaked is that it searches not only an organization’s own repositories but also repositories owned by other parties. While other secret-detection services primarily serve repository owners, this service lets an organization check whether any of its known secrets have leaked anywhere on GitHub. This covers cases where a developer publishes code in a personal public repository and forgets to remove a token belonging to the organization, as well as cases where developers contributing to community projects accidentally leave private credentials in the code.

This new service from GitGuardian gives organizations an additional layer of protection by checking for leaked secrets beyond the repositories they control. With this wider coverage, organizations gain more insight into the exposure of their secrets and can take the necessary actions, such as rotating the affected credentials, to mitigate the risk. Given the growing number of credential leaks on platforms like GitHub, it is crucial for organizations to make use of such services to protect their sensitive information.
