GitGuardian’s Secret-Spotting Service Finds Over 10 Million Secrets in 2022
To help developers determine whether sensitive information such as passwords, API keys, and private keys has unintentionally made its way into public GitHub repositories, GitGuardian introduced its HasMySecretLeaked service.
GitGuardian scanned a very large volume of public GitHub commit data and found millions of secrets in it: over 10 million in 2022 alone. The figure shows that exposure of sensitive information in public repositories is a prevalent and growing problem for development teams, not an occasional accident.
To let a user ask "has this secret leaked?" without handing the secret over, GitGuardian developed a secret-fingerprinting protocol. The secret is hashed on the user's side (with the associated data encrypted), and only a partial hash is shared with GitGuardian. A hash prefix is enough to narrow the search to a bucket of candidate matches, but because many different secrets share the same prefix it does not identify the secret being checked, and the full secret never leaves the user's machine.
GitGuardian also chose to put the encrypting and hashing tooling on the client side, so the user controls the process end to end: the hash can be generated locally with a Python script and the output pasted into the HasMySecretLeaked web interface without the secret itself ever being disclosed.
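The following is an added illustration of the hash-prefix (k-anonymity) style of lookup described above; it is not GitGuardian's code and not its exact protocol. The prefix length, the key derivation, the record format and the sample "leaked" secrets are all assumptions made for this demo, and the HMAC-based encryption is a stand-in for the real AEAD a production service would use. It shows the part that matters: the client hashes locally, sends only a prefix, receives a bucket of encrypted records, and can open only the record that belongs to the secret it actually holds.

```python
"""
Added illustration of a hash-prefix (k-anonymity) secret check.
NOT GitGuardian's code or its exact protocol: the prefix length, key
derivation, record format and sample data are assumptions for this demo.
Standard library only.
"""
import hashlib
import hmac
import json
import secrets
from typing import Optional

PREFIX_LEN = 5  # assumed number of hex characters the client reveals to the server


def fingerprint(secret: str) -> str:
    """Full SHA-256 hex digest of the secret, computed locally; never sent whole."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def prefix_of(secret: str) -> str:
    """The only thing that leaves the client: a short prefix of the hash."""
    return fingerprint(secret)[:PREFIX_LEN]


def derive_key(full_hash: str) -> bytes:
    """Demo KDF: only a party holding the full hash (i.e. the secret) can derive the record key."""
    return hmac.new(full_hash.encode("ascii"), b"demo-record-key", hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; a demo stand-in for a real AEAD such as AES-GCM.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_record(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC: XOR with the keystream, then tag nonce||ciphertext."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt_record(key: bytes, record: dict) -> Optional[bytes]:
    """Return the plaintext, or None when the tag does not verify under this key."""
    nonce = bytes.fromhex(record["nonce"])
    ct = bytes.fromhex(record["ct"])
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(record["tag"])):
        return None  # wrong key: this record belongs to a different secret in the same bucket
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class DemoLookupServer:
    """Stand-in for the lookup API. It stores hash prefixes and ciphertexts only."""

    def __init__(self, leaked: list) -> None:
        self.buckets: dict = {}
        for secret, location in leaked:
            full = fingerprint(secret)
            payload = json.dumps({"hash": full, "location": location}).encode()
            rec = encrypt_record(derive_key(full), payload)
            self.buckets.setdefault(full[:PREFIX_LEN], []).append(rec)

    def lookup(self, prefix: str) -> list:
        """Server never sees more than the prefix; it returns the whole bucket."""
        if len(prefix) != PREFIX_LEN:
            raise ValueError("client must send exactly the hash prefix, never the full hash")
        return list(self.buckets.get(prefix, []))


def check_secret(server: DemoLookupServer, secret: str) -> Optional[str]:
    """Client side: send the prefix, try to open every returned record, keep the one that fits."""
    full = fingerprint(secret)
    key = derive_key(full)
    for rec in server.lookup(full[:PREFIX_LEN]):
        plaintext = decrypt_record(key, rec)
        if plaintext is not None:
            info = json.loads(plaintext)
            if info["hash"] == full:
                return info["location"]
    return None


def expected_bucket_size(total_secrets: int, prefix_len: int = PREFIX_LEN) -> float:
    """Rough anonymity set per prefix: how many stored secrets share one bucket on average."""
    return total_secrets / 16 ** prefix_len


# Constructed sample data for the demo; these are not real leaked credentials.
LEAKED_SAMPLE = [
    ("ghp_demoTokenNotReal0000000000000000001", "example-org/web@a1b2c3d:config/.env"),
    ("AKIADEMONOTREALKEY01", "example-org/infra@f00dcafe:terraform/main.tf"),
]

if __name__ == "__main__":
    server = DemoLookupServer(LEAKED_SAMPLE)
    for s in ("AKIADEMONOTREALKEY01", "this-secret-was-never-pushed"):
        print(prefix_of(s), "->", check_secret(server, s))
    print("avg records per bucket for 10M secrets:", expected_bucket_size(10_000_000))
```

Two things worth checking in any real deployment of this pattern: the size of the anonymity set (with a 5-hex-character prefix there are about one million buckets, so a corpus of 10 million secrets gives roughly ten records per bucket, and a server that pads small buckets with decoys hides low-count prefixes better), and the fact that the server can still log which prefixes a client asks about; the prefix is unlinkable to a specific secret only as long as the bucket stays reasonably full.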
Users of the open-source ggshield CLI can go one step further and read the CLI's source to see exactly what the command does with the secret before sending anything. That level of transparency is what makes a "hash it locally" promise checkable rather than something to take on trust.
The service found an audience quickly: over 9,000 secrets were checked through HasMySecretLeaked within the first few weeks of its launch, which suggests how widespread the need for such a tool is.
For developers concerned about their sensitive information, the HasMySecretLeaked checker lets them test up to five secrets per day for free through the web interface, and more through the ggshield CLI. A positive result means the secret has already appeared in public data and must be rotated; deleting it from the repository is not enough, since it remains in git history and in any clone. The transparent, client-side approach GitGuardian took is also a useful model for anyone building a similar lookup service that needs to put user privacy first.
In conclusion, GitGuardian's HasMySecretLeaked service is a practical step toward addressing the pervasive problem of leaked secrets. By designing a protocol in which the secret never leaves the user's machine, and by giving users the means to verify that claim, GitGuardian has set a sensible standard for security-conscious developer tools.