May 9, 2022 github opsec
Every morning I tend to browse a few feeds: r/programming, r/linux, and Github Trending. That’s how I stumbled across ggshield and as a result, also BFG Repo-Cleaner. I decided to sign up for GitGuardian to see if it’d find anything feeling quite confident. Quickly my hubris was shattered with 31 open secrets!
Now, full disclosure, 13 of the 31 secrets were in a repository that a friend added me to for some help and another 15 were in private repositories. However, I would consider myself very careful with what I commit so this number was still quite shocking.
I had a quick look into every incident to see if it actually required attention. One stood out and I cannot believe I did this… I committed my SSH private key.
Some credit where it’s due though, the commit message when deleting it was “jan you’re a moron” and I must have generated a new private key when I realized. Nonetheless, why I didn’t look into cleaning the commit message is beyond me so let’s look into that now.
I previously mentioned the BFG Repo-Cleaner so I quickly installed that with
yay -S bfg. Looking at
bfg -h I see
--delete-folders <glob> delete folders with the specified names (eg '.svn', '*-tmp' - matches on folder name, not path within repo)
which is PERFECT.
git clone --mirror REPO_URL (the
--mirror is very important) and cd into the project dir. I ran
bfg --delete-folders "ssh" ./ followed by
git reflog expire --expire=now --all && git gc --prune=now --aggressive (this big command is printed at the end of the bfg logs to ensure the updates are propagated). One final command,
git push, and now hey presto it’s gone!
I learnt a few things today:
git addsomething unsavoury without thinking about it.
Yes the private key had been changed but it might still be listed as an authorized key on another server. You just don’t know and as such, being proactive about it and cleaning your git history is probably a good idea.