[PSA] Avoiding leaking secret keys in chromium source via keyhunt


Anthony Polito

Apr 13, 2021, 7:52:23 PM
to chops-source-team

Recently we've had some accidental submissions of API keys/secrets that would have been caught by keyhunt, an internal security analyzer that does a good job of detecting secrets before they get saved by Gerrit. In order to prevent future leaks, we will be turning on keyhunt for all chromium repos on Monday, April 19th, 2021.


In cases where the upload is intentional you can override this behavior with the --push-option flag:

  • git push --push-option=nokeycheck

  • git cl upload --push-option=nokeycheck


(Don’t worry! The push/upload failure message will remind you of this, do not feel like you need to memorize yet another git flag.)


It's possible that this may catch existing issues, and if you need to submit you can always override the check. But if it's a real secret that is being caught, it would be nice to let the correct team know that they have a problem.


If you have any issues please file a bug under Infra>Codereview>Gerrit component.


--Chops Source Team


Anthony Polito

Apr 20, 2021, 2:24:52 PM
to chops-source-team
Follow up: this was turned on Monday as planned.