Do you know if you have exposed secrets in your github repositories?

18 views
Skip to first unread message

Michael Wimble

unread,
May 20, 2026, 2:07:41 PM (yesterday) May 20
to hbrob...@googlegroups.com
Because of an article on Slashdot about a really, really stupid github mistake someone made about exposing passwords and other secrets, I recently asked AI to look over not only my personal repos, both public and private but to also look into the complete commit history of every repo, looking for secrets that might be exposed in my many repos. I asked the github AI to suggest an e-mail to share where you can also check for exposed information. Here it is:

I recently audited my GitHub repos for exposed secrets and recommend you do the same.

Please ask your AI assistant something like:

“Look through all of my GitHub repositories, including private ones if you have access, and check both the current files and searchable git history for exposed secrets such as passwords, API keys, tokens, private keys, .env files, credentials.json, cloud credentials, SSH keys, and anything secret-adjacent. Prioritize confirmed live secrets, list exact files/paths, distinguish real leaks from placeholders/examples, and suggest concrete cleanup steps including rotation and git history rewriting if needed.”


Also manually search your code for:

  • BEGIN PRIVATE KEY
  • AKIA
  • ghp_
  • github_pat_
  • AIza
  • api_key
  • secret
  • token
  • password
  • .env
  • credentials.json
  • id_rsa
  • id_ed25519


If you find a real secret:

  1. Rotate/revoke it immediately.
  2. Remove it from the current code.
  3. If it was pushed, consider removing it from git history too.

For future prevention, I strongly recommend setting up both a local pre-commit secret scan and GitHub secret scanning.


Option A: pre-commit + detect-secrets

bash
python3 -m pip install --user pre-commit detect-secrets
cd /path/to/your/repo
cat > .pre-commit-config.yaml <<'EOF'
repos:
  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.5.0
    hooks:
      - id: detect-secrets
        args: ['--baseline', '.secrets.baseline']
EOF

detect-secrets scan > .secrets.baseline
pre-commit install
pre-commit run --all-files


Option B: gitleaks pre-commit hook Install gitleaks, then in your repo:

bash
mkdir -p .githooks
cat > .githooks/pre-commit <<'EOF'
#!/usr/bin/env bash
gitleaks protect --staged --verbose
EOF
chmod +x .githooks/pre-commit
git config core.hooksPath .githooks


Also add ignores for common local secret files:

gitignore
.env
.env.*
*.pem
*.key
*.p12
*.pfx
credentials.json
people.json
secrets.yml
secrets.yaml


On GitHub, also enable secret scanning / push protection in repository security settings if your plan supports it.

Chris Albertson

unread,
May 20, 2026, 2:47:46 PM (yesterday) May 20
to hbrob...@googlegroups.com
Thanks.  I’m dumb and never thought about what was in the historic versions.  I think a password was put there before I got slightly smarter about it.  Someone could go back a year or two and find it.   But on the other hand, that password is not so valuable.
Now I’m trying to think about the best way.   If you leave the files out the software will not build.  I’m thinking example passwords are the best way.  Just use “mySSID: and “myPassord” and “DEADBEEF” for any hex format fields.

While on the subject of Internet safety, I just bought a new router and I was logged into it and just looking around and noticed that I have a HUGE pile of IPv6 devices.  In fact, my IPv6 address outnumbers the IPv4 address and IPv6 is not NAT’d so potentially they could be public.   Potentially, someone in some faraway place could “ping” one of my light bulbs or a thermostat.      It is worth at least looking to see it you have IPv6 handled reasonably well.     Being an “old guy,” I had not thought much about IPv6 until recently.

Pito Salas

unread,
May 20, 2026, 4:52:38 PM (yesterday) May 20
to hbrob...@googlegroups.com
Check out a free tool called doppler.com. It lets you keep your secrets securely in the cloud and then use an encantation to pull them into your various files, yamls etc.

Best,

Pito

Boston Robot Hackers &&
Comp. Sci Faculty, Brandeis University (Emeritus)
> bashpython3 -m pip install --user pre-commit detect-secrets
> cd /path/to/your/repo
> cat > .pre-commit-config.yaml <<'EOF'
> repos:
> - repo: https://github.com/Yelp/detect-secrets [github.com]
> rev: v1.5.0
> hooks:
> - id: detect-secrets
> args: ['--baseline', '.secrets.baseline']
> EOF
>
> detect-secrets scan > .secrets.baseline
> pre-commit install
> pre-commit run --all-files
>
>
> Option B: gitleaks pre-commit hook Install gitleaks, then in your repo:
> bashmkdir -p .githooks
> cat > .githooks/pre-commit <<'EOF'
> #!/usr/bin/env bash
> gitleaks protect --staged --verbose
> EOF
> chmod +x .githooks/pre-commit
> git config core.hooksPath .githooks
>
>
> Also add ignores for common local secret files:
> gitignore.env
> .env.*
> *.pem
> *.key
> *.p12
> *.pfx
> credentials.json
> people.json
> secrets.yml
> secrets.yaml
>
>
> On GitHub, also enable secret scanning / push protection in repository security settings if your plan supports it.
>
> --
> You received this message because you are subscribed to the Google Groups "HomeBrew Robotics Club" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to hbrobotics+...@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/hbrobotics/C447F63B-55A2-4E15-872D-8CE3A56C4505%40gmail.com [groups.google.com].

Reply all
Reply to author
Forward
0 new messages