
What absolute incompetence. Not just on this dev, but any org with API keys ought to be scanning for leaked keys constantly. Failure of one and failure of many.

Of course Elon hires only based on 'merit'...



How would you scan for your api keys on repos outside of your organization? I assumed this was a dev’s personal repo.



Neat. Thanks!



This was on public GitHub, which anyone can scan for anything. Their API is a firehose you can consume: https://api.github.com/events

GitGuardian's public report on secrets sprawl talks about their methodology of scanning any commit https://www.gitguardian.com/state-of-secrets-sprawl-report-2...


The company I work for does this. I recently pushed an update to a personal repo that just contained a keyword match (the push included a dictionary.txt file which happened to include the company name) which flagged a review.
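The kind of check discussed in this thread, sketched as an added example that is not part of any comment above and not any vendor's actual method: it scans the files of one push for an organization's key format and for bare mentions of its name, and ranks a name-only hit (like the dictionary.txt case) below a key-shaped one. The org name `acme`, the `acme_live_` key format, the entropy threshold and the sample files are all assumptions constructed for illustration.

```python
import math
import re

# Assumption: the hypothetical org "acme" issues keys as "acme_live_" + 32 alphanumerics.
PREFIX = "acme_live_"
KEY_RE = re.compile(r"\b" + PREFIX + r"[A-Za-z0-9]{32}\b")
KEYWORD_RE = re.compile(r"\bacme\b", re.IGNORECASE)

def shannon_entropy(s):
    """Bits per character: random key bodies score high, placeholders score low."""
    return -sum((s.count(c) / len(s)) * math.log2(s.count(c) / len(s)) for c in set(s))

def scan_push(files):
    """files maps path -> text of a pushed file.
    Returns (path, line_no, kind, severity) tuples. The matched secret itself
    is deliberately not copied into the finding."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            match = KEY_RE.search(line)
            if match:
                body = match.group(0)[len(PREFIX):]
                # Threshold of 3.5 bits/char is an assumed cut-off for this sketch.
                severity = "high" if shannon_entropy(body) >= 3.5 else "low"
                findings.append((path, line_no, "key", severity))
            elif KEYWORD_RE.search(line):
                # Name-only hit: worth a human review, not an incident by itself.
                findings.append((path, line_no, "keyword", "review"))
    return findings

# Constructed sample push: a word list, a key-shaped string, and a docs placeholder.
SAMPLE_PUSH = {
    "dictionary.txt": "acid\nacme\nacne\n",
    "config.py": 'API_KEY = "acme_live_7hQ2mZ9xLp4RtV8bYc3NwK6sJd1FgA5u"\n',
    "README.md": "export KEY=acme_live_" + "X" * 32 + "\n",
}

if __name__ == "__main__":
    for finding in scan_push(SAMPLE_PUSH):
        print(finding)
```
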



