Original post date: July 29, 2024
Last updated: July 29, 2024
A typical workflow on GitHub is to fork a repo, commit and push some data (maybe some API secrets), and then delete the fork. The secrets appear to be gone. But are your commits gone? Not really.
This issue affects all types of developers, as every project likely has at least one dependency hosted on GitHub.
Truffle Security has recently published a blog post about a concerning feature of GitHub: in many cases, commits from deleted forks are still available if you know the commit hash. The same applies to commits from certain private repos that have later been made public. This is a potential risk that all developers should be aware of.
The “feature” is an architecture decision and is there on purpose.
Access to deleted data does not work in all situations: if a repo was never made public, its data seems not to be accessible.
Based on this information, some best practices for using public forges:
- Do not commit secrets to public forges, even to private forks. There might be an issue like the above, or someone could accidentally make your fork public.
- If you need to commit secrets, encrypt your repository first… and keep the (private) key safe.
- Use secret scanning: forges offer this feature, so use it to detect secrets pushed by mistake.
- If you have highly confidential changes (for example, a fix for a severe vulnerability under an embargo), consider using self-hosted infrastructure until you can publicize that information.
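Since a pushed secret may stay reachable by commit hash even after the fork is deleted, the cheapest control is to catch it before the push. The following is an added example (not code from the original post or from Truffle Security): a minimal pre-commit hook that scans the staged diff for a few credential patterns. The patterns and the sample diff are constructed for illustration; the AWS key below is the example value from AWS's own documentation.

```python
"""Scan a unified diff for added lines that look like secrets.

Meant to run as a git pre-commit hook on `git diff --cached`, so a secret is
rejected before it reaches a forge, where a deleted fork or commit may still
be reachable by hash.
"""
import re
import subprocess
import sys

# Illustrative patterns (an assumption); extend to the credential types you use.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:password|secret|api_key|token)\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
}

# Constructed sample diff: one replaced line and two new ones carry secrets.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-AWS_KEY = os.environ["AWS_KEY"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+GH_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
 DEBUG = False
+password = "correct horse battery"
"""

def find_secrets(diff_text):
    """Return [(path, new_line_number, pattern_name, line)] for added lines that match."""
    findings, path, lineno = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")          # file the hunks below belong to
        elif raw.startswith("@@"):
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
            lineno = int(m.group(1)) if m else 0       # first line number on the new side
        elif raw.startswith("+"):                      # added line: the only kind that matters
            line = raw[1:]
            findings += [(path, lineno, n, line.strip()) for n, p in PATTERNS.items() if p.search(line)]
            lineno += 1
        elif raw.startswith(" "):                      # unchanged context line
            lineno += 1

    return findings

def main():
    diff = subprocess.run(["git", "diff", "--cached", "--unified=0"],
                          capture_output=True, text=True, check=True).stdout
    hits = find_secrets(diff)
    for path, lineno, name, line in hits:
        print(f"{path}:{lineno}: possible {name}: {line}", file=sys.stderr)
    return 1 if hits else 0                            # non-zero exit aborts the commit

if __name__ == "__main__":
    sys.exit(main())
```

Install it as `.git/hooks/pre-commit`; a hook only helps the developer who has it, so keep the forge's own secret scanning enabled as well.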
Comments
[…] and my writeup https://ygreky.com/2024/07/deleted-your-fork-is-it-gone-not-really/ (short version: if you have ever committed any secrets to a GitHub repo, even private, change them […]