GitGuardian / ggshield

Find and fix 400+ types of hardcoded secrets and 70+ types of infrastructure-as-code misconfigurations.
https://gitguardian.com
MIT License
1.64k stars, 146 forks

false positive / confusion following email #5

Closed consideRatio closed 4 years ago

consideRatio commented 4 years ago

I'm not sure where to write about this situation, but decided I'll try here.

I got an email referencing this repo describing that a secret had been exposed in a repo I manage. The referenced exposed secret was actually encrypted by mozilla/sops as intended, so I assume a false positive triggered the email.

Curious about this project, I read up a bit and considered debugging this. I read that an API key was required, but decided against trying to get one since it led to a request to "Act on your behalf". I'm generally concerned about why that was requested.

I hope this experience is relevant for you to be aware about.

(Attached screenshots: "Email" and "API key required".)
Jguer commented 4 years ago

Hey @consideRatio , thanks for the interest in the project,

I've checked and it is indeed not straightforward to sign up without integrating GitHub real-time monitoring. At least for now Sign Up should allow email sign up and the option to not integrate any real time source (and just reach the API Key creation page).

This is something we'll definitely be improving in the future. On the part of the user authentication on the GitHub App, we only read your email (as it says on Resources on your account), but it seems that using the OAuth of the GitHub App for user creation triggers the "Act on your behalf" display. We'll still be investigating this further, but using email sign-up should bypass this for now.

PierreTurnbull commented 4 years ago

Hi @Jguer ,

I also received an email about 30 minutes ago. It warned me about an AWS key, but I did not push any AWS key (though I'm using one on this repo). I triple checked to be sure, and the 4 commits I made today do not contain my AWS key. Also, the "pushed date" displayed in the mail does not correspond to any existing commit on this repo.

GG-HH commented 4 years ago

Hi @PierreTurnbull , thanks for your message. From what I can see, it seems that your repo with the AWS credentials was made public today. We just wanted to make sure that you know that those keys are still present in your Git history (even if revoked). In fact, the pushed date you see is the date when the commit was made public.
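Two situations come up in this thread: a credential that a later commit deleted from the tree but that is still in the repository's history (the reply above), and a value that only looks like a secret because it has already been encrypted by mozilla/sops (the first post). Both can be checked locally before acting on a notification. The following is an added example, not ggshield's code or GitGuardian's detector: a small Python scanner over `git log -p --all` output that reports AWS access key IDs together with the commit and file they were added in, marks keys that some commit later removed, and skips values in the sops `ENC[...]` form. The key-ID pattern, the sops handling, the abbreviated commit hashes and the log text are all assumptions constructed for the example; `AKIAIOSFODNN7EXAMPLE` is the placeholder key ID from the AWS documentation.

```python
import re
from dataclasses import dataclass

# An AWS access key ID is "AKIA" followed by 16 upper-case alphanumerics; the
# lookarounds stop a longer upper-case run from matching. (Pattern assumed here,
# not taken from ggshield.)
AWS_ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])")

# A value already encrypted by mozilla/sops is stored as
# ENC[<cipher>,data:<base64>,iv:<base64>,tag:<base64>,type:<type>]. Such a line
# holds ciphertext, so a key-shaped run inside it is not an exposed secret.
SOPS_ENCRYPTED_VALUE = re.compile(r"ENC\[[A-Z0-9_]+,data:[^\]]*\]")


@dataclass
class Finding:
    commit: str   # abbreviated hash from the "commit ..." header line
    path: str     # file the line was added to
    secret: str   # matched key ID


def scan_git_log(log_text: str, suppress_sops: bool = True):
    """Walk `git log -p --all` output and return (findings, removed_secrets).

    findings: key IDs on added lines, with the commit and file they landed in.
    removed_secrets: key IDs seen on removed lines, i.e. deleted from the tree
    in some commit. A key in both is gone from the working tree but is still
    recoverable from history, which is the point made in the thread above.
    """
    findings = []
    removed = set()
    commit = path = None
    for raw in log_text.splitlines():
        if raw.startswith("commit "):
            commit = raw.split()[1]
        elif raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif raw.startswith("+") and not raw.startswith("+++"):
            added = raw[1:]
            if suppress_sops and SOPS_ENCRYPTED_VALUE.search(added):
                continue  # ciphertext, not a plaintext credential
            for match in AWS_ACCESS_KEY_ID.finditer(added):
                findings.append(Finding(commit, path, match.group(0)))
        elif raw.startswith("-") and not raw.startswith("---"):
            for match in AWS_ACCESS_KEY_ID.finditer(raw[1:]):
                removed.add(match.group(0))
    return findings, removed


def report(findings, removed):
    """One human-readable line per finding, noting whether a deletion exists."""
    lines = []
    for f in findings:
        state = ("deleted from the tree in another commit, but still recoverable from history"
                 if f.secret in removed else "present in the current tree")
        lines.append(f"{f.commit} {f.path}: {f.secret} ({state})")
    return lines


# Constructed `git log -p --all` output (newest commit first); none of this is
# a real repository. The ciphertext run is deliberately key-shaped so that the
# sops suppression has something to suppress.
KEY_SHAPED_CIPHERTEXT = "AKIA" + "A" * 16
SAMPLE_LOG = f"""commit 3c3c3c3
Author: Jane Example <jane@example.invalid>
Date:   Wed Jul 1 12:00:00 2020 +0000

    encrypt credentials with sops

diff --git a/secrets.enc.yaml b/secrets.enc.yaml
new file mode 100644
--- /dev/null
+++ b/secrets.enc.yaml
@@ -0,0 +1,2 @@
+aws_access_key_id: ENC[AES256_GCM,data:{KEY_SHAPED_CIPHERTEXT}xyz=,iv:aXY=,tag:dGFn,type:str]
+aws_secret_access_key: ENC[AES256_GCM,data:c2VjcmV0,iv:aXY=,tag:dGFn,type:str]
commit 2b2b2b2
Author: Jane Example <jane@example.invalid>
Date:   Tue Jun 30 12:00:00 2020 +0000

    remove plaintext key from deploy.env

diff --git a/deploy.env b/deploy.env
--- a/deploy.env
+++ b/deploy.env
@@ -1,2 +1,2 @@
-AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_ACCESS_KEY_ID=${{AWS_ACCESS_KEY_ID}}
 AWS_REGION=us-east-1
commit 1a1a1a1
Author: Jane Example <jane@example.invalid>
Date:   Mon Jun 29 12:00:00 2020 +0000

    add deploy config

diff --git a/deploy.env b/deploy.env
new file mode 100644
--- /dev/null
+++ b/deploy.env
@@ -0,0 +1,2 @@
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_REGION=us-east-1
"""

if __name__ == "__main__":
    found, gone = scan_git_log(SAMPLE_LOG)
    for line in report(found, gone):
        print(line)
```

Run against a real checkout by piping `git log -p --all` into `scan_git_log`. With the constructed log, the scanner reports the key added in `1a1a1a1` as deleted-but-recoverable, which is why a revoked key still warrants a notification; with `suppress_sops=False` the encrypted value in `3c3c3c3` would be reported too, which is the kind of false positive the first post describes.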

PierreTurnbull commented 4 years ago

I actually rendered my repository public today, so this makes sense. Thanks for the explanation.

consideRatio commented 4 years ago

For future reference, I still consider the report I got a false positive. I'm low on capacity to help debug it, but the repo it reacted on is still public, without action taken since I got the report.

It was renamed to neurohackademy/nh2020-jupyterhub though.