eth0izzle / shhgit

Ah shhgit! Find secrets in your code. Secrets detection for your GitHub, GitLab and Bitbucket repositories.
MIT License
3.83k stars, 481 forks

Watch GitHub issues for secrets #61

Closed eth0izzle closed 4 years ago

eth0izzle commented 4 years ago

I've found many secrets in GitHub issue comments, i.e. people copy-pasting their code asking for help without redacting the secrets/keys - you can even view comment history if they were later removed.

We can listen to the IssueCommentEvent to get a stream of real-time comments (https://docs.github.com/en/developers/webhooks-and-events/github-event-types#issuecommentevent) and process the comment key within the payload as if it were code (we would need to skip file path + extension checks).

nil0x42 commented 4 years ago

I agree, I've also found many leaks on user-posted issues.

eth0izzle commented 4 years ago

Fixed in the latest commit!
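The approach proposed in the opening comment, as an added example that is not shhgit's code or part of the original thread: it filters a decoded event feed for `IssueCommentEvent`, matches content signatures against `payload.comment.body` with no file path or extension test, and redacts the match in the finding. The names `sig`, `Finding`, `ScanEvents` and `sample`, the two signatures and the sample feed are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

type sig struct{ name string; re *regexp.Regexp }
type Finding struct{ Signature, URL, Redacted string } // Redacted keeps a 4-character prefix only

var signatures = []sig{ // illustrative content-only rules, assumed here; not shhgit's rule set
	{"AWS access key ID", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	{"Private key header", regexp.MustCompile(`-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----`)},
}

type event struct { // only the fields used from one GitHub events API entry
	Type    string `json:"type"`
	Payload struct {
		Comment struct {
			HTMLURL string `json:"html_url"`
			Body    string `json:"body"`
		} `json:"comment"`
	} `json:"payload"`
}

// ScanEvents treats comment bodies as code: no path or extension checks, content only.
func ScanEvents(raw []byte) (out []Finding, err error) {
	var events []event
	if err = json.Unmarshal(raw, &events); err != nil {
		return nil, err
	}
	for _, e := range events {
		if e.Type != "IssueCommentEvent" {
			continue
		}
		for _, s := range signatures {
			for _, m := range s.re.FindAllString(e.Payload.Comment.Body, -1) {
				out = append(out, Finding{s.name, e.Payload.Comment.HTMLURL, m[:4] + "[redacted]"})
			}
		}
	}
	return out, nil
}

// Constructed sample feed; the key is the example value from AWS documentation.
const sample = `[{"type":"WatchEvent","payload":{}},{"type":"IssueCommentEvent","payload":{"comment":{"html_url":"https://example.invalid/c/2","body":"same here"}}},
{"type":"IssueCommentEvent","payload":{"comment":{"html_url":"https://example.invalid/c/1","body":"fails: aws_key=AKIAIOSFODNN7EXAMPLE"}}}]`

func main() { fmt.Println(ScanEvents([]byte(sample))) }
```

Storing only the redacted prefix and the comment URL keeps the alert itself from becoming a second copy of the leaked credential.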