Posted by Joyce Ling
January 25, 2023
Recently, GitGuardian analyzed 2B commits and found that developers on public GitHub leak over 5,000 API keys or credentials every day. This includes numerous types of secrets, including API keys, database connection strings, private keys, certificates, and usernames and passwords. These leaks are far from harmless: many of them have led to breaches at companies such as Uber, Equifax, and Starbucks.
Using GitHub: Why or how do these breaches happen?
Public repositories on GitHub are available for anyone to access. Leaks often happen in public repositories, but they happen in private repositories, too.
Developers who are part of a private repository have associated personal accounts (which, by default, are public). It’s easy for developers to accidentally push confidential company information to their personal accounts. How easy is it? Well, according to the 2021 State of Secrets Sprawl report, 85% of leaks occur on developers’ personal repositories.
Once a secret has been pushed to a personal repository, the developer may not even be aware it is there. When they do realize the mistake, they often remediate it incorrectly, giving an attacker more time to move laterally and access sensitive information.
Why are developers pushing secrets to their GitHub repository?
Although encrypting secrets is best practice, it can be cumbersome for developers to constantly ‘wrap’ and ‘unwrap’ values securely. In order to work fast, developers often hard-code secrets directly or place them in files they rely on .gitignore to keep out of the repository. This makes it very easy for developers to accidentally push secrets to GitHub.
And, as mentioned above, developers don’t always remediate this mistake correctly, which means secrets stay exposed longer than they should be.
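The leak mechanism described above (a hard-coded key or connection string committed alongside code) can be caught before the push by scanning only the added lines of a commit. The following is an added example, not code from the original post and not GitGuardian's or Akeyless' detection logic; the credential patterns, the entropy threshold of 3.5 bits and the sample diff are all constructed assumptions for illustration (the AWS key in the sample is AWS' published documentation example value, not a live credential):

```python
import math
import re
from collections import Counter

# Illustrative patterns for well-known credential formats (assumptions, not any vendor's rules).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "db_connection_string": re.compile(
        r"\b(?:postgres|mysql|mongodb)(?:\+srv)?://[^:\s]+:[^@\s]+@", re.I
    ),
}
# Generic: a quoted string of 8+ chars assigned to a secret-looking variable name.
ASSIGNMENT = re.compile(
    r"\b\w*(?:api[_-]?key|secret|password|passwd|token)\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]", re.I
)
PLACEHOLDERS = {"changeme", "placeholder", "example"}


def shannon_entropy(s):
    """Bits of entropy per character; random-looking tokens score high, words score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value, keep=4):
    """Keep only the first/last few characters so findings don't re-leak the secret."""
    if len(value) <= keep * 2:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - 2 * keep) + value[-keep:]


def scan_line(line):
    """Return (rule, matched_text) findings for one line of source text."""
    findings = [(rule, m.group(0)) for rule, pat in PATTERNS.items() for m in pat.finditer(line)]
    for m in ASSIGNMENT.finditer(line):
        value = m.group(1)
        # Skip obvious placeholders and values injected at runtime (e.g. "${VAULT_TOKEN}").
        if value.lower() in PLACEHOLDERS or value.startswith("${"):
            continue
        if shannon_entropy(value) >= 3.5:
            findings.append(("high_entropy_assignment", value))
    return findings


def scan_diff(diff_text):
    """Scan only the added ('+') lines of a unified diff, as a pre-commit hook would."""
    results = []
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for rule, match in scan_line(line[1:]):
            results.append({"line": lineno, "rule": rule, "match": redact(match)})
    return results


# Constructed sample diff: a developer replaces an environment lookup with literals.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,6 @@
 import os
-AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+DB_URL = "postgres://app:s3cr3tPassw0rd@db.internal:5432/app"
+APP_SECRET_KEY = "x9Lq2vP7mRt4nWz8Yb3KdF6sHj1gUc5E"
+API_TOKEN = "${VAULT_INJECTED_TOKEN}"
+DEBUG_PASSWORD = "changeme"
"""

if __name__ == "__main__":
    for finding in scan_diff(SAMPLE_DIFF):
        print(f"line {finding['line']}: {finding['rule']} -> {finding['match']}")
```

Run as a pre-commit hook over `git diff --cached`, a scanner like this blocks the commit while the secret is still local; the placeholder and `${...}` exclusions are what keep it from flagging vault-injected values, which is the pattern the rest of this post argues for.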
Enforcing better secrets management in GitHub
To reduce the chances of leaking secrets, a better system has to be in place to store those secrets.
A secrets management vault is a central location where organizations can securely store passwords, tokens, and encryption keys. Although any vault with strong encryption capabilities will work, certain criteria can make these tools more “sticky” for developers to use.
There are several important criteria for a secrets management system that can protect you from secret leaks in GitHub repositories.
- Automated injection of secrets into the developer workflow for efficiency. A vault that stores secrets but doesn’t fit into the modern software development lifecycle is nearly useless. Find a vault that can inject secrets and work seamlessly with modern CI/CD tools.
- Ability to write “secrets-as-code” (e.g. Terraform) for scalability. Meet developers where they are with easily scalable secrets management using infrastructure as code software tools like Terraform.
- Out-of-the-box integrations that plug into an array of tools for ease-of-use. Use an API-first vault that does the heavy lifting for developers, so they can continue to use the tools that make their lives easier.
A good secrets management tool is not only secure enough to store mission-critical secrets, it also reduces friction for developers who use it.
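The "automated injection" criterion above has a concrete shape on the application side: the code never holds a literal, it resolves each secret at startup from wherever the vault injected it (an environment variable or a mounted file) and fails closed if the injection did not happen. The following is an added example and not Akeyless' SDK or any vault's API; the `/run/secrets` mount path, the lookup order and the sample values are constructed assumptions:

```python
import os
import tempfile
from pathlib import Path


class SecretValue:
    """Holds a secret but redacts it from str/repr/f-strings, so it can't be logged by accident."""

    __slots__ = ("name", "_value")

    def __init__(self, name, value):
        self.name = name
        self._value = value

    def reveal(self):
        # The only way to get the plaintext is an explicit call, which is easy to grep for.
        return self._value

    def __repr__(self):
        return f"SecretValue(name={self.name!r}, value=<redacted>)"

    __str__ = __repr__


def load_secret(name, env=None, mount_dir="/run/secrets"):
    """Resolve one secret from an injected env var, then from a mounted file; never from source.

    A missing secret raises rather than falling back to a default, so the gap is noticed
    immediately instead of being papered over with a hard-coded literal.
    """
    env = os.environ if env is None else env
    if env.get(name):
        return SecretValue(name, env[name])
    path = Path(mount_dir) / name  # assumed vault-agent mount layout: one file per secret
    if path.is_file():
        return SecretValue(name, path.read_text().strip())
    raise LookupError(f"secret {name!r} was not injected; refusing to start")


def require_secrets(names, env=None, mount_dir="/run/secrets"):
    """Load every secret the service needs and report all missing names at once."""
    found, missing = {}, []
    for name in names:
        try:
            found[name] = load_secret(name, env=env, mount_dir=mount_dir)
        except LookupError:
            missing.append(name)
    if missing:
        raise LookupError(f"missing injected secrets: {', '.join(missing)}")
    return found


def mounted_secret_demo():
    """Simulate a vault-agent file injection in a temp dir and load it (constructed sample)."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "DB_PASSWORD").write_text("file-provided-value\n")
        return load_secret("DB_PASSWORD", env={}, mount_dir=d).reveal()


if __name__ == "__main__":
    secrets = require_secrets(["DB_PASSWORD"], env={"DB_PASSWORD": "constructed-value"})
    print(secrets)  # prints the redacted wrapper, never the value
```

The point of the wrapper is that a secret which only ever exists as a `SecretValue` at runtime has no literal form that can be pasted into a config file and pushed; the scanner-friendly `${...}` or environment reference is all that lands in the repository.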
Akeyless is a comprehensive secrets management platform that combines advanced encryption capabilities with usability—in short, it’s a platform designed for developers. With a rapidly growing list of built-in integrations, compatibility with Terraform, automated injection of rotated and dynamic secrets, Akeyless integrates seamlessly into the developer workflow.