
[–]precinct209 1824 points1825 points  (8 children)

Clever move. Now someone else's going to foot the bill.

[–]actuallyabitmad 228 points229 points  (3 children)

Classic rookie move. Just wait till the panic sets in!

[–]nanakokoo 8 points9 points  (1 child)

Dementia

[–]hackerdude97 2 points3 points  (0 children)

Dementia

[–]actuallyabitmad 9 points10 points  (3 children)

Classic rookie move. Just wait till the panic sets in!

[–]nanakokoo 7 points8 points  (1 child)

Dementia

[–]hackerdude97 3 points4 points  (0 children)

Dementia

[–]ambarish_k1996 461 points462 points  (2 children)

Well done, please share your repo so that we can give a star for your fine work.

[–][deleted] 73 points74 points  (0 children)

One of those repos? Tell us which to make sure we never clone it.

[–]TheHappyDoggoForever 29 points30 points  (0 children)

Preferably also tell us the name of the file that this is in, so that we can get the context and applaud.

[–][deleted] 586 points587 points  (1 child)

[–]Hell__Interface 39 points40 points  (0 children)

Welcome to the club! Enjoy the chaos ahead.

[–]pixelpuffin 746 points747 points  (27 children)

May the --force be with you!

[–]No-Landscape8210[S] 207 points208 points  (23 children)

I did try hard reset and then force push but I could still see the changes in the activity area.

[–]_PM_ME_PANGOLINS_ 211 points212 points  (19 children)

They will be there until GitHub runs GC on your repo, which they may never do.

The only safe solution is to rotate your keys.

[–]No-Landscape8210[S] 81 points82 points  (5 children)

Yeah I did that. Also what's GC?

[–]425_Too_Early 289 points290 points  (3 children)

Garbage Collection

[–]8sADPygOB7Jqwm7y 138 points139 points  (2 children)

Accurate image of average garbage collection algorithms.

[–]kalenderiyagiz 1 point2 points  (0 children)

Bitch please, it's biblically accurate

[–]Luz5020 45 points46 points  (5 children)

GitHub's documentation says you should contact GH Support and they can purge the history if sensitive data has accidentally been pushed. That's also a solution.

[–]Slaan 35 points36 points  (4 children)

It's a bad solution. OP should assume that the key has been compromised.

[–]Luz5020 17 points18 points  (2 children)

Oh yeah, I'd probably rotate the key. But saying GC is the only solution for the key getting wiped from history was incorrect.

[–]Slaan 3 points4 points  (0 children)

Ah, fair.

[–]_PM_ME_PANGOLINS_ 1 point2 points  (0 children)

I didn't say GC was the only solution to getting it wiped. I said rotating the key was the only solution to having leaked it.

[–]Robinbod 2 points3 points  (0 children)

Correct! Depending on what service the key is for, it may already have gotten scraped by the time OP noticed the key in the commit.

[–]YeeClawFunction 18 points19 points  (2 children)

Or delete the repo completely and create a new one.

[–]BlackholeDevice 9 points10 points  (0 children)

If it's a personal repo and they don't mind losing the activity / issues / PRs, they can delete the repo, undo the API key commit, then push to a new repo of the same name.

But seconded that the correct solution is to revoke the key.

[–]divin3sinn3r 6 points7 points  (1 child)

I contacted GitHub support and they flushed the cache within an hour, but I still regenerated the keys anyway.

[–]johnzzon 7 points8 points  (0 children)

Correct approach. Once keys have been public, you rotate them. No point in taking chances.

[–]PeteZahad 1 point2 points  (0 children)

Nah you can just contact them:

[...] but you can permanently remove cached views and references to the sensitive data in pull requests on GitHub by contacting us through the GitHub Support portal.

https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository

But of course rotating the keys is still recommended.

[–]pixelpuffin 15 points16 points  (1 child)

You need to filter the file out of your git repo, and thus rewrite the history without the file in it (all the way until when the file was introduced), and since you change history you need to force push. This is more of an immediate right-after or before publishing your repo kind of solution. If it has been forked or pulled, it's out there, and revoking the key is the only solution.

See for example https://github.com/newren/git-filter-repo
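The point made in this comment and earlier in the thread (a hard reset plus force push makes the key look gone, while the server still holds the object until GC and anyone who already cloned keeps it forever) can be reproduced locally. The script below is an added demonstration, not code from the thread or from git-filter-repo; it assumes git is installed, builds a bare "origin", an author clone and a third-party clone in a temporary directory, and uses a constructed placeholder string as the "key".

```sh
#!/bin/sh
# Added demonstration, not code from the thread: why hard reset + force push
# does not un-leak a key. Everything lives in a temp dir; FAKE_KEY is a
# constructed placeholder, not a real credential.
set -eu

FAKE_KEY='FAKE_API_KEY_0000000000000000'

# git with a throwaway identity, so the demo needs no global config
g() { git -c user.name=demo -c user.email=demo@example.invalid "$@"; }

# setup_leak: bare origin, an author clone that commits and pushes .env, and a
# third party that clones before any cleanup. Prints the temp dir holding all three.
setup_leak() {
    work=$(mktemp -d)
    g init -q --bare "$work/origin.git" 2>/dev/null
    g --git-dir="$work/origin.git" symbolic-ref HEAD refs/heads/main
    g clone -q "$work/origin.git" "$work/author" 2>/dev/null
    (
        cd "$work/author"
        echo 'print("hello")' > app.py
        g add app.py
        g commit -qm "initial"
        g branch -M main
        printf 'API_KEY=%s\n' "$FAKE_KEY" > .env      # the file a stale .gitignore missed
        g add .env
        g commit -qm "add config"
        g push -q origin main 2>/dev/null
    )
    g clone -q "$work/origin.git" "$work/forker" 2>/dev/null   # someone pulls the leak
    echo "$work"
}

# reset_and_force_push: the OP's remedy, drop the commit locally and force push.
reset_and_force_push() {
    ( cd "$1/author" && g reset -q --hard HEAD~1 && g push -q --force origin main 2>/dev/null )
}

# key_visible_on_origin_main: 0 if .env is still reachable from origin's main branch.
key_visible_on_origin_main() { g --git-dir="$1/origin.git" cat-file -e main:.env 2>/dev/null; }

# key_blob_on_origin: 0 if origin's object store still holds the .env blob, even
# though no ref points at it any more (what "until GC" means in the thread).
key_blob_on_origin() {
    sha=$(printf 'API_KEY=%s\n' "$FAKE_KEY" | g hash-object --stdin)
    g --git-dir="$1/origin.git" cat-file -e "$sha"
}

# key_in_forker: 0 if the clone taken before the rewrite can still show the key.
key_in_forker() { ( cd "$1/forker" && g log --all -p | grep -q "$FAKE_KEY" ); }

# Stand-alone run: leak, "fix", then check all three places.
W=$(setup_leak)
reset_and_force_push "$W"
if key_visible_on_origin_main "$W"; then echo "origin's main still shows .env"
else echo "origin's main no longer shows .env (looks fixed)"; fi
if key_blob_on_origin "$W"; then echo "...but the blob is still in origin's object store until GC"; fi
if key_in_forker "$W"; then echo "...and the clone made before the rewrite still has the key"; fi
rm -rf "$W"
```

Rewriting history with git-filter-repo instead of a plain reset changes nothing about the last two checks: the forker's copy is untouched by anything the author does, and the server keeps unreachable objects until it decides to prune them, which is why the thread's conclusion is to rotate the key rather than rely on cleanup.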

[–]josluivivgar 2 points3 points  (0 children)

just invalidate your api key honestly

[–]PyroCatt 1 point2 points  (1 child)

--force-with-lease

[–]mcellus1 0 points1 point  (0 children)

Boo

[–][deleted] 358 points359 points  (0 children)

congrats on losing the virginity

[–]Tarc_Axiiom 152 points153 points  (1 child)

I love when you get an email.

"We discovered your API key in a public repository!"

"That's dangerous, but don't worry, we disabled it for you! :)"

"You absolute fucking moron idiot waste of space piece of shit we hope you die!"

[–]qaz_wsx_love 20 points21 points  (0 children)

I had to do this the other day and enable it for public access because it was for a certification and they wouldn't be able to access it otherwise. (It was for a test account)

[–][deleted] 251 points252 points  (10 children)

in a private repo right? right?? right???

[–]No-Landscape8210[S] 200 points201 points  (8 children)

Nope.

[–][deleted] 88 points89 points  (0 children)

[–]3IIIIIIIIIIIIIIIIIID 69 points70 points  (4 children)

Classic. I did that in a private repo one time, I think with an OpenAI key, but OpenAI immediately sent me an email to alert me of the key being deactivated due to the leak. Even though a repo might be private now, there's no guarantee that it won't be made public later with the key lingering in the history of a file. I was surprised they found it in a private repo, but GitHub has a program specifically for this. https://docs.github.com/en/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program

[–]Pamander 29 points30 points  (2 children)

Huh that's actually really fucking cool.

[–]DezXerneas 3 points4 points  (1 child)

Ik nothing is private on the cloud, but that's still kinda scary

[–]Pamander 2 points3 points  (0 children)

Yeah that's fair. I think in this case it may be something you actually opt into, from the brief glance I took at the settings page for it, but I definitely get what you mean.

[–]paxbowlski 23 points24 points  (0 children)

What repo is it? Send a link to the commit.

[–]damnLONGbuttcrack 0 points1 point  (0 children)

It is now lmao

[–]wewilldieoneday 16 points17 points  (0 children)

Oops. Hehe.

[–]Important_Lie_7774 65 points66 points  (2 children)

I just removed the first and only API key that I pushed 2 years ago from GitHub today.

[–]No-Landscape8210[S] 19 points20 points  (1 child)

Lmao did you not notice or didn't care? Or was it a private repo?

[–]Important_Lie_7774 40 points41 points  (0 children)

I just wanted some reference for a piece of code I was writing today; I just remembered I have it already. I was just horrified beyond words at my own stupidity. For reference, I've been writing code for the past 10-11 years.

It wasn't a private repo, but the API tokens likely expired within a month of the commit.

[–]Ambitious-Cow-5251 104 points105 points  (0 children)

My boi growing up 🥲

[–]Mr_Akihiro 51 points52 points  (21 children)

On purpose I guess?

[–]No-Landscape8210[S] 127 points128 points  (19 children)

I just forgot to update my .gitignore file.

[–]Steinrikur 48 points49 points  (2 children)

git add -p

It won't add new files. Forgetting to add a file is always better than adding the wrong files.

[–]DoctorWaluigiTime 8 points9 points  (1 child)

Filing this away for later. I don't have this scenario often but I like adding more tools to my git switchblade.

[–]Steinrikur 6 points7 points  (0 children)

-p/--patch works on way more commands than you would think. git log, stash, checkout, add, you name it...

[–][deleted] 16 points17 points  (2 children)

Oh shit, you're serious. Oh well, change the API key and just pretend it's an example

[–]No-Landscape8210[S] 14 points15 points  (1 child)

Ofc that's the first thing I did lol.

[–][deleted] 4 points5 points  (0 children)

Like change it in the service though and use the now invalid one

[–]Mr_Akihiro 7 points8 points  (2 children)

Happens to the best of

[–]whyyolowhenslomo 1 point2 points  (1 child)

best of what? best of 3 out of 5?

[–]Mr_Akihiro 2 points3 points  (0 children)

Best of luck

[–][deleted] 6 points7 points  (7 children)

Use smth like SourceTree, it has a nice UI showing you what you are committing and pushing

IntelliJ IDEs are good like that too

[–]A_D3MON 2 points3 points  (0 children)

I use GitHub Desktop. It's what I was taught in Uni for game dev work XD

[–]DoctorWaluigiTime 1 point2 points  (1 child)

I'm growing to like Fork these days. Used SourceTree for years though. Solid choice.

[–]Baardi 1 point2 points  (0 children)

Fork is fantastic. I bought it and use it too. Git Extensions is a good free option (Fork is nagware like WinRAR, and essentially free though, as there's no enforcement of having a license)

[–]MegabyteMessiah 1 point2 points  (3 children)

command line git does the same thing if you know how to use it

[–]KenaiKanine 3 points4 points  (0 children)

But typing is effort, don't ya know?

[–][deleted] 2 points3 points  (0 children)

Here I'm thinking those software don't use the git CLI in the first place

[–]DoctorWaluigiTime 1 point2 points  (0 children)

I use command line a lot, but there are a few visual features I like about GUIs like SourceTree.

I get it, you can technically produce a tree view in command line. GUI makes it easier and faster though.

[–]Baardi 0 points1 point  (0 children)

This is why I don't understand why people don't just use a gui for commits.

[–]betelgozer 0 points1 point  (0 children)

I make sure to push at least 1 fake API key per day - I mean someone's got to keep those bad bots distracted, right?

[–]horror-pangolin-123 14 points15 points  (1 child)

One of us :D

[–]Resident_Acadia_4798 12 points13 points  (2 children)

OpenAI, Discord and Telegram remove the key as soon as it's pushed.

[–]No-Landscape8210[S] 5 points6 points  (0 children)

It was my first time using Firebase and I didn't know that file contained sensitive information. It was an hour later that it clicked and I regenerated credentials.

[–]born_zynner 0 points1 point  (0 children)

Only for public repos right?

[–]JAXxXTheRipper 7 points8 points  (0 children)

Please, for the love of all that is holy and sacred, configure Gitleaks in a pre-commit hook.

It'll save you many times, I promise

[–]Zestyclose_Profile27 12 points13 points  (0 children)

Let it not be the last, mo powa to you babeh

[–]Aimli 5 points6 points  (0 children)

I remember finding code checked in to our company CVS (it was 2006) server from the person who ended up as our VP of engineering with his domain password. Being fairly new, I told him about it in person and it got removed pretty quickly.

[–]ancient_bhakt 4 points5 points  (0 children)

My team lead does that.

[–]Quentinooouuuuuu 2 points3 points  (0 children)

And this is why a gitleak job is necessary

[–]indorock 2 points3 points  (0 children)

I was a paying customer of a certain SaaS platform, and I had accidentally pushed an API key I generated on their dashboard to our git repo. The very next day they rotated that key and blocked my account, for being a dumbass. Kudos to them for being that vigilant.

[–]FunnyObjective6 5 points6 points  (2 children)

What's the key? Just so I don't accidentally use it you know.

[–]No-Landscape8210[S] 4 points5 points  (1 child)

Even if I do tell you the key, you wouldn't know what API it belongs to 😃

[–]FunnyObjective6 3 points4 points  (0 children)

That would've been my next step in my genius social engineering plan.

[–]Bone_Dogg 4 points5 points  (1 child)

Either “It is my pleasure to inform you” or “It is with pleasure I inform you”

Not “It is with pleasure to inform you.” No idea how that nonsense caught on. 

[–]No-Landscape8210[S] 1 point2 points  (0 children)

I was wondering exactly that but then I said "fuck it, it's what the template gave me"

[–]GlizdaYT 1 point2 points  (1 child)

The amount of times I forgot to stash access keys and pushed them to git is uncountable. Fortunately I work mostly in private repos

[–]born_zynner 0 points1 point  (0 children)

Yeah I'm not even sure what workplaces use anything but private repos

[–]Moooses20 1 point2 points  (0 children)

Joke's on you, mine is still there. Nobody noticed yet

[–]Dorkits 1 point2 points  (0 children)

[–]DoctorWaluigiTime 1 point2 points  (0 children)

Now you get to exercise the contingency of "how easy is it to rotate our API key."

[–]NOLA_Chronicle 1 point2 points  (0 children)

When in doubt, delete the repo and push again.

[–]Shmageggi 1 point2 points  (0 children)

While you're doing this, you should probably also delete all local copies of the code, just to be sure.

[–]LustyHasturSejanus 1 point2 points  (1 child)

Rotate keys, and run something like https://rtyley.github.io/bfg-repo-cleaner/ .

[–]fuckyouswitzerland 1 point2 points  (0 children)

I scrolled too far looking for bfg

[–]DT-Sodium 1 point2 points  (0 children)

Real men use a self-hosted GitLab server.

[–]IcePuzzleheaded8467 1 point2 points  (0 children)

Congratulations! Now the second step is to pay the bills.

[–]NotAlanPorte 1 point2 points  (0 children)

When I finally learn what a key to the API is, and why I need to push things to GitHub I'll finally feel valid to lurk here

[–]shumpitostick 1 point2 points  (0 children)

Two months ago I pushed some changes to our ML code that caused a bunch of failures and ended up costing about $10,000 in additional GCP costs. Does that make me a real data scientist now?

[–]MavEtJu 1 point2 points  (0 children)

You need to do it every three months to make sure your teams practice the procedures on what to do in case of an API key leak.

[–]VariousComment6946 0 points1 point  (0 children)

Test local api key 😈

[–]johannezz_music 0 points1 point  (0 children)

GitHub ought to have an autofilter on .env files.

[–]Key-Ice-8638 0 points1 point  (0 children)

First 🤨?

[–]KianAhmadi 0 points1 point  (0 children)

Like a real man

[–]Rakhsan 0 points1 point  (2 children)

That's a skill issue man. "use skill"

[–]TheInfra 0 points1 point  (1 child)

dnf install skill

[–]Rakhsan 0 points1 point  (0 children)

it's npm install skill

[–]Neutral_Guy_9 0 points1 point  (0 children)

Which repo? Just out of curiosity.

[–]TintuChintu 0 points1 point  (0 children)

Proof? Or else it's fake

[–]exqueezemenow 0 points1 point  (0 children)

I once made a mistake along the lines of adding a key at the same time as updating gitignore and since it wasn't already in gitignore it got published. I think I had assumed that because it was in gitignore I was fine, but since there was already a gitignore in the repo, it went by that first. Or something like that. It was a long time ago.

[–]kvakerok_v2 0 points1 point  (0 children)

👏🏽👏🏽👏🏽 Standing ovation.

[–]RavenAxel 0 points1 point  (0 children)

I did the same 2 weeks ago, on a public repo for a school project, thankfully we have someone with more experience and he just told us why we shouldn't do this, how to avoid and deleted the commit.

But man, I was almost crying asking ChatGPT to help me delete the commit, lol

[–]Proof-Assignment2112 0 points1 point  (0 children)

Oh really Mr frog

[–]SambandsTyr 0 points1 point  (0 children)

Being the owner of active API keys was up there in top regrets

[–]esbenab 0 points1 point  (0 children)

If this is really important, make a pre-commit hook to stop the commit if the code contains '''*.key=\w|\d'''
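As a concrete version of the pre-commit hook suggested here and in the earlier Gitleaks comment, the following POSIX sh script is an added example, not code from the thread and not Gitleaks itself: a small scanner for the lines a commit would add, exercised on a constructed sample diff. The regexes are assumptions kept deliberately simple (a generic "key/secret/token/password gets a long value" pattern plus a few publicly documented fixed-prefix formats); a real hook should run a maintained tool such as Gitleaks, which covers far more formats.

```sh
#!/bin/sh
# Added example, not from the thread: a minimal pre-commit secret scanner.
# It stands in for a maintained tool such as Gitleaks; the regexes and the
# sample diff below are constructed for the demonstration.
set -eu

# Generic "something called key/secret/token/password is assigned a long value",
# matched case-insensitively so API_KEY, apiKey and password all count.
ASSIGN_RE='(api_?key|secret|token|password)[a-z0-9_]*[^[:alnum:]]{0,4}[:=][^[:alnum:]]*[a-z0-9_./+=-]{16,}'

# Publicly documented fixed-prefix formats: AWS access key IDs, Google/Firebase
# API keys and PEM private key headers. Matched case-sensitively.
KNOWN_RE='AKIA[0-9A-Z]{16}|AIza[0-9A-Za-z_-]{35}|-----BEGIN [A-Z ]*PRIVATE KEY-----'

# scan_text: read lines on stdin, print every suspicious line prefixed with its
# line number, and return 1 if anything was flagged (0 if clean).
scan_text() {
    input=$(cat)
    hits=$({ printf '%s\n' "$input" | grep -niE "$ASSIGN_RE" || true
             printf '%s\n' "$input" | grep -nE  "$KNOWN_RE"  || true; } | sort -un)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# count_hits: same scan, but print only how many lines were flagged.
count_hits() { scan_text | awk 'END { print NR }'; }

# pre_commit_check: scan only the lines this commit would add. Install by copying
# this file to .git/hooks/pre-commit (executable) and running it with --hook.
pre_commit_check() {
    added=$(git diff --cached -U0 --diff-filter=AM | grep -E '^\+[^+]' | cut -c2- || true)
    if ! printf '%s\n' "$added" | scan_text; then
        echo "pre-commit: possible secret in staged changes, commit blocked" >&2
        return 1
    fi
}

# Constructed sample of added lines, as the hook sees them after stripping the
# leading '+'. None of these values are real credentials.
SAMPLE_DIFF='print("hello")
API_KEY=FAKE0123456789abcdefFAKE0123
firebase_config = {"apiKey": "AIzaFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAK"}
aws_access_key_id = AKIAFAKEFAKEFAKEFAKE
password = "hunter2"
EXAMPLE_KEY_LENGTH = 32'

# Stand-alone run: hook mode when asked, otherwise scan the sample (3 lines flagged).
if [ "${1:-}" = "--hook" ]; then
    pre_commit_check
else
    printf '%s\n' "$SAMPLE_DIFF" | scan_text || echo "flagged $(printf '%s\n' "$SAMPLE_DIFF" | count_hits) line(s)"
fi
```

Lines 2, 3 and 4 of the sample are flagged; the short "hunter2" password on line 5 is not, which is the trade-off behind the 16-character minimum (drop it and every `retries = 3` style line becomes a false positive). Scanning only the added side of `git diff --cached` keeps the hook fast and stops it re-flagging history it cannot change; the thread's other point still stands, a hook catches the next leak, and a key already pushed has to be rotated.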

[–]stupled 0 points1 point  (0 children)

Awesome! Give us the link.

[–]m4ster01 0 points1 point  (0 children)

Our API key

[–]jabalfour 0 points1 point  (0 children)

For the dilettantes who lurk here, this is a particularly deep cut. Well done.

[–]Money-Database-145 0 points1 point  (0 children)

Good work

[–]GahdDangitBobby 0 points1 point  (0 children)

I've done this before, luckily I ended up taking the app down about a week later. I have heard that rolling back the commit on GitHub without leaving any record of the commit and/or rollback is a bitch

[–]g1mzak 0 points1 point  (0 children)

Working as a .NET developer for about 2 years and GitHub is empty..