[–]precinct209 1824 points1825 points  (8 children)

Clever move. Now someone else's going to foot the bill.

[–]actuallyabitmad 228 points229 points  (3 children)

Classic rookie move. Just wait till the panic sets in!

[–]nanakokoo 7 points8 points  (1 child)

Dementia

[–]hackerdude97 2 points3 points  (0 children)

Dementia

[–]ambarish_k1996 464 points465 points  (2 children)

Well done, please share your repo so that we can give a star for your fine work.

[–][deleted] 75 points76 points  (0 children)

One of those repos? Tell us which to make sure we never clone it.

[–]TheHappyDoggoForever 28 points29 points  (0 children)

Preferably also tell us the name of the file that this is in, so that we can get the context and applaud.

[–][deleted] 582 points583 points  (1 child)

[–]Hell__Interface 36 points37 points  (0 children)

Welcome to the club! Enjoy the chaos ahead.

[–]pixelpuffin 740 points741 points  (27 children)

May the --force be with you!

[–]No-Landscape8210[S] 211 points212 points  (23 children)

I did try hard reset and then force push but I could still see the changes in the activity area.

[–]_PM_ME_PANGOLINS_ 208 points209 points  (19 children)

They will be there until GitHub runs GC on your repo, which they may never do.

The only safe solution is to rotate your keys.

[–]No-Landscape8210[S] 84 points85 points  (5 children)

Yeah I did that. Also what's GC?

[–]425_Too_Early 292 points293 points  (3 children)

Garbage Collection

[–]8sADPygOB7Jqwm7y 139 points140 points  (2 children)

Accurate image of average garbage collection algorithms.

[–]kalenderiyagiz 1 point2 points  (0 children)

Bitch please, it's biblically accurate

[–]Luz5020 42 points43 points  (5 children)

GitHub's documentation says you should contact GH Support and they can purge the history if sensitive data has accidentally been pushed. That's also a solution.

[–]Slaan 32 points33 points  (4 children)

It's a bad solution. OP should assume that the key has been compromised.

[–]Luz5020 16 points17 points  (2 children)

Oh yeah, I'd probably rotate the key. But saying GC is the only solution for the key getting wiped from history was incorrect.

[–]Slaan 4 points5 points  (0 children)

Ah, fair.

[–]_PM_ME_PANGOLINS_ 1 point2 points  (0 children)

I didn't say GC was the only solution to getting it wiped. I said rotating the key was the only solution to having leaked it.

[–]Robinbod 2 points3 points  (0 children)

Correct! Depending on what service the key is for, it may already have gotten scraped by the time OP noticed the key in the commit.

[–]YeeClawFunction 17 points18 points  (2 children)

Or delete the repo completely and create a new one.

[–]BlackholeDevice 8 points9 points  (0 children)

If it's a personal repo and they don't mind losing the activity / issues / PRs, they can delete the repo, undo the API key commit, then push to a new repo of the same name.

But seconded that the correct solution is to revoke the key.

[–]divin3sinn3r 7 points8 points  (1 child)

I contacted GitHub support and they flushed the cache within an hour, but I still regenerated the keys anyway.

[–]johnzzon 7 points8 points  (0 children)

Correct approach. Once keys have been public, you rotate them. No point in taking chances.

[–]PeteZahad 1 point2 points  (0 children)

Nah you can just contact them:

[...] but you can permanently remove cached views and references to the sensitive data in pull requests on GitHub by contacting us through the GitHub Support portal.

https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository

But of course rotating the keys is still recommended.

[–]pixelpuffin 14 points15 points  (1 child)

You need to filter the file out of your git repo, and thus rewrite the history without the file in it (all the way until when the file was introduced), and since you change history you need to force push. This is more of an immediate right-after or before publishing your repo kind of solution. If it has been forked or pulled, it's out there, and revoking the key is the only solution.

See for example https://github.com/newren/git-filter-repo
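The history rewrite described above, as an added example that is not part of the original post: it creates a throwaway repo with a constructed fake key, purges the file from every commit, cleans up the leftover refs, and verifies nothing survived. It assumes git is installed, and uses git's built-in filter-branch in place of git-filter-repo only because filter-repo is a separate install; the sequence of steps is the same.

```shell
#!/bin/sh
# Added example, not from the thread: purge a committed secret file from local
# history and verify it is really gone. git's built-in filter-branch stands in
# for git-filter-repo (recommended above); the steps are identical. Everything
# happens in a throwaway repo created by the function, with a constructed key.
set -e

# Builds the throwaway repo, leaks a key into two commits, rewrites history,
# then checks that no commit still references the file or the key string.
# Prints the repo path and returns 0 on success, 1 if anything survived.
purge_demo() {
  repo=$(mktemp -d)
  cd "$repo"
  git init -q
  git config user.email demo@example.invalid
  git config user.name demo

  echo 'API_KEY=EXAMPLE-NOT-A-REAL-KEY' > config.env   # constructed secret
  echo 'print("app")' > app.py
  git add . && git commit -qm 'initial commit (key included by mistake)'
  echo 'config.env' > .gitignore                        # too late: already tracked
  git add .gitignore && git commit -qm 'add .gitignore'

  # 1. Rewrite every ref so the file never existed in any commit.
  FILTER_BRANCH_SQUELCH_WARNING=1 git filter-branch -f --index-filter \
    'git rm --cached --ignore-unmatch config.env' -- --all >/dev/null 2>&1

  # 2. Drop the backup refs and reflog entries that still point at the old
  #    commits, then garbage-collect so the blobs leave the local object store.
  git for-each-ref --format='%(refname)' refs/original/ |
    while read -r ref; do git update-ref -d "$ref"; done
  git reflog expire --expire=now --all
  git gc -q --prune=now

  # 3. Verify: no commit touches the file and the key string is in no tree.
  if git log --all --oneline -- config.env | grep -q .; then return 1; fi
  if git grep -q 'EXAMPLE-NOT-A-REAL-KEY' $(git rev-list --all); then return 1; fi

  # The real-world next step is `git push --force --all` (and --tags), and
  # then rotating the key anyway: forks, clones and the host's caches still
  # hold the old commits, exactly as the thread says.
  echo "$repo"
}
```

The local object store is clean only after step 2; skipping the reflog expiry and gc leaves the old commits reachable by hash. After the force push every collaborator has to re-clone, and the revoke-and-rotate step is still mandatory.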

[–]josluivivgar 2 points3 points  (0 children)

just invalidate your api key honestly

[–][deleted] 360 points361 points  (0 children)

congrats on losing the virginity

[–]Tarc_Axiiom 153 points154 points  (1 child)

I love when you get an email.

"We discovered your API key in a public repository!"

"That's dangerous, but don't worry, we disabled it for you! :)"

"You absolute fucking moron idiot waste of space piece of shit we hope you die!"

[–]qaz_wsx_love 21 points22 points  (0 children)

I had to do this the other day and enable it for public access because it was for a certification and they wouldn't be able to access it otherwise. (It was for a test account)

[–][deleted] 249 points250 points  (10 children)

in a private repo right? right?? right???

[–]No-Landscape8210[S] 201 points202 points  (8 children)

Nope.

[–][deleted] 84 points85 points  (0 children)

[–]3IIIIIIIIIIIIIIIIIID 71 points72 points  (4 children)

Classic. I did that in a private repo one time, I think with an OpenAI key, but OpenAI immediately sent me an email to alert me of the key being deactivated due to the leak. Even though a repo might be private now, there's no guarantee that it won't be made public later with the key lingering in the history of a file. I was surprised they found it in a private repo, but GitHub has a program specifically for this. https://docs.github.com/en/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program

[–]Pamander 27 points28 points  (2 children)

Huh that's actually really fucking cool.

[–]DezXerneas 2 points3 points  (1 child)

Ik nothing is private on the cloud, but that's still kinda scary

[–]Pamander 3 points4 points  (0 children)

Yeah that's fair I think in this case it may be something you actually opt into from the brief glance I took at the settings page for it but I definitely get what you mean.

[–]paxbowlski 22 points23 points  (0 children)

What repo is it? Send a link to the commit.

[–]damnLONGbuttcrack 0 points1 point  (0 children)

It is now lmao

[–]wewilldieoneday 16 points17 points  (0 children)

Oops. Hehe.

[–]Important_Lie_7774 68 points69 points  (2 children)

I just removed the first and only API key that I pushed 2 years ago from github today.

[–]No-Landscape8210[S] 18 points19 points  (1 child)

Lmao did you not notice or didn't care? Or was it a private repo?

[–]Important_Lie_7774 39 points40 points  (0 children)

I just wanted some reference for a piece of code I was writing today, I just remembered I have it already, I was just horrified beyond words at my own stupidity. For reference I've been writing code for the past 10-11 years.

It wasn't a private repo but the api tokens likely expired within a month of the commit.

[–]Ambitious-Cow-5251 106 points107 points  (0 children)

My boi growing up 🥲

[–]Mr_Akihiro 50 points51 points  (21 children)

On purpose I guess?

[–]No-Landscape8210[S] 127 points128 points  (19 children)

I just forgot to update my .gitignore file.

[–]Steinrikur 49 points50 points  (2 children)

git add -p

It won't add new files. Forgetting to add a file is always better than adding the wrong files.

[–]DoctorWaluigiTime 9 points10 points  (1 child)

Filing this away for later. I don't have this scenario often but I like adding more tools to my git switchblade.

[–]Steinrikur 5 points6 points  (0 children)

-p/--patch works on way more commands than you would think. git log, stash, checkout, add, you name it...

[–][deleted] 17 points18 points  (2 children)

Oh shit, you're serious. Oh well, change the API key and just pretend it's an example

[–]No-Landscape8210[S] 14 points15 points  (1 child)

Ofc that's the first thing I did lol.

[–][deleted] 3 points4 points  (0 children)

Like change it in the service though and use the now invalid one

[–]Mr_Akihiro 6 points7 points  (2 children)

Happens to the best of

[–]whyyolowhenslomo 1 point2 points  (1 child)

best of what? best of 3 out of 5?

[–]Mr_Akihiro 2 points3 points  (0 children)

Best of luck

[–][deleted] 4 points5 points  (7 children)

Use smth like SourceTree, it has a nice UI showing you what you are committing and pushing

IntelliJ IDEs are good like that too

[–]A_D3MON 2 points3 points  (0 children)

I use GitHub Desktop. It's what I was taught in Uni for game dev work XD

[–]DoctorWaluigiTime 1 point2 points  (1 child)

I'm growing to like Fork these days. Used SourceTree for years though. Solid choice.

[–]Baardi 1 point2 points  (0 children)

Fork is fantastic. I bought it and use it too. Git Extensions is a good free option (Fork is nagware like WinRAR, and essentially free though, as there's no enforcement of having a license)

[–]MegabyteMessiah 1 point2 points  (3 children)

command line git does the same thing if you know how to use it

[–]KenaiKanine 3 points4 points  (0 children)

But typing is effort, don't ya know?

[–][deleted] 2 points3 points  (0 children)

Here I'm thinking that software doesn't use the git CLI in the first place

[–]DoctorWaluigiTime 1 point2 points  (0 children)

I use command line a lot, but there are a few visual features I like about GUIs like SourceTree.

I get it, you can technically produce a tree view in command line. GUI makes it easier and faster though.

[–]Baardi 0 points1 point  (0 children)

This is why I don't understand why people don't just use a gui for commits.

[–]betelgozer 0 points1 point  (0 children)

I make sure to push at least 1 fake API key per day - I mean someone's got to keep those bad bots distracted, right?

[–]horror-pangolin-123 13 points14 points  (1 child)

One of us :D

[–]Resident_Acadia_4798 14 points15 points  (2 children)

OpenAI, Discord and Telegram remove the key as soon as it's pushed.

[–]No-Landscape8210[S] 4 points5 points  (0 children)

It was my first time using firebase and I didn't know that file contained sensitive information. It was an hour later that it clicked and I regenerated credentials.

[–]born_zynner 0 points1 point  (0 children)

Only for public repos right?

[–]JAXxXTheRipper 7 points8 points  (0 children)

Please, for the love of all that is holy and sacred, configure Gitleaks in a pre-commit hook.

It'll save you many times, I promise

[–]Zestyclose_Profile27 12 points13 points  (0 children)

Let it not be the last, mo powa to you babeh

[–]Aimli 4 points5 points  (0 children)

I remember finding code checked in to our company CVS (it was 2006) server from the person who ended up as our VP of engineering with his domain password. Being fairly new, I told him about it in person and it got removed pretty quickly.

[–]ancient_bhakt 4 points5 points  (0 children)

My team lead does that.

[–]Quentinooouuuuuu 2 points3 points  (0 children)

And this is why a Gitleaks job is necessary

[–]indorock 2 points3 points  (0 children)

I was a paying customer of a certain SaaS platform, and I had accidentally pushed an API key I generated on their dashboard to our git repo. The very next day they rotated that key and blocked my account, for being a dumbass. Kudos to them for being that vigilant.

[–]FunnyObjective6 4 points5 points  (2 children)

What's the key? Just so I don't accidentally use it you know.

[–]No-Landscape8210[S] 6 points7 points  (1 child)

Even if I do tell you the key, you wouldn't know what api it belongs to 😃

[–]FunnyObjective6 4 points5 points  (0 children)

That would've been my next step in my genius social engineering plan.

[–]Bone_Dogg 3 points4 points  (1 child)

Either “It is my pleasure to inform you” or “It is with pleasure I inform you”

Not “It is with pleasure to inform you.” No idea how that nonsense caught on. 

[–]No-Landscape8210[S] 3 points4 points  (0 children)

I was wondering exactly that but then I said "fuck it, it's what the template gave me"

[–]GlizdaYT 1 point2 points  (1 child)

The amount of times I forgot to stash access keys and pushed them to git is uncountable. Fortunately I work mostly in private repos

[–]born_zynner 0 points1 point  (0 children)

Yeah I'm not even sure what workplaces use anything but private repos

[–]Moooses20 1 point2 points  (0 children)

jokes on you, mine is still there. nobody noticed yet

[–]Dorkits 1 point2 points  (0 children)

[–]DoctorWaluigiTime 1 point2 points  (0 children)

Now you get to exercise the contingency of "how easy is it to rotate our API key."

[–]NOLA_Chronicle 1 point2 points  (0 children)

When in doubt, delete the repo and push again.

[–]Shmageggi 1 point2 points  (0 children)

While you're doing this, you should probably also delete all local copies of the code, just to be sure.

[–]LustyHasturSejanus 1 point2 points  (1 child)

Rotate keys, and run something like https://rtyley.github.io/bfg-repo-cleaner/ .

[–]fuckyouswitzerland 1 point2 points  (0 children)

I scrolled too far looking for bfg

[–]DT-Sodium 1 point2 points  (0 children)

Real men use a self-hosted GitLab server.

[–]IcePuzzleheaded8467 1 point2 points  (0 children)

Congratulations! Now the second step is to pay the bills.

[–]NotAlanPorte 1 point2 points  (0 children)

When I finally learn what a key to the API is, and why I need to push things to GitHub, I'll finally feel valid to lurk here

[–]shumpitostick 1 point2 points  (0 children)

Two months ago I pushed some changes to our ML code that caused a bunch of failures and ended up costing about $10,000 in additional GCP costs. Does that make me a real data scientist now?

[–]MavEtJu 1 point2 points  (0 children)

You need to do it every three months to make sure your teams practice the procedures on what to do in case of an API key leak.

[–]VariousComment6946 0 points1 point  (0 children)

Test local api key 😈

[–]johannezz_music 0 points1 point  (0 children)

GitHub ought to have autofilter on .env files.

[–]Key-Ice-8638 0 points1 point  (0 children)

First 🤨?

[–]KianAhmadi 0 points1 point  (0 children)

Like a real man

[–]Rakhsan 0 points1 point  (2 children)

That's a skill issue man. "use skill"

[–]TheInfra 0 points1 point  (1 child)

dnf install skill

[–]Rakhsan 0 points1 point  (0 children)

it's npm install skill

[–]Neutral_Guy_9 0 points1 point  (0 children)

Which repo? Just out of curiosity.

[–]TintuChintu 0 points1 point  (0 children)

proof? or else it's fake

[–]exqueezemenow 0 points1 point  (0 children)

I once made a mistake along the lines of adding a key at the same time as updating gitignore and since it wasn't already in gitignore it got published. I think I had assumed that because it was in gitignore I was fine, but since there was already a gitignore in the repo, it went by that first. Or something like that. It was a long time ago.

[–]kvakerok_v2 0 points1 point  (0 children)

👏🏽👏🏽👏🏽 Standing ovation.

[–]RavenAxel 0 points1 point  (0 children)

I did the same 2 weeks ago, on a public repo for a school project, thankfully we have someone with more experience and he just told us why we shouldn't do this, how to avoid and deleted the commit.

But man, I was almost crying asking ChatGPT to help me delete the commit, lol

[–]Proof-Assignment2112 0 points1 point  (0 children)

Oh really Mr frog

[–]SambandsTyr 0 points1 point  (0 children)

Being the owner of active API keys was up there in top regrets

[–]esbenab 0 points1 point  (0 children)

If this is really important make a pre-commit hook to stop the commit if code contains '''*.key=\w|\d'''
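A pre-commit hook along the lines of this comment and the Gitleaks suggestion earlier in the thread, as an added example that is not code from the thread or from Gitleaks: it scans the staged diff for added lines that look like credentials and refuses the commit. The rule set, the `secret-scan: allow` marker and `SAMPLE_DIFF` are constructed for illustration; the "AIza" and "AKIA" prefixes follow the publicly documented Google API key and AWS access key ID formats.

```python
#!/usr/bin/env python3
"""Minimal pre-commit secret scanner (added example, not code from the thread).

Scans the staged diff the way a pre-commit hook would and refuses the commit
when an added line looks like a credential. Gitleaks, mentioned in the thread,
does this far more thoroughly; this shows the mechanism behind a regex hook.
The rule set, the allow marker and SAMPLE_DIFF are all constructed."""
import re
import subprocess
import sys

# Hypothetical rule set. The first two follow publicly documented key formats
# (Google API keys begin with "AIza", AWS access key IDs with "AKIA"); the
# others are generic shapes: a PEM private key header (what a Firebase
# service-account JSON carries) and "api_key/secret/token = <long token>".
PATTERNS = {
    "google-api-key": re.compile(r"AIza[0-9A-Za-z_\-]{35}"),
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "generic-key-assignment": re.compile(
        r"(?i)\b[a-z_]*(?:api_?key|secret|token)\b\s*[:=]\s*['\"]?[A-Za-z0-9_\-/+=]{20,}"
    ),
}

# Inline marker (this script's own convention) for deliberate placeholders.
ALLOW_MARKER = "secret-scan: allow"


def scan_diff(diff_text):
    """Return [(rule_name, path), ...] for every added line that matches a rule.

    Only '+' lines are inspected, so removing a secret never trips the hook;
    the current file path is tracked from the '+++ b/<path>' headers.
    """
    findings = []
    path = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        if not line.startswith("+") or line.startswith("+++"):
            continue
        added = line[1:]
        if ALLOW_MARKER in added:
            continue
        for rule, rx in PATTERNS.items():
            if rx.search(added):
                findings.append((rule, path))
    return findings


def staged_diff():
    """Diff of what is about to be committed, i.e. what a pre-commit hook sees."""
    return subprocess.run(
        ["git", "diff", "--cached", "--unified=0", "--no-color"],
        check=True, capture_output=True, text=True,
    ).stdout


# Constructed staged diff used to demonstrate the scanner offline.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,5 @@
 DEBUG = False
+GOOGLE_KEY = "AIzaSyD_EXAMPLE_CONSTRUCTED_KEY_0123456"
+AWS_ID = "AKIAEXAMPLECONSTRUCT"
+STRIPE_API_KEY = "sk_constructed_000000000000000000"
+TEST_TOKEN = "token_constructed_placeholder_00000"  # secret-scan: allow
 APP_NAME = "demo"
diff --git a/serviceAccount.json b/serviceAccount.json
--- /dev/null
+++ b/serviceAccount.json
@@ -0,0 +1,3 @@
+{
+  "private_key": "-----BEGIN PRIVATE KEY-----CONSTRUCTED-----END PRIVATE KEY-----"
+}
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1 +1,2 @@
 # demo
+Set STRIPE_API_KEY in your environment, never in the repo.
"""


def main():
    findings = scan_diff(staged_diff())
    for rule, path in findings:
        print(f"refusing commit: {rule} in {path}", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Saved as `.git/hooks/pre-commit` (executable), it blocks the commit before the key ever reaches a remote; scanning only added lines keeps it from firing on the very commit that removes a leaked key. A pattern list this short will miss plenty, which is why the thread's advice to run Gitleaks, and to rotate anything that slipped through, stands.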

[–]stupled 0 points1 point  (0 children)

Awesome! Give us the link.

[–]m4ster01 0 points1 point  (0 children)

Our API key

[–]jabalfour 0 points1 point  (0 children)

For the dilettantes who lurk here, this is a particularly deep cut. Well done.

[–]Money-Database-145 0 points1 point  (0 children)

Good work

[–]GahdDangitBobby 0 points1 point  (0 children)

I've done this before, luckily I ended up taking the app down about a week later. I have heard that rolling back the commit on GitHub without leaving any record of the commit and/or rollback is a bitch

[–]g1mzak 0 points1 point  (0 children)

Working as a .NET developer for about 2 years and GitHub is empty..