
Recently, a developer accidentally made a private repository public, which contained secret keys. Although a third-party application promptly flagged and rotated the exposed credentials, the repository remained public for some time, raising concerns about potential unauthorized access and misuse of the sensitive code.

Developers require access to perform their duties, yet we need to ensure such critical mistakes are minimized.

What are the best practices and strategies to prevent such incidents in the future?

How can we better monitor and control repository visibility settings to safeguard sensitive contents?


1 Answer


Keys or other credentials do not belong in any repository, even if it's private. They have to be kept in specialized key stores.

As to protecting the source code, developers shouldn't be able to change the visibility of a repository at all. You need proper authorization where only developers can access the repository, and where developers can only do exactly what they should. If this isn't possible with GitHub, then consider using your own git repository.

Additionally, there's obviously a communication and/or education problem which needs to be addressed. As far as I know, the option for making a GitHub repository public is in a section called “Danger Zone”. If people ignore this, there's something wrong.

  • Thanks for the advice. I agree with using key stores for managing credentials. Could you share best practices or tools for controlling repository visibility permissions? We need to ensure developers can't change visibility without proper checks. We also had a case where a developer cloned a repository to their personal, public GitHub. How can we prevent code from being externally copied? I'd appreciate tips on tightening our source code security. Commented Jun 6, 2024 at 13:19
  • The visibility can only be changed by repository owners and admins, so don’t let the developers be any of those two. There’s no technical way to prevent somebody from publishing source code which they have access to. You need to make it very clear to the developers what they can and cannot do. If the code is owned by a company, then sharing it without explicit permission is (probably) illegal in your country. Everybody needs to understand this. You might also want to check if you’re employing (or collaborating with) the right people. The amount of carelessness you’ve described is worrying. Commented Jun 6, 2024 at 13:35
  • Thank you for your advice. As I'm relatively new to this field, I'm exploring training options to further educate our developers on security best practices. I've come across platforms like LearnUpon and Trakstar Learn but am unsure which would best suit our needs. Could you recommend any specific resources or platforms that would be particularly effective? Your insights are greatly appreciated! Commented Jun 7, 2024 at 22:02
