Secrets in version control systems (VCS) like git are the current state of the world, despite this being widely recognised as bad practice. Once source code enters a git repository, it can organically spread into multiple locations, and any secrets included within it spread with it. But why, then, are secrets in git repositories so common?

This is the second in a series of articles about secrets within source code. It looks specifically at why secrets within git repositories are such a plague, why they are so dangerous and how to prevent them.

Why secrets end up in git

A seasoned developer may be scratching their head wondering why anyone would put secrets inside a git repository. But the fact is that secrets inside git repositories are the current state of the world. In the last article we talked about how it is common to choose the path of least resistance when it comes to accessing and distributing secrets. Git acts as the central point of truth for a project, so it makes sense, at least from a convenience point of view, to store secrets inside a private git repository so that distribution and access are easy. But storing secrets like this is playing with fire: it only takes a very small incident to get burnt.

In addition to secrets being stored in git intentionally, it is very easy to lose track of secrets when they are not managed properly. Secrets may be hardcoded into source code, stored in a text file, shared over Slack or buried inside a debug application log. Developers are often in large, distributed teams with access to a plethora of secrets, while facing shorter release cycles and an ever-growing number of technologies to master.

Source code, we have to remember, is very leaky. Code is copied and transferred everywhere. Git is designed in a way that allows, even promotes, code to be freely distributed. Projects can be cloned onto multiple machines, forked into new projects, distributed to customers, made public, and so on. Each time a repository is duplicated, the entire history of that project is duplicated with it, so a secret that was committed once and later deleted still exists in every clone and fork. Why storing secrets in public repositories is bad should be obvious: they are freely available to everyone on the internet, and public repositories are very easy to monitor. GitHub, for example, has a public API to fetch all public commits.
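The point about duplicated history is worth seeing rather than taking on trust. The script below is an added example, not code from the original article: it builds a throwaway repository, commits a config file containing a constructed placeholder token, "removes" the token in a second commit, clones the repository, and then counts how many commits in each copy still contain it. The repository layout, the file name config.ini, the function names (make_leaky_repo, count_history_hits, demo) and the token value are all assumptions made for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article: a secret committed
# once and "removed" in a later commit is still present in the history,
# and that history travels with every clone. Everything here (repository
# layout, file name, function names, the token value) is constructed for
# the demonstration; the token is a fake placeholder, not a real credential.
set -eu

FAKE_TOKEN="EXAMPLE_FAKE_TOKEN_0123456789"   # constructed placeholder value

# git with a throwaway identity so commits work in a clean environment
gitc() { git -c user.name=demo -c user.email=demo@example.invalid "$@"; }

# Build a throwaway repository: commit a config file that contains the
# token, then "fix" the mistake by replacing it in a second commit.
make_leaky_repo() {
  local dir="$1"
  git init -q "$dir"
  printf 'api_token=%s\n' "$FAKE_TOKEN" > "$dir/config.ini"
  gitc -C "$dir" add config.ini
  gitc -C "$dir" commit -q -m "add service config"
  printf 'api_token=REDACTED\n' > "$dir/config.ini"
  gitc -C "$dir" commit -q -am "remove hardcoded token"
}

# Count the commits, across every ref, whose tree still contains the
# pattern. This is what a scanner or an attacker runs against a clone:
# walk all reachable history rather than only the current working tree.
count_history_hits() {
  local dir="$1" pattern="$2"
  # shellcheck disable=SC2046 -- splitting the rev list into words is intended
  git -C "$dir" grep -l -F -e "$pattern" $(git -C "$dir" rev-list --all) \
    | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

# Run the scenario and print three counts: hits in the clone's working
# tree, hits in the origin's history, hits in the clone's history.
demo() {
  local work wt origin_hits clone_hits
  work="$(mktemp -d)"
  make_leaky_repo "$work/origin"
  git clone -q "$work/origin" "$work/clone"
  # grep -c prints 0 and exits 1 when nothing matches; keep the count
  wt="$(grep -c -F "$FAKE_TOKEN" "$work/clone/config.ini" || true)"
  origin_hits="$(count_history_hits "$work/origin" "$FAKE_TOKEN")"
  clone_hits="$(count_history_hits "$work/clone" "$FAKE_TOKEN")"
  rm -rf "$work"
  printf '%s %s %s\n' "$wt" "$origin_hits" "$clone_hits"
}

echo "working-tree hits, origin history hits, clone history hits: $(demo)"
```

The working tree of the clone is clean, yet one commit in the origin and the same one commit in the clone still carry the token. Deleting the line and pushing does nothing for anyone who already cloned or forked; even rewriting history and force-pushing only cleans the copy you control. Once a secret has been committed, treat it as exposed and rotate it.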