by Kwpolska
1169 days ago
There’s already an entire pipeline that handles a key being compromised when it is found on GitHub. All the “tooling and complexity” you need is a simple HTML form to ask for a key and where you found it, and some server-side code to trigger the same pipeline when somebody submits the form. There are three issues with the use of GitHub here:

1. Not everybody knows that AWS will invalidate tokens committed into a public GitHub repository.
2. There is a window (67 seconds according to OP) in which the compromised token is public but working. For the “small intersection of people”, you could bring it down to 0.
3. GitHub protects GitHub keys, and apparently AWS keys, but does it protect Azure keys? Or GCP keys?
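A sketch of the server-side half of the “report a found key” form described above, added here as an example and not code from the commenter or from any provider’s actual pipeline. It assumes the form posts three fields (`key_id`, `secret`, `location`); the AWS key-ID and secret formats are the publicly documented ones, the `verify`/`revoke` callables are hypothetical plumbing into whatever revocation pipeline the provider already runs, and the `aws_verify`/`aws_revoke` functions show what that plumbing would look like with boto3 (real STS/IAM calls, not exercised offline). The one design point worth taking from it: the handler only revokes a pair that actually authenticates, so a form like this cannot be used to disable someone’s key by guessing its public ID.

```python
import hashlib
import re
from typing import Callable, Dict, Optional

# Documented AWS formats: a long-term access key ID is 20 uppercase
# alphanumerics starting with AKIA (ASIA for temporary STS credentials);
# the matching secret access key is 40 base64-like characters.
AWS_ACCESS_KEY_ID_RE = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")
AWS_SECRET_KEY_RE = re.compile(r"^[A-Za-z0-9/+=]{40}$")


def fingerprint(key_id: str) -> str:
    """Short SHA-256 prefix so tickets and logs can reference the key without storing the secret."""
    return hashlib.sha256(key_id.encode()).hexdigest()[:16]


def classify(key_id: str, secret: str) -> Optional[str]:
    """Return the provider a submitted pair belongs to, or None if the format is unknown."""
    if AWS_ACCESS_KEY_ID_RE.match(key_id) and AWS_SECRET_KEY_RE.match(secret):
        return "aws"
    return None  # Azure / GCP would need their own format checks and pipelines here


def handle_report(form: Dict[str, str],
                  verify: Callable[[str, str, str], bool],
                  revoke: Callable[[str, str], bool]) -> Dict[str, object]:
    """Process one form submission. `verify` and `revoke` are hypothetical hooks
    into the provider's existing compromised-key pipeline."""
    key_id = form.get("key_id", "").strip()
    secret = form.get("secret", "").strip()
    location = form.get("location", "").strip()
    if not location:
        return {"ok": False, "error": "location is required"}
    provider = classify(key_id, secret)
    if provider is None:
        return {"ok": False, "error": "unrecognised key format"}
    # Proof of possession: only a pair that really authenticates gets revoked,
    # otherwise the form is a denial-of-service tool against anyone whose key ID is known.
    if not verify(provider, key_id, secret):
        return {"ok": False, "error": "credentials do not authenticate; nothing to revoke"}
    revoked = revoke(provider, key_id)
    # The secret is deliberately absent from the result and from anything logged.
    return {"ok": revoked, "provider": provider,
            "fingerprint": fingerprint(key_id), "location": location}


def aws_verify(provider: str, key_id: str, secret: str) -> bool:
    """Proof of possession via STS GetCallerIdentity (assumes boto3 and network access)."""
    import boto3  # assumption: boto3 installed; not needed for the offline demo below
    sts = boto3.client("sts", aws_access_key_id=key_id, aws_secret_access_key=secret)
    try:
        sts.get_caller_identity()
        return True
    except Exception:
        return False


def aws_revoke(provider: str, key_id: str) -> bool:
    """Deactivate the key via IAM; assumes the service's own credentials allow iam:UpdateAccessKey."""
    import boto3  # assumption as above
    iam = boto3.client("iam")
    user = iam.get_access_key_last_used(AccessKeyId=key_id)["UserName"]
    iam.update_access_key(UserName=user, AccessKeyId=key_id, Status="Inactive")
    return True


if __name__ == "__main__":
    # Offline demo with fake hooks and the constructed example pair from the AWS docs.
    submission = {"key_id": "AKIAIOSFODNN7EXAMPLE",
                  "secret": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                  "location": "https://github.com/example/repo/blob/main/config.yml"}
    print(handle_report(submission, lambda p, k, s: True, lambda p, k: True))
```

With real hooks wired in, the time between “found” and “revoked” is one HTTP request rather than the scan-and-notify window, which is the point the comment makes; the remaining cost is deciding, per provider, what “verify” and “revoke” mean, which is exactly the gap the third issue above points at for Azure and GCP.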