Data at risk

Sensitive Info in Git Repository

Risk Level

Hazardous (3)

Platform(s)
  • N/A

About Git Repositories

Git is open source content-tracking software used by programmers to develop, modify, and maintain software applications, typically in a multi-contributor environment.

Git stores and tracks every bit of information inside a repository. Think of the repository as a database that contains the history of all the changes, ever made, to all the files in your project. This gives users the ability to switch/revert to a previous version of a software application, at any time.

Git tracks changes via commits. Think of a commit as a snapshot of your project. Any time a user wants to add new changes to a repository, they create a new commit, using the git commit command. This allows them to bundle up one or more changes as the next snapshot of the project, and then add it to the repository.

However, sometimes, users accidentally push sensitive information into a Git repository, which can be exploited by malicious actors.

Sensitive information can include passwords, tokens, secrets, access keys, SSH keys, certificates, and hostnames, etc. Such information should never be hardcoded in source code or pushed as part of a configuration file. However, mistakes do happen.

Cloud Risk Description

Sensitive information like database passwords, API keys, encryption keys, hash salts, and secrets, etc. can mistakenly get pushed into a Git repository. If they are part of the source code of your application, cybercriminals can easily extract them and compromise your systems.

Any pushed sensitive data must be detected and removed immediately, both from the repository and the history.

How Does Orca Help?

Orca detects sensitive data at-risk across both the workload and control plane, pinpointing the exact location and providing masked samples of the data for quick remediation. It also leverages context such as the location and accessibility of the assets containing the data. This approach separates the noise from the risks that are truly critical to the business.

Orca looks for sensitive information in Git repositories and will alert on this type of issue as shown in the screenshot above.

Real-Life Incidents

There have been numerous attacks in which the exposure of sensitive data in git repositories led to a breach. Here are a few examples:

Orca

Orca Security, the cloud security innovation leader, provides cloud-wide, workload-deep security and compliance for AWS, Azure, and GCP - without the gaps in coverage, alert fatigue, and operational costs of agents.