Committing a secret, like an API key or service token, to version control is a painful mistake, which I've done myself and seen plenty of others do, too. Fixing it usually involves at least some degree of emotional pain - you need to announce the incident and work whatever incident process your organization might have.
You may need to ask others for assistance, either in generating a new secret or helping you rotate the compromised one if you don't have sufficient access yourself.
Depending on the size of your org, this could involve filing some tickets, starting a couple of different conversations, pulling other colleagues off what they were focusing on, etc.
It sucks - and it's worth investing in a process that can help you by preventing you from committing anything that looks like a secret in the first place.
ggshield is an amazing tool from GitGuardian
You may have heard of GitGuardian - a service that runs against public GitHub repositories, scans them for secrets (API keys, tokens, passwords, etc) which may have been accidentally committed, and then emails you an alert and some helpful tips on remediating the issue.
I was delighted to discover they also have a command line interface (CLI) that anyone can use to scan their local working directory to ensure no secrets are hardcoded or otherwise exposed.
Even more powerfully, you can integrate
ggshield with a git pre-commit hook in order to ensure that every single time you attempt to commit code from your machine, you automatically get a sanity check
ensuring you're not about to leak something sensitive.
What does it look like when ggshield saves your ass?
Here's a screenshot of a test I ran against a local repository. First, I used
openssl to generate a certificate that was just sitting in my local repository. I then ran
ggshield secret scan repo, and the tool
correctly found my secret, before I committed it and ruined everyone's day.
It's even better when combined with git hooks
Git hooks allow you to "hook" into different git lifecycle events in order to run your own code. For example, the
pre-commit hook allows you to run your own code before you create a new git commit.
This is the perfect
place to scan for secrets, and
ggshield supports this workflow out of the box. GitGuardian has great documentation for all the ways you can use
ggshield alongside git hooks, but I personally wanted to run it as a global pre-commit hook.
This means that for any and every repository I'm working with,
ggshield will scan my local git changes for secrets. This is a nice way to automate away needing to worry about letting a random token or certificate slip through when you're in
Of course it's critical to perform code reviews, and ask your team for a second set of eyes to ensure you're keeping your secrets out of version control, but having this extra layer of automated scanning works very well in concert with these other best practices.