If only there were a tool that could search if a word was in a dictionary...
A researcher has published a tool to help administrators delve into GitHub commits to find high-entropy secret keys. The tool, dubbed TruffleHog, is able to locate high-entropy keys within GitHub, potentially saving admins from exposing their networks and sensitive data. TruffleHog developer Dylan Ayrey, who warned of the …
I'd be much more worried about code that hard-codes an API key or password as a variable rather than, say, reads it from an external file (which is outside the commit zone). Accidental commits of files, I could probably "forgive", especially if they are in a separate .h file or similar that contains just the things that should never be committed.
But finding them just stray in your code?
There's a reason, for example, that /etc/ssl is heavily locked down, /etc/ssl/private is even heavier, and if you want to use those keys you include them from your config, not just copy and paste them into your website path.
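As an added illustration of the entropy-based scan the article describes (this is example code written for this page, not TruffleHog's own source or the commenter's code), the scanner below walks the lines of a constructed git diff, pulls out runs of base64-like and hex-like characters, and flags any run whose Shannon entropy exceeds a per-alphabet threshold. The alphabets, the 20-character minimum and the thresholds of 4.5 bits (base64) and 3.0 bits (hex) are assumptions chosen for this example; the diff text is constructed, and the key-looking strings in it are made up and do not belong to any real service.

```python
import math
import re
from collections import Counter
from typing import List, Tuple

# Assumed scanning rules: (regex for a candidate run, entropy threshold in bits/char).
# Hex can never exceed 4 bits/char (16 symbols), so its threshold is lower than base64's.
RULES = {
    "base64": (re.compile(r"[A-Za-z0-9+/=]{20,}"), 4.5),
    "hex": (re.compile(r"[0-9a-fA-F]{20,}"), 3.0),
}

# Constructed diff. The API_KEY literal and the removed OLD_KEY literal are the kind
# of thing the commenter objects to: a secret baked into code. The SIGNING_KEY line
# reads the secret from a file outside the repository and contains nothing to flag.
SAMPLE_DIFF = """\
+++ b/app/settings.py
+API_KEY = "k8Qz1mXv7P2rL0aYt5WeN9bCdUf3HgJs6TiR4oEx"
+BUILD_ID = "3f9a1c7e5b2d8046a9e1f3c7b5d20e48"
+PLACEHOLDER = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+with open("/etc/myapp/secret.key") as fh:
+    SIGNING_KEY = fh.read().strip()
-OLD_KEY = "k8Qz1mXv7P2rL0aYt5WeN9bCdUf3HgJs6TiR4oEx"
"""


def shannon_entropy(data: str) -> float:
    """Bits of entropy per character of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    length = len(data)
    return -sum((n / length) * math.log2(n / length) for n in Counter(data).values())


def scan_diff(diff: str) -> List[Tuple[int, str, str, float]]:
    """Return (line_no, rule, token, entropy) for each high-entropy run in the diff.

    Removed ('-') lines are scanned as well: deleting a literal from the working
    tree does not remove it from the commit history, which is exactly where a
    history-walking tool looks. A token is reported at most once per line even if
    it matches more than one alphabet.
    """
    findings = []
    seen = set()
    for line_no, line in enumerate(diff.splitlines(), start=1):
        if line.startswith("+++") or line.startswith("---"):
            continue  # file headers carry paths, not content
        for rule, (pattern, threshold) in RULES.items():
            for token in pattern.findall(line):
                entropy = shannon_entropy(token)
                if entropy > threshold and (line_no, token) not in seen:
                    seen.add((line_no, token))
                    findings.append((line_no, rule, token, round(entropy, 3)))
    return findings


if __name__ == "__main__":
    for line_no, rule, token, entropy in scan_diff(SAMPLE_DIFF):
        print(f"line {line_no}: {rule} run {token!r} ({entropy} bits/char)")
```

Run against the constructed diff, the scan reports the API_KEY literal (40 distinct characters, so exactly log2(40) ≈ 5.32 bits/char), the removed OLD_KEY literal, and the BUILD_ID hex string. The last one shows the weak spot of a pure entropy heuristic: a commit hash or build identifier has the same character statistics as a hex-encoded key, so findings need a reviewer or a second signal (known key formats, variable names) before anyone treats them as a leak. The all-'a' placeholder and the line that reads the key from /etc/myapp/secret.key are, correctly, not flagged.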
Biting the hand that feeds IT © 1998–2021