Toyota Accidentally Exposed a Secret Key Publicly on GitHub for Five Years

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • ggshield

    Find and fix 360+ types of hardcoded secrets and 70+ types of infrastructure-as-code misconfigurations.

  • You can definitely use pre-commit hooks for this, like the one of ggshield https://github.com/GitGuardian/ggshield - remediation is far quicker when the secret doesn't make it to the codebase!

  • gitleaks

    Protect and discover secrets using Gitleaks 🔑

  • Good reminder to run Gitleaks[1] or Gitleaks-Action[2] on your repos

    [1] https://github.com/zricethezav/gitleaks

    [2] https://gitleaks.io/products

  • tartufo

    Searches through git repositories for high entropy strings and secrets, digging deep into commit history

  • You could set up something like https://github.com/godaddy/tartufo in a pre-commit hook. Not sure if GitHub has a way to hook into the push hooks on the server side; they might, though.

  • detect-secrets

    An enterprise friendly way of detecting and preventing secrets in code.

  • Yelp has a "detect-secrets" project that can detect potential secrets and can be used as a pre-commit hook: https://github.com/Yelp/detect-secrets

  • trufflehog

    Find and verify credentials

  • There is software like Trufflehog (https://github.com/trufflesecurity/trufflehog) that finds secrets. We are using it at the organizational level, but there's always some delay between finding something and getting it reported. I've been meaning to add it both to our CI so our team can notice right away, and even to Git push hooks, to catch these cases early.

  • git-secrets

    Prevents you from committing secrets and credentials into git repositories

  • I worked for a big startup last year and was on a contract deadline for integrating a vendor framework into a React Native app.

    It was taking too long to get a new temp demo license key and GitHub search with clever filters helped me track down a demo key that was recently uploaded to a test repo.

    This is also why I use git-secrets in my repos.

    https://github.com/awslabs/git-secrets

  • aws-sdk-for-php

    Discontinued (DEPRECATED) AWS SDK for PHP - Version 1. Version 3 is the latest:
