Enable javascript in your browser for better experience. Need to know to enable it? Go here.
Menu
Close
Tools Back
Last updated : Apr 05, 2016
NOT ON THE CURRENT EDITION
This blip is not on the current edition of the Radar. If it was on one of the last few editions, it is likely that it is still relevant. If the blip is older, it might no longer be relevant and our assessment might be different today. Unfortunately, we simply don't have the bandwidth to continuously review blips from previous editions of the Radar. Understand more
Apr 2016
Assess ?

Attackers continue to use automated software to crawl public GitHub repositories to find AWS credentials and spin up EC2 instances to mine Bitcoins or for other nefarious purposes. Although adoption of tools like git-crypt and Blackbox to safely store secrets such as passwords and access tokens in code repositories is increasing, it is still all too common that secrets are stored unprotected. It is also not uncommon to see project secrets accidentally checked in to developers' personal repositories. Gitrob can help minimize the damage of exposing secrets. It scans an organization's GitHub repositories, flagging all files that might contain sensitive information that shouldn't have been pushed to the repository. The current release of the tool has some limitations: It can only be used to scan public GitHub organizations and their members, it doesn't inspect the contents of files, it doesn't review the entire commit history, and it fully scans all repositories each time it is run. Despite these limitations, it can be a helpful reactive tool to help alert teams before it is too late. It should be considered a complementary approach to a proactive tool such as Talisman.

Nov 2015
Trial ?

Safely storing secrets such as passwords and access tokens in code repositories is now supported by a growing number of tools - for example, git-crypt and Blackbox, which we mentioned in the previous Technology Radar. Despite the availability of these tools, it is still, unfortunately, all too common that secrets are stored unprotected. In fact, it is so common that automated exploit software is used to find AWS credentials and spin up EC2 instances to mine Bitcoins, leaving the attacker with the Bitcoins and the account owner with the bill. Gitrob takes a similar approach and scans an organization’s GitHub repositories, flagging all files that might contain sensitive information that shouldn’t have been pushed to the repository. This is obviously a reactive approach. Gitrob can only alert teams when it is (almost) too late. For this reason, Gitrob can only ever be a complementary tool, to minimize damage.

Published : Nov 10, 2015

Download the PDF

 

 

English | Español | Português | 中文

Sign up for the Technology Radar newsletter

 

Subscribe now

Visit our archive to read previous volumes

Go to archive

Thoughtworks acknowledges the Traditional Owners of the land where we work and live, and their continued connection to Country. We pay our respects to Elders past and present. Aboriginal and Torres Strait Islander peoples were the world's first scientists, technologists, engineers and mathematicians. We celebrate the stories, culture and traditions of Aboriginal and Torres Strait Islander Elders of all communities who also work and live on this land. 

 

As a company, we invite Thoughtworkers to be actively engaged in advancing reconciliation and strengthen their solidarity with the First Peoples of Australia. Since 2019, we have been working with Reconciliation Australia to formalize our commitment and take meaningful action to advance reconciliation. We invite you to review our Reconciliation Action Plan.