The Risks of Exposing Passwords on GitHub: A Guide to Secure Coding Practices
Environment Variables: Store secrets in environment variables on your local machine or server rather than in the code itself.
Use Secret Scanners:
Junior developers are often handed a “getting started” document that includes a password.txt file attached to an email or Slack message. To save time, they drop the file directly into the cloned repository. When they run git add ., the file comes along for the ride.
Here are advanced search queries to locate exposed secrets (use only on your own repos or with permission):
It’s a classic developer mistake. You’re working late, you need to authenticate a script, and for "just a second," you save your credentials in a file named password.txt. You finish your code, run git add ., git commit, and git push.
A university research team stored database passwords in password.txt for a COVID-19 data portal. A security researcher found the file via GitHub search, notified the team, and found that the same credentials also unlocked an internal server with 10,000 student Social Security numbers. The university faced a GDPR fine of €200,000.
Many developers think, "My repository is small. No one will find my password.txt." This is wrong.
Note: For forks or mirrors you don’t control,
If you use GitHub Actions, never write secrets to a file. Use encrypted secrets:
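As an added illustration of the advice above (example code, not from the original article), here is a git pre-commit hook that refuses to commit credential files such as password.txt and flags obvious inline secrets, while letting references to environment variables and ${{ secrets.X }} through. The file-name list and the regexes are assumptions, not a published policy.

```shell
#!/bin/sh
# Added example (not from the original article): a pre-commit hook that blocks
# credential files like password.txt and obvious inline secrets, but allows
# environment-variable and CI-encrypted-secret references.
# Install as .git/hooks/pre-commit and chmod +x. Name list/regexes are assumptions.

# Basenames that must never be committed.
FORBIDDEN_NAMES='password\.txt|passwords\.txt|\.env|id_rsa|credentials\.json'

# Inline secret heuristics: key=value with a 6+ char literal (a value starting
# with $ is an env-var or ${{ secrets.X }} reference and is allowed), AWS access
# key ids, and private key headers.
SECRET_REGEX='(password|passwd|secret|api_key|token)[[:space:]]*[=:][[:space:]]*[^[:space:]$]{6,}|AKIA[0-9A-Z]{16}|BEGIN [A-Z ]*PRIVATE KEY'

# check_names: one path per line on stdin; prints offenders, returns 1 if any.
check_names() {
  found=0
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    if printf '%s\n' "$(basename "$path")" | grep -Eqx "$FORBIDDEN_NAMES"; then
      echo "blocked file name: $path"
      found=1
    fi
  done
  return $found
}

# scan_content: file content on stdin; prints matching lines, returns 1 if any.
scan_content() {
  if grep -Ein "$SECRET_REGEX"; then return 1; fi
  return 0
}
# main: inspect the staged snapshot (not the working tree) and block the commit.
main() {
  staged=$(git diff --cached --name-only --diff-filter=ACM)
  status=0
  printf '%s\n' "$staged" | check_names || status=1
  for f in $staged; do   # assumes no whitespace in staged paths
    if ! hits=$(git show ":$f" | scan_content); then
      printf '%s\n' "$hits" | sed "s|^|possible secret in $f:|"
      status=1
    fi
  done
  [ $status -eq 0 ] || echo "commit blocked: move secrets to environment variables or CI encrypted secrets"
  return $status
}

# Run only when invoked by git as the hook, so the functions can also be sourced.
case "$0" in */pre-commit) main; exit $? ;; esac
```

The hook reads the staged blobs with git show ":path" rather than the working tree, so a secret that is staged but not yet saved in the editor is still caught.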