Secrets in the code
Programming often involves keeping a bunch of secrets around. You’ve got account passwords, OAuth tokens, SSL and SSH private keys. The best way to keep a secret is, well, to…
Programming often involves keeping a bunch of secrets around. You’ve got account passwords,
OAuth tokens, SSL and SSH private keys. The best way to keep a secret is, well, to keep it secret.
Sometimes in a forgetful moment, however, those secrets get shared with the whole world.
Once a secret is out, it’s out. There are no partially compromised secrets. If you’ve pushed
sensitive information to a public repository, there’s a good chance that it’s been indexed by
Google and can be searched. And with GitHub’s new Search feature, it’s now more easily searchable
on our site.
Our help page on removing sensitive data
reminds us that once the commit has been pushed to a public repository, you should consider the
data to be compromised. If you think you may have accidentally shared private information in a repository,
we urge you to change that information (password, API key, SSH key, etc.) immediately and
purge that secret data from your repositories.
I also want to clarify that our code search results being unavailable is unrelated to this issue. Our operations team has been working on repairing and tuning the code search cluster.
We will continue to update our status site with updates on our progress. We will also be publishing a detailed post-mortem on the code search availability issues next week.
Written by
Related posts
GitHub availability report: March 2026
In March, we experienced four incidents that resulted in degraded performance across GitHub services.
GitHub Universe is back: We want you to take the stage
Get inspired by five of the most memorable, magical, and quirky Universe sessions to date.
What’s coming to our GitHub Actions 2026 security roadmap
A look at GitHub Actions’ 2026 roadmap, outlining how secure defaults, policy controls, and CI/CD observability harden the software supply chain end to end.