Secrets in the code

Programming often involves keeping a bunch of secrets around. You’ve got account passwords,
OAuth tokens, SSL and SSH private keys. The best way to keep a secret is, well, to keep it secret.

Sometimes in a forgetful moment, however, those secrets get shared with the whole world.

Once a secret is out, it’s out. There are no partially compromised secrets. If you’ve pushed
sensitive information to a public repository, there’s a good chance that it’s been indexed by
Google and can be searched. And with GitHub’s new Search feature, it’s now more easily searchable
on our site.

Our help page on removing sensitive data
reminds us that once the commit has been pushed to a public repository, you should consider the
data to be compromised. If you think you may have accidentally shared private information in a repository,
we urge you to change that information (password, API key, SSH key, etc.) immediately and
purge that secret data from your repositories.

I also want to clarify that our code search results being unavailable is unrelated to this issue. Our operations team has been working on repairing and tuning the code search cluster.
We will continue to update our status site with updates on our progress. We will also be publishing a detailed post-mortem on the code search availability issues next week.

Written by

Brian Doll

@briandoll