false positive / confusion following email #5

Closed
consideRatio opened this issue Jun 27, 2020 · 5 comments
Labels
status:needinfo Further information is required

Comments

@consideRatio

I'm not sure where to write about this situation, but decided I'll try here.

I got an email referencing this repo describing that a secret had been exposed in a repo I manage. The referenced exposed secret was actually encrypted by mozilla/sops as intended, so I assume a false positive triggered the email.

Curious about this project, I read up a bit and considered debugging this. I read that an API key was required, but decided against trying to get one since it led to a request to "Act on your behalf". I'm generally concerned about why that was requested.

I hope this experience is relevant for you to be aware of.

[Screenshots attached: the email, and the "API key required" page]
@Jguer
Contributor

Jguer commented Jun 30, 2020

Hey @consideRatio, thanks for the interest in the project.

I've checked and it is indeed not straightforward to sign up without integrating GitHub real-time monitoring.
At least for now, Sign Up should allow email sign-up and the option to not integrate any real-time source (and just reach the API Key creation page).

This is something we'll definitely be improving in the future. On the part of the user authentication on the GitHub App, we only read your email (as it says under Resources on your account), but it seems that using the OAuth of the GitHub App for user creation triggers the "Act on your behalf" display. We'll still be investigating this further, but using email sign-up should bypass this for now.

@PierreTurnbull

PierreTurnbull commented Jun 30, 2020

Hi @Jguer,

I also received an email about 30 minutes ago. It warned me about an AWS key, but I did not push any AWS key (though I'm using one on this repo). I triple-checked to be sure, and the 4 commits I made today do not contain my AWS key.
Also, the "pushed date" displayed in the mail does not correspond to any existing commit on this repo.

@GG-HH
Collaborator

GG-HH commented Jun 30, 2020

Hi @PierreTurnbull, thanks for your message.
From what I can see, it seems that your repo with the AWS credentials was made public today. We just wanted to make sure that you know that those keys are still present in your Git history (even if revoked). In fact, the pushed date you see is the date when the commit was made public.
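
As an added illustration of the two points raised in this thread (a sops-encrypted value is ciphertext and should not be reported as an exposed secret, and a key committed once stays in Git history even after it is removed or revoked), here is a small scanner written for this note, not code from the project, run over a constructed excerpt in the shape of `git log -p` output; the AWS documentation's example access key ID is used as the sample value.

```python
import re

# Constructed excerpt in the shape of `git log -p --all` output; not a real repository.
SAMPLE_HISTORY = """\
commit 1111111 (constructed)
+++ b/config/prod.env
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
commit 2222222 (constructed)
+++ b/config/prod.env
-AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_ACCESS_KEY_ID=ENC[AES256_GCM,data:c29tZXRoaW5n,iv:YWJj,tag:ZGVm,type:str]
"""

# AWS access key IDs start with AKIA followed by 16 upper-case alphanumerics.
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Value envelope written by sops: the data/iv/tag fields are ciphertext, not a credential.
SOPS_ENVELOPE = re.compile(r"ENC\[AES256_GCM,data:[^,\]]+,iv:[^,\]]+,tag:[^,\]]+,type:\w+\]")


def scan_history(log_text):
    """Return one finding per diff line that carries a plaintext AWS access key ID.

    sops envelopes are skipped (ciphertext, so no exposure). A '-' line is reported
    just like a '+' line: deleting the secret in a later commit does not remove it
    from the history that becomes readable once the repo is made public."""
    findings = []
    commit = None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
            continue
        # Only added/removed content lines matter; skip the +++/--- file headers.
        if not line or line[0] not in "+-" or line.startswith(("+++", "---")):
            continue
        body = line[1:]
        if SOPS_ENVELOPE.search(body):
            continue
        match = AWS_KEY_ID.search(body)
        if match:
            findings.append({"commit": commit, "key_id": match.group(0), "change": line[0]})
    return findings


if __name__ == "__main__":
    for finding in scan_history(SAMPLE_HISTORY):
        print(f"{finding['commit']}: {finding['change']} {finding['key_id']}")
```

Revoking the key at the provider is still the first step; the scanner shows why rewriting or recreating the history is also needed before relying on the repo being clean.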

@PierreTurnbull

I actually rendered my repository public today, so this makes sense. Thanks for the explanation.

@Jguer Jguer added the status:needinfo Further information is required label Jul 1, 2020
@Jguer Jguer closed this as completed Jul 3, 2020
@consideRatio
Author

consideRatio commented Jul 3, 2020

For future reference, I still consider the report I got a false positive. I'm low on capacity to help debug it, but the repo it reacted on is still public, without action taken since I got the report.

It was renamed to neurohackademy/nh2020-jupyterhub though.
