@JennieOhyoung
Last active January 5, 2022 22:05
Prevent private data from leaks

There are two sides to this story: on the one hand, we should do everything in our power to prevent leaks from happening; on the other, we need a mitigation plan that ensures proper takedown of all leaked data to minimize impact.

Prevention:

Mitigation:

  • Once a user has committed sensitive information, they can remove sensitive data from a repository on their own. But be sure to reach out to GitHub Support with the commit SHA. The exact steps we take on our end to ensure all histories, along with logs, are wiped clean:
    • Delete PR in staff tools (this will also wipe out any related audit logs, history etc)
    • Confirm the commit hasn't appeared anywhere else since our last check
    • Run garbage collection
    • Invalidate the git cache on the repo (users often don't realize this step also needs to take place)
  • If you are certain about the ownership of the data, fill out a DMCA takedown notice form and let the GitHub Support team know. Conversely, if your repository has been taken down due to a false claim, please fill out the DMCA counter notice form and reach out to the GitHub Support team.

Other best practices:

  • Keep your passwords and devices safe, use SAML, SCIM and 2FA whenever possible.
  • Establish an internal security policy, so users know exactly what the best practices are, who to go to and/or what to do should accidents happen.
  • Pick the right tool! "Organizations that use tools to automate dependency management have 60% less security vulnerabilities than those who don’t." - IEEE/ACM International Conference on Automated Software Engineering 2017.
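One lightweight tool for the prevention side is a pre-commit hook that refuses a commit whose staged additions look like credentials. The script below is an added example, not part of this gist or of GitHub's tooling; the regex patterns, the sample diff and the `AKIAIOSFODNN7EXAMPLE` placeholder key are constructed for illustration.

```shell
#!/bin/sh
# Hypothetical pre-commit hook (added example): block a commit whose staged
# additions contain credential-looking strings. Install as .git/hooks/pre-commit
# (executable); the hook body at the bottom only runs under that file name.

# Constructed patterns for this example; extend with your own token formats.
SECRET_PATTERNS='-----BEGIN [A-Z ]*PRIVATE KEY-----
AKIA[0-9A-Z]{16}
ghp_[A-Za-z0-9]{36}
[Pp]assword[[:space:]]*[:=][[:space:]]*[^[:space:]]+'

# scan_added_lines: read unified-diff text on stdin and report every ADDED
# line that matches a pattern on stderr. Returns 1 if anything matched, else 0.
# Only '+' lines count: deleting a password is a fix, not a new leak.
scan_added_lines() {
    added=$(grep '^+' | grep -v '^+++' | cut -c2-) || true
    [ -n "$added" ] || return 0
    found=0
    while IFS= read -r pat; do
        [ -n "$pat" ] || continue
        if hits=$(printf '%s\n' "$added" | grep -E -n -- "$pat"); then
            printf 'possible secret matching /%s/:\n%s\n' "$pat" "$hits" >&2
            found=1
        fi
    done <<EOF
$SECRET_PATTERNS
EOF
    return $found
}

# Hook entry point: inspect only what is staged, with no context lines.
if [ "$(basename "$0")" = "pre-commit" ]; then
    if ! git diff --cached -U0 | scan_added_lines; then
        echo 'commit blocked: remove the secret, and rotate it if it was ever real' >&2
        exit 1
    fi
fi
```

A blocked commit is the cheap outcome; a secret that was ever pushed should be treated as compromised and rotated, in addition to the history cleanup described above.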