oefrha | a day ago
1. Not all secrets can be rotated. E.g. I can't just "rotate" my home address, which I prefer to be private.

2. Even for rotatable secrets, "I don't think there is any potential further damage" rests on the assumption that the secret is 100% invalidated everywhere. What if there are obscure and/or neglected systems, possibly outside of your control, that still accept that secret? No system is bug-free. If I can take steps to minimize access to an invalidated secret, I will.
jofzar | a day ago

> 1. Not all secrets can be rotated. E.g. I can't just "rotate" my home address, which I prefer to be private.

Reporter can sell their current house and move to another home as a workaround.

Closing ticket as workaround provided.
matsemann | a day ago

Also avoids false positives in the future from automated scanners, bounty hunters etc. if you clean up now.
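The "clean up now" point above, and oefrha's point about minimizing access to an already-invalidated secret, both turn on the same practical question: after a history rewrite, is the secret actually gone from the repository's object store, or only from the current tree? The script below is an added example for this thread, not code from any tool or project discussed here. It greps every blob reachable from any ref, plus the unreachable blobs that `git fsck` still reports (which is where a rewritten commit's old blobs sit until garbage collection), so a scanner that walks objects rather than the checked-out tree would find them. The secret patterns and the sample blob are illustrative assumptions; the AWS value is the documented placeholder key and the GitHub token is a made-up string of the right shape.

```python
"""Verify that a leaked secret is really gone from a git repository's object
store, not just from the working tree: walk every blob reachable from any ref
and every unreachable (dangling) blob, and check each for secret-shaped strings.

Added example for this thread; not the code of any project discussed here.
The patterns and the git plumbing used are illustrative assumptions.
"""
import re
import subprocess
import sys
from typing import Dict, List, Set, Tuple

# Illustrative patterns only (assumption): a real scanner carries many more.
SECRET_PATTERNS = {
    "github_pat": re.compile(rb"ghp_[A-Za-z0-9]{36}"),
    "aws_access_key": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Constructed sample blob: the AWS value is the documented placeholder key,
# the GitHub token is a made-up string of the right shape.
SAMPLE_BLOB = (
    b"# settings.py (constructed sample)\n"
    b"GITHUB_TOKEN = 'ghp_0123456789abcdefghijklmnopqrstuvwxyz'\n"
    b"AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
)


def find_secrets(data: bytes) -> List[Tuple[str, bytes]]:
    """Return (pattern_name, matched_bytes) for every secret-shaped string in data."""
    hits = []
    for name, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(data):
            hits.append((name, m.group(0)))
    return hits


def parse_fsck_unreachable(output: bytes) -> Set[str]:
    """Pick blob ids out of `git fsck --unreachable` lines ('unreachable blob <sha>').
    Commits and trees are skipped; only blobs carry file content."""
    ids = set()
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == b"unreachable" and parts[1] == b"blob":
            ids.add(parts[2].decode())
    return ids


def parse_batch_check(output: bytes) -> Set[str]:
    """Pick blob ids out of `git cat-file --batch-check` lines ('<sha> <type> <size>')."""
    return {
        parts[0].decode()
        for parts in (line.split() for line in output.splitlines())
        if len(parts) == 3 and parts[1] == b"blob"
    }


def git(repo: str, *args: str, stdin: bytes = b"") -> bytes:
    return subprocess.run(
        ["git", "-C", repo, *args], input=stdin, check=True, capture_output=True
    ).stdout


def all_blob_ids(repo: str) -> Set[str]:
    """Blobs reachable from any ref, plus blobs that only the reflog (or nothing
    at all) still points to; those survive a history rewrite until gc runs."""
    listed = git(repo, "rev-list", "--all", "--objects")
    ids = b"\n".join(line.split()[0] for line in listed.splitlines() if line)
    reachable = parse_batch_check(git(repo, "cat-file", "--batch-check", stdin=ids + b"\n"))
    # --no-reflogs: objects kept alive only by the reflog count as unreachable too.
    dangling = parse_fsck_unreachable(git(repo, "fsck", "--unreachable", "--no-reflogs"))
    return reachable | dangling


def scan_repo(repo: str) -> Dict[str, List[Tuple[str, bytes]]]:
    """Map blob id -> secret hits, for every blob in the object store that has any."""
    findings = {}
    for blob in sorted(all_blob_ids(repo)):
        hits = find_secrets(git(repo, "cat-file", "blob", blob))
        if hits:
            findings[blob] = hits
    return findings


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "."
    for blob, hits in scan_repo(path).items():
        for name, value in hits:
            print(f"{blob} {name} {value[:8].decode()}...")
```

Run it against the local clone after the rewrite and before `git gc --prune=now` and the force push; an empty result means the local object store is clean. It says nothing about the remote's copy: a hosting service keeps its own object store, and a commit that is no longer on any branch can still be fetched by SHA there until the service prunes it, which is why removal from the remote is a separate step from rewriting locally.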
whyever | 15 hours ago

Ok, so how would such a secret end up in a commit? E.g., I don't see why I would have my home address anywhere close to a code repository. Maybe if I used the wrong "secret" email address when authoring the commit? If it's not possible to invalidate your compromised software secrets, I would argue that you have bigger and more urgent problems to fix. But fair enough: deleting them from GitHub might reduce the impact in such cases.