I wouldn’t recommend this. What if GitHub’s token scanning service went down. Ideally GitHub should expose an universal token revocation endpoint. Alternatively do this in a private repo and enable token revocation (if it exists)

▲

jychang 6 hours ago | parent | next [-]

You're revoking the attacker's key (that they're using to upload the docs to their own account), this is probably the best option available.

Obviously you have better methods to revoke your own keys.

▲

securesaml 5 hours ago | parent [-]

it is less of a problem for revoking attacker's keys (but maybe it has access to victim's contents?).

agreed it shouldn't be used to revoke non-malicious/your own keys

▲

nebezb 3 hours ago | parent [-]

The poster you originally replied to is suggesting this for revoking the attackers keys. Not for revocation of their own keys…

▲

securesaml 3 hours ago | parent [-]

there's still some risk of publishing an attacker's key. For example, what if the attacker's key had access to sensitive user data?

	▲	avarun an hour ago \| parent [-]
		You are AI. Stop commenting.

▲

eru an hour ago | parent | prev [-]

> What if GitHub’s token scanning service went down.

If it's a secret gist, you only exposed the attacker's key to github, but not to the wider public?