GH Archive records every public GitHub event, and a force-push that rewrites history shows up as a PushEvent with zero commits, so the commits it overwrote can still be identified and retrieved.
By scanning every force-push event in GH Archive since 2020, the researcher uncovered thousands of leaked secrets and earned about $25k in bug bounties.
Truffle Security and Sharon Brizinov open-sourced the Force Push Scanner tool to automate scanning of an organization’s deleted commits for hidden secrets.
Deleted commits remain reachable via the GitHub Events API, GH Archive data, plain Git commands, the GitHub REST API, or a direct web URL, which accepts a short SHA prefix rather than the full commit hash.
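As an added example (not the Force Push Scanner's own code, and not taken from the article), the script below shows the two steps the procedure above relies on: filtering GH Archive-style JSON lines for zero-commit PushEvents whose `before` SHA names the overwritten commit, and running simple secret patterns over the diff of that commit. The event records and the diff text are constructed inline; the token formats used in the regexes and the exact fetch commands are assumptions stated in the comments.

```python
"""Find force-push events in GH Archive-style JSON lines and scan the
overwritten commit for secrets.  Added example; the sample events and the
diff text are constructed here, not taken from GH Archive."""
import json
import re

# Constructed GH Archive-style records (one JSON object per line).
# Real archives are hourly gzipped files at https://data.gharchive.org/.
SAMPLE_EVENT_LINES = [
    json.dumps({
        "type": "PushEvent",
        "repo": {"name": "example-org/app"},
        "payload": {
            "ref": "refs/heads/main",
            "size": 0,              # zero commits: history was rewritten
            "distinct_size": 0,
            "before": "0123456789abcdef0123456789abcdef01234567",
            "head": "fedcba9876543210fedcba9876543210fedcba98",
            "commits": [],
        },
    }),
    json.dumps({
        "type": "PushEvent",
        "repo": {"name": "example-org/app"},
        "payload": {
            "ref": "refs/heads/main",
            "size": 1,              # an ordinary push, not interesting
            "distinct_size": 1,
            "before": "fedcba9876543210fedcba9876543210fedcba98",
            "head": "1111111111111111111111111111111111111111",
            "commits": [{"sha": "1111111111111111111111111111111111111111"}],
        },
    }),
    json.dumps({"type": "WatchEvent", "repo": {"name": "example-org/app"}, "payload": {}}),
]

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def find_force_pushes(lines):
    """Return PushEvents with zero commits.  The `before` SHA is the tip of
    the branch that was overwritten; GitHub still serves that commit."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("type") != "PushEvent":
            continue
        p = ev.get("payload", {})
        before = p.get("before", "")
        if p.get("size", 0) != 0 or not FULL_SHA.match(before):
            continue
        repo = ev["repo"]["name"]
        hits.append({
            "repo": repo,
            "ref": p.get("ref"),
            "before": before,
            "head": p.get("head"),
            # Ways to retrieve the dangling commit (assumed from the article's
            # list; the web URL also accepts a short SHA prefix).
            "url": f"https://github.com/{repo}/commit/{before}",
            "api": f"GET /repos/{repo}/commits/{before}",
            "git": f"git fetch https://github.com/{repo}.git {before}",
        })
    return hits


# Minimal secret patterns.  The classic GitHub PAT (ghp_ + 36 chars) and AWS
# access key id (AKIA + 16 chars) shapes are assumptions; a real scanner such
# as TruffleHog carries far more detectors and verifies live credentials.
SECRET_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}


def scan_for_secrets(text):
    """Return (pattern_name, match) pairs found in a commit diff or blob."""
    found = []
    for name, pat in SECRET_PATTERNS.items():
        for m in pat.finditer(text):
            found.append((name, m.group(0)))
    return found


# Constructed diff of the overwritten commit; the token values are placeholders.
SAMPLE_DIFF = (
    "+GITHUB_TOKEN=ghp_" + "A" * 36 + "\n"
    "+AWS_ACCESS_KEY_ID=AKIA" + "Q" * 16 + "\n"
    "+# nothing sensitive on this line\n"
)

if __name__ == "__main__":
    for c in find_force_pushes(SAMPLE_EVENT_LINES):
        print(c["repo"], c["ref"], "overwrote", c["before"], "->", c["url"])
    for name, value in scan_for_secrets(SAMPLE_DIFF):
        print(f"{name}: {value[:8]}...")
```

In practice the `before` SHA is fed to one of the retrieval paths listed in the candidate record, the resulting diff is passed to `scan_for_secrets`, and any hit is treated as a live credential to be revoked, since the commit is gone from the branch but not from GitHub.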
A case study revealed a leaked GitHub Personal Access Token with admin access to all Istio repositories, highlighting the risk of supply-chain compromises.
Once a secret is committed to GitHub it should be considered compromised and revoked immediately, as deleting a commit does not erase stored data.