Commits removed from a public repository's history by a force-push remain retrievable on GitHub by SHA, and the force-push itself is recorded in GitHub's public event stream as a PushEvent carrying zero commits; GH Archive preserves every such event, so the "before" SHA of each one points back at the discarded commit.
The author scanned all GitHub force-push events since 2020 and uncovered leaked secrets that earned approximately $25k in bug bounties.
An open-source Force Push Scanner tool was released to automate searching GH Archive for Oops Commits and scanning them for secrets using TruffleHog.
The method combines the GitHub Events API, GH Archive data, and TruffleHog: zero-commit PushEvents identify force-pushes, their `before` SHAs locate the overwritten commits, which are then fetched from GitHub and scanned for secrets.
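The pipeline described above, as an added example that is not code from the original post or from the Force Push Scanner project: it reads constructed GH Archive JSON-lines records (field names follow the GitHub Events API PushEvent layout, which is an assumption about the archive format), keeps only PushEvents whose payload has zero commits and a non-null `before` ref, builds the GitHub commit and `.patch` URLs for the overwritten commit, and scans a constructed patch with two simple regexes (GitHub `ghp_` PATs and AWS `AKIA` access key IDs) as an offline stand-in for TruffleHog. Nothing here talks to the network; `SAMPLE_PATCHES_BY_SHA` stands in for the fetched patch bodies.

```python
import json
import re

# Constructed GH Archive-style records (not real events). A force-push that
# discards history appears as a PushEvent with size 0, an empty commit list,
# and `before` set to the head that was overwritten (the "oops commit").
SAMPLE_GHARCHIVE_LINES = [
    json.dumps({
        "type": "PushEvent",
        "repo": {"name": "example-org/example-repo"},
        "created_at": "2024-01-15T10:00:00Z",
        "payload": {
            "ref": "refs/heads/main", "size": 0, "distinct_size": 0,
            "before": "0123456789abcdef0123456789abcdef01234567",
            "head": "89abcdef0123456789abcdef0123456789abcdef",
            "commits": [],
        },
    }),
    json.dumps({  # ordinary push with one commit: not interesting
        "type": "PushEvent",
        "repo": {"name": "example-org/other-repo"},
        "created_at": "2024-01-15T10:01:00Z",
        "payload": {
            "ref": "refs/heads/main", "size": 1, "distinct_size": 1,
            "before": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
            "head": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
            "commits": [{"sha": "bbbbbbbbbbaaaaaaaaaabbbbbbbbbbaaaaaaaaaa", "message": "normal"}],
        },
    }),
    json.dumps({  # branch creation: before is all zeros, nothing was discarded
        "type": "PushEvent",
        "repo": {"name": "example-org/example-repo"},
        "created_at": "2024-01-15T10:02:00Z",
        "payload": {
            "ref": "refs/heads/feature", "size": 0, "distinct_size": 0,
            "before": "0000000000000000000000000000000000000000",
            "head": "cccccccccccccccccccccccccccccccccccccccc",
            "commits": [],
        },
    }),
    json.dumps({"type": "WatchEvent", "repo": {"name": "example-org/example-repo"},
                "payload": {"action": "started"}}),
]

# Constructed patch body keyed by the overwritten SHA; a real run would fetch
# https://github.com/<repo>/commit/<sha>.patch instead.
SAMPLE_PATCHES_BY_SHA = {
    "0123456789abcdef0123456789abcdef01234567": "\n".join([
        "From 0123456789abcdef0123456789abcdef01234567 Mon Sep 17 00:00:00 2001",
        "Subject: [PATCH] add config",
        "--- a/.env",
        "+++ b/.env",
        "+GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz",
        "+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
        "+LOG_LEVEL=debug",
    ]),
}

SHA_RE = re.compile(r"[0-9a-f]{40}")

# Stand-in detectors; TruffleHog additionally verifies each hit against the
# provider's API, which plain regexes cannot do.
SECRET_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}


def iter_oops_commits(lines):
    """Yield the overwritten commit for each zero-commit PushEvent."""
    for line in lines:
        event = json.loads(line)
        if event.get("type") != "PushEvent":
            continue
        payload = event.get("payload") or {}
        before = payload.get("before") or ""
        if payload.get("size") != 0 or payload.get("commits"):
            continue
        # All-zero `before` means the ref did not exist before the push.
        if not SHA_RE.fullmatch(before) or set(before) == {"0"}:
            continue
        yield {"repo": event["repo"]["name"], "ref": payload.get("ref"),
               "before": before, "created_at": event.get("created_at")}


def commit_urls(repo, sha):
    """GitHub keeps unreachable commits addressable by SHA; .patch gives the raw diff."""
    base = f"https://github.com/{repo}/commit/{sha}"
    return {"html": base, "patch": base + ".patch"}


def scan_patch(patch_text):
    """Return deduplicated (detector, match) pairs found anywhere in the patch."""
    findings = []
    for line in patch_text.splitlines():
        for name, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                hit = (name, match.group(0))
                if hit not in findings:
                    findings.append(hit)
    return findings


def run_pipeline(lines, patches_by_sha):
    """Tie the steps together: archive lines -> oops commits -> URLs -> findings."""
    results = []
    for oops in iter_oops_commits(lines):
        urls = commit_urls(oops["repo"], oops["before"])
        patch = patches_by_sha.get(oops["before"], "")
        results.append({**oops, **urls, "findings": scan_patch(patch)})
    return results


if __name__ == "__main__":
    for r in run_pipeline(SAMPLE_GHARCHIVE_LINES, SAMPLE_PATCHES_BY_SHA):
        print(r["repo"], r["before"], r["patch"], r["findings"])
```

Two filters matter in practice: a `before` of all zeros is a branch creation, not a force-push, and a non-empty `commits` list means the push added history rather than discarding it. Regex hits are only candidates; the secret is a finding only once a verification call shows it is still live.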
Thousands of still-valid secrets were discovered, including high-impact GitHub Personal Access Tokens and AWS credentials, all of which had to be revoked.
A notable case study revealed an admin-level PAT for all Istio repositories, which posed a massive supply-chain compromise risk but was promptly revoked.
Key takeaway: deleting a commit on GitHub does not remove its history; treat any committed secret as compromised and rotate it immediately.