How to Scan Force Pushed Commits for Secrets

submitted by
Style Pass
2025-07-31 17:30:11

The new Force Push Scanner tool scans for secrets in dangling commits on GitHub that remain exposed after certain force push operations. Run the following command to scan your GitHub repositories:

Zero-Commit Force Push operations: cases where developers attempt to erase mistakes by resetting their git history and force pushing without adding any new commits.

Building on Truffle Security’s research into Deleted Data on GitHub from last summer and new research analyzing years of GH Archive data, we’ve developed the Force Push Scanner: a tool that scans for secrets in dangling commits on GitHub exposed by force pushes. 

Let’s say a developer tries hard to delete a commit from their history. This post gives an overview of how to access this history with a new tool we’ve just released: the Force Push Scanner. We explore how it operates at scale across years of GitHub activity, and reveal how many sensitive commits are still floating in the public domain, waiting to be rediscovered.
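The mechanism the post relies on can be shown in a small, self-contained script. The following is an added example for this page, not the Force Push Scanner's own code: it takes GH Archive-style PushEvent records, picks out the zero-commit force pushes (a push whose commit count is zero but whose `before` SHA differs from `head`, meaning the branch was rewound rather than advanced), and then runs a couple of credential-shape regexes over the content of each orphaned commit so a repository owner can see what is still fetchable by SHA. The event field names (`payload.before`, `payload.head`, `payload.size`, `payload.ref`), the repository name, the SHAs and the commit content are all constructed for the example; a real pipeline would fetch the commit from GitHub and hand it to a full detector set such as TruffleHog instead of the two patterns used here.

```python
import re
from typing import Callable, Iterable, Iterator, Optional

NULL_SHA = "0" * 40  # git's "no object" SHA, seen as `before` when a branch is created

# Constructed sample of GH Archive-style PushEvent records. The payload field
# names are an assumption about the archive schema; repo name and SHAs are made up.
SAMPLE_EVENTS = [
    {   # normal push: one new commit on top of `before`; nothing is orphaned
        "type": "PushEvent",
        "repo": {"name": "example-org/app"},
        "payload": {"ref": "refs/heads/main", "before": "b" * 40, "head": "c" * 40, "size": 1}
        if False else
        {"ref": "refs/heads/main", "before": "a" * 40, "head": "b" * 40, "size": 1},
    },
    {   # zero-commit force push: main reset back to a*40 with no new commits,
        # so b*40 is now dangling on GitHub but still fetchable by SHA
        "type": "PushEvent",
        "repo": {"name": "example-org/app"},
        "payload": {"ref": "refs/heads/main", "before": "b" * 40, "head": "a" * 40, "size": 0},
    },
    {   # branch creation: `before` is the null SHA, no history was discarded
        "type": "PushEvent",
        "repo": {"name": "example-org/app"},
        "payload": {"ref": "refs/heads/feature", "before": NULL_SHA, "head": "c" * 40, "size": 0},
    },
    {   # non-push event, ignored
        "type": "WatchEvent",
        "repo": {"name": "example-org/app"},
        "payload": {},
    },
]

# Constructed stand-in for fetching a dangling commit's content by SHA.
# In practice this would be `git fetch origin <sha>` or an API call.
DANGLING_COMMIT_CONTENT = {
    "b" * 40: "config/settings.py\nAWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n",
}

# Two well-known credential shapes; a real scanner has many more detectors
# and verifies whether a match is live, which this example does not do.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}


def zero_commit_force_pushes(events: Iterable[dict]) -> Iterator[tuple]:
    """Yield (repo, ref, orphaned_sha) for pushes that moved a ref without adding commits.

    A PushEvent with zero commits whose `before` differs from `head` means the
    ref was rewound/reset rather than advanced: the old tip (`before`) is no
    longer reachable from any branch, i.e. it is a dangling commit.
    """
    for ev in events:
        if ev.get("type") != "PushEvent":
            continue
        payload = ev["payload"]
        before, head = payload.get("before"), payload.get("head")
        if payload.get("size", 0) != 0:       # new commits were pushed: a normal push
            continue
        if not before or before == NULL_SHA:  # branch creation, nothing orphaned
            continue
        if before == head:                    # no-op push
            continue
        yield ev["repo"]["name"], payload["ref"], before


def scan_text(text: str) -> list:
    """Return (pattern_name, matched_text) for each credential shape found in text."""
    hits = []
    for name, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((name, m.group(0)))
    return hits


def find_exposed_secrets(events: Iterable[dict],
                         fetch_content: Callable[[str], Optional[str]]) -> list:
    """List dangling SHAs, fetch each one's content, and scan it for secrets."""
    findings = []
    for repo, _ref, sha in zero_commit_force_pushes(events):
        content = fetch_content(sha)
        if content is None:  # already garbage-collected or otherwise not fetchable
            continue
        for name, match in scan_text(content):
            findings.append((repo, sha, name, match))
    return findings


if __name__ == "__main__":
    for repo, sha, name, match in find_exposed_secrets(SAMPLE_EVENTS, DANGLING_COMMIT_CONTENT.get):
        print(f"{repo} dangling {sha[:12]}: {name} -> {match}")
```

The null-SHA check matters: a branch creation also has zero commits in its push payload, but nothing was discarded, so it must not be reported. Findings from a run like this are the list of commits to rotate credentials for and to report to GitHub support for removal, since deleting the branch locally does nothing for objects that are already on the remote.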

A big thank you to Sharon Brizinov for participating in Truffle Security’s CFP and discovering some key insights that enabled the creation of the Force Push Scanner.
