I Scanned All of GitHub's "Oops Commits" for Leaked Secrets

https://news.ycombinator.com/rss Hits: 6
Summary

TL;DR: GitHub Archive logs every public commit, even the ones developers try to delete. Force pushes often cover up mistakes like leaked credentials by rewriting Git history. GitHub keeps these dangling commits, from what we can tell, forever. In the archive, they show up as “zero-commit” PushEvents. I scanned every force push event since 2020 and uncovered secrets worth $25k in bug bounties. Together with Truffle Security, we're open sourcing a new tool to scan your own GitHub organization for these hidden commits (try it here).

The new open-source Force Push Scanner tool identifies secrets in dangling commits.

This guest post by Sharon Brizinov, a white-hat hacker, was developed through Truffle Security’s Research CFP program. We first connected with Sharon after his widely shared write-up, How I Made 64k From Deleted Files, where he used TruffleHog to uncover high-value secrets in public GitHub repositories. In this follow-up, Sharon expanded his research to access 100% of deleted commits on GitHub. He takes a deeper dive into one of our favorite areas: secrets hidden in deleted GitHub commits.

- Overview
- What Does it Mean to Delete a Commit?
- GitHub Event API
- Finding all Deleted Commits
- Building the Automation
- Hunting for Impactful Secrets
- Case Study - Preventing a Massive Supply-Chain Compromise
- Summary

Background

My name is Sharon Brizinov, and while I usually focus on low-level vulnerability and exploitation research in OT/IoT devices, I occasionally dive into bug bounty hunting. I recently published a blog post about uncovering secrets hidden in dangling blobs within GitHub repositories, which sparked quite a lively discussion. After the post, I had several conversations with various people, including Dylan, the CEO of Truffle Security, who gave me some intriguing ideas for continuing to explore new methods for large-scale secret hunting. I decided to create a mind map with everything I know related to this topic and try to come up with a new idea.
I’ll spare you my messy sk...

First seen: 2025-07-03 07:01

Last seen: 2025-07-03 12:05