Warning email from GitGuardian about SECRET_KEY #1687
i have got the same message but from weather api secret
I got the same and you helped us
got same message when I pushed changes to remote GitHub repo. help ?
You can just ignore that message. (I'd write "You can safely ignore that message", but that wouldn't be quite true, as the message is indeed right that publishing the
I got the same message, is there a way of fixing this...???
Probably most who receive(d) these warning e-mails don't have any relation to GitGuardian at all. For how they got that e-mail address, @mnemonico: Did you maybe use it as the Git user e-mail address on a computer on which you make commits that you pushed to your Django Girls blog repository on GitHub? If so, the e-mail address can simply be read out of these (public) commits. (It isn't shown on the GitHub web interface, but anyone can clone the repo and get it that way. And this can of course be automated, which GitGuardian probably has done, if they get the addresses that way.)
Hello there, Dwayne from GitGuardian here. You received that message as part of our Good Samaritan project. We monitor all new public GitHub commits, and we alert GitHub users who push anything that looks like sensitive credentials into repos. das-g is correct; we pull the emails from the commits themselves. We want to give the devs a heads-up ASAP. ((Full disclosure, I just joined a few months ago and just found this thread researching who has mentioned us on GitHub))
Hi @mcdwayne Thanks for replying here and for confirming some of our assumptions. Is there a way to opt out on a per-line basis (e.g. by a special code comment, as is the case with many linters)? As the tutorial is intended to be followed by many (and pushing the resulting code is part of it), a per-user opt-out isn't really practical for this case, as the affected users aren't known in advance. Alternatively (and maybe preferably), do you have any suggestions on how to make the code produced in this tutorial secure regarding this aspect (so that it would not trigger GitGuardian's warning in the first place), without complicating the instructions too much?
Hi @das-g I am asking the detections team about ways to opt out 'per line' or how we have dealt with similar issues with tutorial repos in the past. As far as best practices here: My feeling here is that while it might be 'easier' to just hardcode things, it is a bad habit ever to pick up. Using a .env file adds a little complexity, but in the long run, all the folks using this tutorial will be set up for long-term success if they adopt this philosophy of 'never hardcode secrets' earlier. Alternatively, but much heavier, is setting up and using Hashicorp Vault. That might be too overwhelming for new folks, though. I will reply further when I get an answer from my team.
Hi @das-g But to fix the immediate issue at hand, it is possible to ignore a secret by adding a I hope that helps.
I still can't believe it. A very unprofessional approach by GitGuardian. Without my consent, without my membership on their site, they checked my personal GitHub account and sent this email to my business email address.
Hi @amastaneh Sorry that you are not a fan of our public alerting. I am a Developer Advocate at GitGuardian. It seems you did publish an We at GitGuardian are really trying to do a public service here, helping folks discover they might not have pushed what they thought they were pushing into places they might not have meant to. The feed for new commits is publicly available and we want to give you a heads-up. There are automated bots put out there by bad actors that are constantly looking at new commits to extract keys they might exploit. We did not mean to annoy you and if you don't ever want to hear from us again, we understand. I would welcome your feedback on how we could better handle the situation.
@mcdwayne I appreciate your quick and comprehensive explanation. That was my mistake to unwittingly and unknowingly sign this public repository with my professional email address. Thanks for providing the public with such a valuable service. As recommended, it would be helpful to include the source of the email (with a link to the commit.patch) at least in the initial email like this: +@er-vin, @ericfourrier, @eugenenelou, @julienc91, @KNedelec
Thank you @amastaneh
I just got one too... similar experience as @mnemonico comment; it was sent to my work email, even though it's a private repo, but that's because I'd globally configured git to use my work email (oops).
$ git config --global user.email
<my work email>
I started panicking because the email appears to come from a separate domain:
Which was scary because getgitguardian.com appears to be registered by a completely different party (when queried through who.is). However, the good news is the button to authorise them (as a 3rd party to GitHub on your behalf) does link to the (slightly) more legitimate gitguardian.com domain. In summary:
related: #1192
@mcdwayne aside from Part of the problem here is that the For reference, this is the kind of format that’s generated by
# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = 'django-insecure-07eo4&4fy=1csgz@tj%!^buz&09nn&ej@=4t)%6^nx6eyntq&a'
I tried to go through the tutorial with a "fresh" GitHub account and didn’t receive an email, so I imagine at least lines with this The project template’s security key generation from Django happens in startproject.py, and here is the settings.py’s file template.
@mcdwayne 👋 could you take a look at the above when you have the chance? Also FYI Fly.io also generates SECRET_KEY in their Django project scaffolding.
Hi @thibaudcolas
@thibaudcolas
The story is that I accidentally made a Git commit using my work email, and when I saw the email notification in my work mailbox, I nearly had a heart attack. It took me a while to calm down and realize that it was actually a good thing I found out that day instead of much later. So, I decided to roll up my sleeves and build this Google Chrome Extension to easily spot commit info and avoid this kind of mistake in the future. https://chromewebstore.google.com/detail/github-prime/aimhjdfkkcffllnacnjefnjgodfafjbj?hl=en Thank you @mcdwayne
@das-g Can we close this as it doesn't seem like this is now relevant to Django Girls?
Well, as we see from #1687 (comment), this is still an issue. The problem is that (for simplicity / brevity) the Django Girls tutorial instructs the participants to do things (well, at least one thing) in a way in which they shouldn't be done in production and that GitGuardian scans all of GitHub and warns all that push code with such a "mistake", which understandably confuses participants or even puts them into panic. I'm still not sure how to best resolve the problem, though.
Though, looking at the e-mail in the screenshot in #1687 (comment), this doesn't seem to be about a repo that participants create during the Django Girls tutorial, but about some other project. For other recent-ish comments (#1687 (comment) & #1687 (comment)) it's unclear whether the warning is for a repo from following the Django Girls tutorial. @Dilrushan, @amastaneh, did you get these warnings for a repo you created while following the Django Girls tutorial?
I also agree that #1687 (comment) is not related to the Django Girls tutorial repo. Also, I didn't get the warning when I went through the tutorial in Sept (2024), so I don't think it's an issue anymore. Let's see what @Dilrushan and @amastaneh say.
In the "Deploy!" section, when the project is pushed to GitHub, an email "[username/my-first-blog] Django Secret Key exposed on GitHub" is sent to the repo owner from security@mail.gitguardian.com. It does not seem that this is an official GitHub feature, but an unsolicited email from a hungry startup.
Here's my version of the email:
The phrase "Protect Your GitHub Repos" is a call-to-action button that takes you to a GitHub authorization screen to add the GitGuardian service to your account. I signed up, and there was no useful advice about how to solve the issue easily available. They have some blog articles:
SECRET_KEY.
If this company continues doing this, it would affect any student regardless of language or operating systems.
This caused some distress for the students and a lot of discussion among the coaches.
I'm not sure what the solution should be. It may be enough to say "you may get this email, and should ignore it for now". Another possible solution is to use python-dotenv as suggested by pythonanywhere, and walk students through those changes in the tutorial. Or, it may be enough to mention the Django deployment checklist, linked in the generated settings.py.
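As an added example (not code from this thread, the Django Girls tutorial, Django or GitGuardian) tying together @mcdwayne's ".env file" advice and the issue's python-dotenv suggestion: a constructed "before" settings.py in the shape startproject generates beside its hardened form, a check that flags the hardcoded literal the way a secret scanner does, a minimal stand-in .env parser (assumed syntax; a real project would use python-dotenv), a loader that refuses the generated dev key, and a check that .env is gitignored. All sample values are constructed.

```python
import re

# Constructed sample in the shape `django-admin startproject` writes to settings.py
# (the key value below is made up for this example).
GENERATED_SETTINGS = """
# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = 'django-insecure-EXAMPLEkey123&!@#'
DEBUG = True
"""

# Hardened form: the value lives in the environment, so nothing secret is committed.
HARDENED_SETTINGS = """
import os
SECRET_KEY = os.environ['SECRET_KEY']
DEBUG = False
"""

# A quoted literal assigned to SECRET_KEY at line start is what secret scanners flag.
HARDCODED_KEY = re.compile(r"""^\s*SECRET_KEY\s*=\s*['"]([^'"]+)['"]""", re.MULTILINE)

def find_hardcoded_secret_keys(settings_text):
    """Return literal SECRET_KEY values found in settings.py text; [] means clean."""
    return HARDCODED_KEY.findall(settings_text)

def parse_dotenv(text):
    """Tiny KEY=VALUE parser standing in for python-dotenv (assumed syntax: one pair
    per line, optional matching quotes, '#' comments and blank lines skipped)."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("'\"")
    return env

def secret_key_from_env(env):
    """Fail fast if the key is missing or still the generated dev key."""
    key = env.get("SECRET_KEY")
    if not key or key.startswith("django-insecure-"):
        raise RuntimeError("SECRET_KEY is unset or still the generated dev key; set it in .env")
    return key

def dotenv_is_ignored(gitignore_text):
    """A .env file only helps if it never reaches GitHub: confirm .gitignore lists it."""
    return any(line.strip() in (".env", "/.env") for line in gitignore_text.splitlines())
```

In a project, merge the parsed .env over os.environ before calling secret_key_from_env, and run find_hardcoded_secret_keys on settings.py as a pre-push check so the warning never needs to come from an outside scanner.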