the TLDR: GitHub secrets are safest in private repos
03/24/2021, 7:09 PM
I don't think any of our current plans have much for secrets.
But yeah, I also read this a ago
Definitely doesn't sound good.
Also sounds related to the long known and ignored thing where I can make it look like SHAs are part of upstream repos.
03/24/2021, 11:13 PM
Everything has bugs, what’s impressive is GitHub’s response and the timeline, demonstrating again that they take this seriously.
I’d still trust Secrets, but our long-term plan is to use 1Password or a similar off-platform solution to hold API access credentials. This way we can incorporate an MFA check too.
03/24/2021, 11:52 PM
maybe. Sorta? I think GitHub has some pretty neat security stuff (the various scanning, the Semmle acquisition). And while this did get fixed promptly, I think it’s also a band-aid because some backend can’t actually tell what org a commit is from. So there’s a shaky base.