Questions tagged [github]

github.com is a website for hosting source code using the git version control system. This tag is for questions about security aspects of the github platform. For questions about git itself, please use [git]

67 questions
173 votes, 4 answers

GitLab account hacked and repo wiped

I was working on a project, a private repo, and suddenly all the commits disappeared and were replaced with a single text file saying To recover your lost code and avoid leaking it: Send us 0.1 Bitcoin (BTC) to our Bitcoin address…
Stefan Gabos
105 votes, 4 answers

Suspicious GitHub fork

Update (April 15): The forked repo and the user do not exist any more. Yesterday, one of my GitHub projects was forked and there is a suspicious commit on the fork of the repo. As you can see from the commit the GitHub Actions configuration installs…
Giorgi
45 votes, 2 answers

Who owns the gpg key 4AEE18F83AFDEB23 and how did it sign a commit in my GitHub repo?

This commit in my GitHub repo is signed by a key I don't recognize: https://github.com/jonathancross/jc-docs/pull/2/commits/124672699991af75dd2454831670758f08bc74ab What is going on here?
Jonathan Cross
21 votes, 3 answers

Can I rely on these GitHub repository files?

I recently found the GitHub repository https://github.com/userEn1gm4/HLuna, but after I cloned it I noted that the comparison between the file compiled (using g++) from source, HLuna.cxx, and the binary included in the repository (HLuna) is…
mcruz2401
19 votes, 1 answer

GitHub account hacked and repo wiped - GitHub Response

One of my repos was wiped today and just a message left in its place with a bitcoin ransom. I've no idea how they accessed my account, can't really see anything on the GitHub security page. The domain of the email they want me to contact was only…
Raymie
14 votes, 2 answers

Why are the gitlab SSH host key fingerprints not matching?

I tried to log into my university's gitlab via SSH. As expected, I was warned that the host is not known. Therefore, I tried to find the SSH host key on the "current configuration" page in the manual. However, I found that the key does not match the…
HerpDerpington
6 votes, 1 answer

Recover lost GPG public key

I sign my Git commits with a GPG key which I stored on an old computer. I lost this key so I created a new one to sign my commits with. It has not been compromised so I do not wish to revoke it. However, I accidentally deleted my public key too (I…
Zak
6 votes, 1 answer

How could malicious code changes in a GitHub pull request be masked by an attacker?

When viewing a pull request on GitHub (or the equivalent on any other platform), the web interface displays a diff of the changes for you to review. Reviewing the diff is obviously vulnerable to human error, as malicious changes can be snuck in (see…
jamieweb
6 votes, 2 answers

Is it safe to store GPG encrypted data publicly eg on GitHub?

I've been learning some basics of information security and GPG encryption and it's super intriguing. I wanted to understand vulnerabilities behind an idea that I had. After we create our public and private key pair with GPG, it's common and known…
ggoober
5 votes, 1 answer

Risks of allowing employees to use personal GitHub accounts for work

Proprietary software developed by a (smallish) company is stored in the company's GitHub private repository. For work, software engineers are requested to create a company-specific GitHub account bound to their work email address. But access to the…
5 votes, 2 answers

How can I verify signed commits made by other people?

As identified in this related question, GitHub signs commits made from their application with their GPG key 4AEE18F83AFDEB23. Online, I can see commits tagged as 'verified'. But when I attempt to verify them on my local, I am unable to: $ git log…
Brendan Roy
4 votes, 0 answers

Is github1s.com safe? How does it work?

My colleagues started using https://github1s.com to browse our company's code on GitHub. It pops a "visual studio" window for the code. Looks great and useful. But... I don't know much about web stuff. How can I tell if this is safe? What can the…
Jeffrey
4 votes, 1 answer

Am I actually seeing a Man-in-the-Middle when pushing to GitHub?

When I attempt git push origin, I get the following error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS…
ShapeOfMatter
4 votes, 2 answers

Should things like project IDs, cloud region IDs etc be kept secret on an open source project?

All my side projects are open source - just using the free GitHub account. I'm wondering about how security conscious I need to be about keeping things like: Google Cloud Platform Project IDs Log Rocket project IDs Logging email addresses hidden on…
dwjohnston
4 votes, 2 answers

Is it a security defect to display the secure api_key in the travis.yml file of the source code of a web application on GitHub?

I have been working on a code review of a project. The source code is publicly available on GitHub. I came across a file "travis.yml". In that file, I am able to see the secure api_key as shown in the screenshot. I strongly believe that it is a…