From 35842b3566c8b37f34a58e2046e926f7387b8157 Mon Sep 17 00:00:00 2001 From: Ryan Carter Date: Mon, 16 Jul 2018 07:37:16 -0600 Subject: [PATCH 1/8] Explain how to use .gitignore preemptively --- Leak Mitigation Checklist.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/Leak Mitigation Checklist.md b/Leak Mitigation Checklist.md index 1bc6c38..0cb0330 100644 --- a/Leak Mitigation Checklist.md +++ b/Leak Mitigation Checklist.md 
@@ -29,6 +29,17 @@ If someone else leaked confidential information related to you or your company o [2. Advice specific to a key](#2-advice-specific-to-a-key) [3. Any question?](#3-any-question) +# 0. The best way to avoid exposing keys and sensitive information files +Before your first push to a repo, add this simple step to your workflow, which should avoid you having to backtrack and endure the embarrassment. That step is to add a .gitignore file to your code before you push for the first time. The process is simple and will prevent headaches for you and other developers of your project in the future. + +# 0.1 Adding a .gitignore file to your code +Create a new file named .gitignore and save it in the root of your project. This can be done via the terminal or in Finder/Explorer/Linux file manager as needed. The file must have a dot before the "gitignore" part or it won't be recognized exactly like this: ".gitignore" (that is the entire file name, weird, I know, but it's magical). + +# 0.2 Add sensitive files to the list (in the .gitignore file) +Since it is difficult to tell what every single developer might possibly name their key files and other secrets, it is easier if you add your specific files to the .gitignore file yourself. All you do is make an entry inside the .gitignore for each file that you don't want shared on the public internet as part of your source code. When you commit the .gitignore file, github automatically looks the other way, and will not include your sensitive files in the repo. It's almost like they planned it! + +# 0.3 Making your app still work when key files aren't pushed to the repo +A valid question might be "How do I still make my app work without the keys or other sensitive files?" The answer is copy key files to the server where the code is running (usually by hand) so that they stay safe. Typically you would transfer the key file to the server once you've cloned your git repo onto the server. 
This way, the app still runs and your secret information stays secure. No one ever seems to explain this concept to devs, thus the need for GitGuardian to step in and help keep you safe. # 1. General advice From 890cd9bcf85a8b5367c651757e30d325913fb563 Mon Sep 17 00:00:00 2001 From: Ryan Carter Date: Mon, 16 Jul 2018 07:39:24 -0600 Subject: [PATCH 2/8] Update Leak Mitigation Checklist.md --- Leak Mitigation Checklist.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Leak Mitigation Checklist.md b/Leak Mitigation Checklist.md index 0cb0330..9fcc452 100644 --- a/Leak Mitigation Checklist.md +++ b/Leak Mitigation Checklist.md @@ -13,6 +13,7 @@ Examples of sensitive information: If someone else leaked confidential information related to you or your company on GitHub, you may ask GitHub to perform a [DMCA takedown](https://help.github.com/articles/dmca-takedown-policy/#f-submitting-notices). # Table of contents +[0. How to avoid exposing sensitive information](#0-how-to-avoid-exposing-sensitive-information) [1. General advice](#1-general-advice) @@ -29,7 +30,7 @@ If someone else leaked confidential information related to you or your company o [2. Advice specific to a key](#2-advice-specific-to-a-key) [3. Any question?](#3-any-question) -# 0. The best way to avoid exposing keys and sensitive information files +# 0. How to avoid exposing keys and sensitive information Before your first push to a repo, add this simple step to your workflow, which should avoid you having to backtrack and endure the embarrassment. That step is to add a .gitignore file to your code before you push for the first time. The process is simple and will prevent headaches for you and other developers of your project in the future. # 0.1 Adding a .gitignore file to your code From 4f2710159a3bffeb9c97ef858154e0a66e3c3b56 Mon Sep 17 00:00:00 2001 
From: Ryan Carter Date: Mon, 16 Jul 2018 07:40:34 -0600 Subject: [PATCH 3/8] Update Leak Mitigation Checklist.md --- Leak Mitigation Checklist.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Leak Mitigation Checklist.md b/Leak Mitigation Checklist.md index 9fcc452..a0fc012 100644 --- a/Leak Mitigation Checklist.md +++ b/Leak Mitigation Checklist.md @@ -30,6 +30,7 @@ If someone else leaked confidential information related to you or your company o [2. Advice specific to a key](#2-advice-specific-to-a-key) [3. Any question?](#3-any-question) + # 0. How to avoid exposing keys and sensitive information Before your first push to a repo, add this simple step to your workflow, which should avoid you having to backtrack and endure the embarrassment. That step is to add a .gitignore file to your code before you push for the first time. The process is simple and will prevent headaches for you and other developers of your project in the future. From 972d95d9cdfb00f041bddf96c355d69c323d8b54 Mon Sep 17 00:00:00 2001 From: Ryan Carter Date: Mon, 16 Jul 2018 07:41:25 -0600 Subject: [PATCH 4/8] Update Leak Mitigation Checklist.md --- Leak Mitigation Checklist.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Leak Mitigation Checklist.md b/Leak Mitigation Checklist.md index a0fc012..2edc82d 100644 --- a/Leak Mitigation Checklist.md +++ b/Leak Mitigation Checklist.md @@ -13,7 +13,7 @@ Examples of sensitive information: If someone else leaked confidential information related to you or your company on GitHub, you may ask GitHub to perform a [DMCA takedown](https://help.github.com/articles/dmca-takedown-policy/#f-submitting-notices). # Table of contents -[0. How to avoid exposing sensitive information](#0-how-to-avoid-exposing-sensitive-information) +[0. How to avoid exposing keys and sensitive information](#0-how-to-avoid-exposing-keys-and-sensitive-information) [1. General advice](#1-general-advice) 
From f832d27fef599ef791e4c4c2ffc0bee77cf91fd0 Mon Sep 17 00:00:00 2001 From: Ryan Carter Date: Mon, 16 Jul 2018 07:41:57 -0600 Subject: [PATCH 5/8] Update Leak Mitigation Checklist.md --- Leak Mitigation Checklist.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Leak Mitigation Checklist.md b/Leak Mitigation Checklist.md index 2edc82d..1c18f13 100644 --- a/Leak Mitigation Checklist.md +++ b/Leak Mitigation Checklist.md 
@@ -34,13 +34,13 @@ If someone else leaked confidential information related to you or your company o # 0. How to avoid exposing keys and sensitive information Before your first push to a repo, add this simple step to your workflow, which should avoid you having to backtrack and endure the embarrassment. That step is to add a .gitignore file to your code before you push for the first time. The process is simple and will prevent headaches for you and other developers of your project in the future. -# 0.1 Adding a .gitignore file to your code +## 0.1 Adding a .gitignore file to your code Create a new file named .gitignore and save it in the root of your project. This can be done via the terminal or in Finder/Explorer/Linux file manager as needed. The file must have a dot before the "gitignore" part or it won't be recognized exactly like this: ".gitignore" (that is the entire file name, weird, I know, but it's magical). -# 0.2 Add sensitive files to the list (in the .gitignore file) +## 0.2 Add sensitive files to the list (in the .gitignore file) Since it is difficult to tell what every single developer might possibly name their key files and other secrets, it is easier if you add your specific files to the .gitignore file yourself. All you do is make an entry inside the .gitignore for each file that you don't want shared on the public internet as part of your source code. When you commit the .gitignore file, github automatically looks the other way, and will not include your sensitive files in the repo. It's almost like they planned it! -# 0.3 Making your app still work when key files aren't pushed to the repo +## 0.3 Making your app still work when key files aren't pushed to the repo A valid question might be "How do I still make my app work without the keys or other sensitive files?" The answer is copy key files to the server where the code is running (usually by hand) so that they stay safe. 
Typically you would transfer the key file to the server once you've cloned your git repo onto the server. This way, the app still runs and your secret information stays secure. No one ever seems to explain this concept to devs, thus the need for GitGuardian to step in and help keep you safe. # 1. General advice From d1bcd2c180ed96d9c04c50461de8091d77fa4c33 Mon Sep 17 00:00:00 2001 From: Ryan Carter Date: Mon, 16 Jul 2018 07:45:06 -0600 Subject: [PATCH 6/8] Update Leak Mitigation Checklist.md --- Leak Mitigation Checklist.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/Leak Mitigation Checklist.md b/Leak Mitigation Checklist.md index 1c18f13..3dbe0fc 100644 --- a/Leak Mitigation Checklist.md +++ b/Leak Mitigation Checklist.md @@ -15,6 +15,12 @@ If someone else leaked confidential information related to you or your company o # Table of contents [0. How to avoid exposing keys and sensitive information](#0-how-to-avoid-exposing-keys-and-sensitive-information) +* [0.1 Adding a .gitignore file to your code](#0.1-adding-a-gitignore-file-to-your-code) + +* [0.2 Add sensitive files to the list](#0.2-add-sensitive-files-to-the-list) + +* [0.3 Making your app work without keys in the code](#0.3-making-your-app-work-without-keys-in-the-code) + [1. General advice](#1-general-advice) * [1.1. :warning: First thing first: rotate your credentials](#11-warning-first-thing-first-rotate-your-credentials) 
@@ -37,10 +43,10 @@ Before your first push to a repo, add this simple step to your workflow, which s ## 0.1 Adding a .gitignore file to your code Create a new file named .gitignore and save it in the root of your project. This can be done via the terminal or in Finder/Explorer/Linux file manager as needed. The file must have a dot before the "gitignore" part or it won't be recognized exactly like this: ".gitignore" (that is the entire file name, weird, I know, but it's magical). -## 0.2 Add sensitive files to the list (in the .gitignore file) +## 0.2 Add sensitive files to the list Since it is difficult to tell what every single developer might possibly name their key files and other secrets, it is easier if you add your specific files to the .gitignore file yourself. All you do is make an entry inside the .gitignore for each file that you don't want shared on the public internet as part of your source code. When you commit the .gitignore file, github automatically looks the other way, and will not include your sensitive files in the repo. It's almost like they planned it! -## 0.3 Making your app still work when key files aren't pushed to the repo +## 0.3 Making your app work without keys in the code A valid question might be "How do I still make my app work without the keys or other sensitive files?" The answer is copy key files to the server where the code is running (usually by hand) so that they stay safe. Typically you would transfer the key file to the server once you've cloned your git repo onto the server. This way, the app still runs and your secret information stays secure. No one ever seems to explain this concept to devs, thus the need for GitGuardian to step in and help keep you safe. # 1. General advice From 8e2a342525404c6a467e5b62355a20e6eab93de8 Mon Sep 17 00:00:00 2001 
From: Ryan Carter Date: Mon, 16 Jul 2018 07:46:07 -0600 Subject: [PATCH 7/8] Update Leak Mitigation Checklist.md --- Leak Mitigation Checklist.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Leak Mitigation Checklist.md b/Leak Mitigation Checklist.md index 3dbe0fc..e213eb5 100644 --- a/Leak Mitigation Checklist.md +++ b/Leak Mitigation Checklist.md @@ -15,11 +15,11 @@ If someone else leaked confidential information related to you or your company o # Table of contents [0. How to avoid exposing keys and sensitive information](#0-how-to-avoid-exposing-keys-and-sensitive-information) -* [0.1 Adding a .gitignore file to your code](#0.1-adding-a-gitignore-file-to-your-code) +* [0.1 Adding a .gitignore file to your code](#01-adding-a-gitignore-file-to-your-code) -* [0.2 Add sensitive files to the list](#0.2-add-sensitive-files-to-the-list) +* [0.2 Add sensitive files to the list](#02-add-sensitive-files-to-the-list) -* [0.3 Making your app work without keys in the code](#0.3-making-your-app-work-without-keys-in-the-code) +* [0.3 Making your app work without keys in the code](#03-making-your-app-work-without-keys-in-the-code) [1. General advice](#1-general-advice) From 64d37142c93df74c8c8abb9f73f3d564936702be Mon Sep 17 00:00:00 2001 From: Ryan Carter Date: Mon, 16 Jul 2018 07:47:08 -0600 Subject: [PATCH 8/8] updated table of contents --- Leak Mitigation Checklist.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Leak Mitigation Checklist.md b/Leak Mitigation Checklist.md index e213eb5..df7fe0b 100644 --- a/Leak Mitigation Checklist.md +++ b/Leak Mitigation Checklist.md 
@@ -13,7 +13,7 @@ Examples of sensitive information: If someone else leaked confidential information related to you or your company on GitHub, you may ask GitHub to perform a [DMCA takedown](https://help.github.com/articles/dmca-takedown-policy/#f-submitting-notices). # Table of contents -[0. How to avoid exposing keys and sensitive information](#0-how-to-avoid-exposing-keys-and-sensitive-information) +[0. How to prevent exposing keys and sensitive information](#0-how-to-prevent-exposing-keys-and-sensitive-information) * [0.1 Adding a .gitignore file to your code](#01-adding-a-gitignore-file-to-your-code) @@ -37,7 +37,7 @@ If someone else leaked confidential information related to you or your company o [3. Any question?](#3-any-question) -# 0. How to avoid exposing keys and sensitive information +# 0. How to prevent exposing keys and sensitive information Before your first push to a repo, add this simple step to your workflow, which should avoid you having to backtrack and endure the embarrassment. That step is to add a .gitignore file to your code before you push for the first time. The process is simple and will prevent headaches for you and other developers of your project in the future. ## 0.1 Adding a .gitignore file to your code
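Review bot: in patch 1/8 (hunk @@ -29,6 +29,17 @@), subsection 0.2's claim that "github automatically looks the other way" gets the mechanism wrong: .gitignore is read by the git client when it decides which untracked files to stage, so GitHub never receives the ignored file, but it has no effect on a file that is already tracked. A key committed before the rule was added stays in the repository and in its history, so the text should say that such a file must first be untracked (`git rm --cached <file>`) and that, because history keeps it, the credential still has to be rotated as the checklist's section 1.1 already says. The section would also benefit from two or three concrete entries a reader can copy (for example `.env`, `*.pem`), and subsection 0.3 could mention environment variables or a secrets manager as the alternative to hand-copying a key file, with restricted file permissions on anything that is copied. Style: the three subsections use `#`, the same level as `# 0.` and `# 1.`, and the closing sentence about GitGuardian reads as promotion rather than guidance.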
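Review bot: in patch 2/8, first hunk (@@ -13,6 +13,7 @@), the new table-of-contents link `#0-how-to-avoid-exposing-sensitive-information` does not match the heading the second hunk of the same patch retitles to `# 0. How to avoid exposing keys and sensitive information`, whose slug is `#0-how-to-avoid-exposing-keys-and-sensitive-information`; the link is dead until patch 4 corrects it. Keep the entry text and its anchor identical to the heading within the same commit.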
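Review bot: patch 3/8 (hunk @@ -30,6 +30,7 @@) only inserts a blank line before the `# 0.` heading. A whitespace-only change like this belongs squashed into patch 1 rather than standing as its own commit, and the same applies to the remaining fix-up commits in the series, which all carry the subject "Update Leak Mitigation Checklist.md" and each repair a problem introduced one or two patches earlier.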
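Review bot: patch 5/8 (hunk @@ -34,13 +34,13 @@) correctly demotes 0.1 to 0.3 to `##`, but the numbering style still differs from the existing subsections: the table of contents lists them as `1.1.` with a trailing period, while the new headings read `0.1` without one. Pick one form so the anchors and the visual hierarchy stay consistent.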
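Review bot: in patch 6/8, first hunk (@@ -15,6 +15,12 @@), the three new anchors `#0.1-adding-a-gitignore-file-to-your-code`, `#0.2-add-sensitive-files-to-the-list` and `#0.3-making-your-app-work-without-keys-in-the-code` will not resolve, because the period is dropped when a heading is slugged (compare the existing `#11-warning-first-thing-first-rotate-your-credentials` entry directly below them); write them as `#01-...`, `#02-...` and `#03-...`, as patch 7 later does, and squash that fix into this commit so the intermediate state with dead links never lands.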
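Review bot: in patch 8/8, second hunk (@@ -37,7 +37,7 @@), the change renames the section heading itself, not only the table of contents, so the subject "updated table of contents" undersells it. This is also the fourth retitle of the same heading in the series (patches 1, 2, 4 and 8); settling on "How to prevent exposing keys and sensitive information" once and squashing the intermediate renames would leave a much cleaner history.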