appsec

331 readers

1 users here now

A community for all things related to application security.

founded 1 year ago

MODERATORS

[email protected]

GitHub Copilot, Amazon Code Whisperer emit people's API keys (www.theregister.com)

submitted 1 year ago by [email protected] to c/[email protected]

11 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 8 points 1 year ago (9 children)

You shouldn't be hard-coding API keys, and definitely not committing them to the repository.

[–] [email protected] 1 points 1 year ago (4 children)

For local development you would definitely keep them in a config file. Nothing wrong with that.

For production they are set during the release process.

Nothing is more expensive than developers needing to find all the configs and keys to just start up a project to make a small fix somewhere.

[–] [email protected] 3 points 1 year ago (3 children)

A config file outside of the repository to be specific.

On Linux it can go somewhere under ~

On windows it can go somewhere in AppData

Ie; ~/YourAppName/Secrets.json or whatever your config file flavor is. Json, yaml, xml, whatevs

[–] [email protected] 1 points 1 year ago (1 children)

No. For development purposes I want my devs to be able to clone the repo and start.

So the development config files are inside the repositories.

[–] [email protected] 0 points 1 year ago (1 children)

Wow, that's a terrible security process even for development configs. How about adding a script they can run right after cloning to pull the needed keys from a secure location using their own user credentials? Plenty of solutions out there.

[–] [email protected] 0 points 1 year ago

So let’s say the code base leaks.

Let’s say our VPN was also compromised.

Then what is the worst that can happen? Some internal dev api with no real data in it can be tested by hackers.

load more comments (1 replies)

load more comments (5 replies)