Securing secrets such as API keys, passwords, and credentials is a major challenge for developers today. It's far too easy for these secrets to get exposed in public code repositories, logs, docker images, etc.
To help solve this issue, GitGuardian has launched an innovative new tool called HasMySecretLeaked to help you proactively audit if any of your organization's secrets have been publicly leaked.
HasMySecretLeaked allows you to check if your secret has leaked publicly on GitHub without ever revealing the actual secret. It uses advanced cryptographic techniques like hashing and encryption to query GitGuardian's database of more than 20 million leaked secrets found by scanning GitHub.
Here's how it works:
- You enter your secret in the HasMySecretLeaked client-side interface. It is hashed and encrypted locally in your browser.
- Only a prefix of the hash is sent to query GitGuardian's database. This allows you to search for a match without exposing your actual secret.
- If there is a match, the results are encrypted and sent back. They can only be decrypted locally using your secret's full hash as a key.
- This allows you to safely check if your secret has leaked publicly without the value ever leaving your environment.
You can also use GitGuardian's ggshield CLI to integrate leak checks into your pipelines, pulling secrets from tools like HashiCorp Vault and checking them in bulk against the database.
HasMySecretLeaked is integrated into GitGuardian's secrets detection platform, alerting you if hardcoded secrets found in your repositories, Slack, Jira, etc. have leaked publicly. It uses zero-knowledge and cryptographic techniques like k-anonymity to ensure your real secrets are never revealed, providing a privacy-first way to check if your organization's secrets have been unintentionally exposed on public GitHub projects.
This new tool addresses the growing need to gain visibility and control over secrets sprawl. In today's complex CI/CD pipelines, secrets spread rapidly across numerous tools, scripts, and environments, making accidental leaks almost inevitable. HasMySecretLeaked provides continuous auditability for your secrets, empowering developers and security teams to systematically verify secrets and prioritize the remediation of critical leaks.
Whether you manage thousands of secrets across various vaults or just want to check a few keys, HasMySecretLeaked is an invaluable tool for proactively securing your organization's secrets and minimizing your attack surface.