
🐛 [Bounty] - Sensitive Data Leak through github #4144

@Hornan7

Description


Context

Received via the security mailbox. I’m catching up on the backlog and couldn’t find any logs for this one, so I’m adding it here for tracking purposes. Please feel free to close it if it has already been processed.

Hi Team,

I found some sensitive data on GitHub.

GitHub link: https://github.com/IntersectMBO/govtool/blob/7bebf5186eab1527acc202978401c3607b306e5b/.github/workflows/frontend_sonar_scan.yml#L44

The line at that link:

-e SONAR_TOKEN="ec4183646e59dd70c8077acfabe52062ccbea7a9" \

Steps to reproduce

Validation
curl -u "ec4183646e59dd70c8077acfabe52062ccbea7a9:" "https://sonarcloud.io/api/system/status"


Actual behavior

Impact

  • Data Breach: Potential access to user data
  • Financial Loss: Unauthorized transactions
  • Service Disruption: Resource manipulation
  • Reputation Damage: Loss of customer trust

Expected behavior

Recommendations

1. Immediate Actions:

  • Rotate all exposed API keys immediately
  • Remove sensitive files from Git history using BFG Repo-Cleaner or git filter-branch
  • Add the affected files to .gitignore

2. Preventive Measures:

  • Implement pre-commit hooks with secret detection
  • Use environment variables for configuration
  • Regular security scanning of repositories
  • Developer training on secure coding practices

3. Tooling:

  • Implement git-secrets or similar tools
  • Use CI/CD security scanning (GitGuardian, TruffleHog)
  • Regular external penetration testing
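As an added example (not part of the report or of the govtool repository), a minimal pre-commit style checker in the spirit of the "secret detection" recommendation above: it flags a long high-entropy literal assigned to a credential-looking variable, as in the `-e SONAR_TOKEN="..."` workflow line quoted in the report, and accepts the corrected form that reads `${{ secrets.SONAR_TOKEN }}` from the repository's secret store. The sample workflow lines and the hex placeholder token are constructed; the variable-name list and the entropy threshold are assumptions, not values from the page.

```python
"""Pre-commit style check: flag hardcoded credentials in CI workflow files,
while accepting references to the CI secret store (${{ secrets.NAME }})."""
import math
import re
from collections import Counter

# Variable names that usually carry credentials (assumed list).
SENSITIVE_NAME = re.compile(r"TOKEN|SECRET|PASSWORD|API_KEY|PRIVATE_KEY", re.I)
# NAME="value", NAME='value' or NAME=value; groups 2/3/4 hold the value.
ASSIGNMENT = re.compile(
    r'''\b([A-Z][A-Z0-9_]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\$\{\{.*?\}\}|\S+))''')
# GitHub Actions expression reading the encrypted secret store: the corrected form.
SECRET_REF = re.compile(r"^\$\{\{\s*secrets\.\w+\s*\}\}$")

def shannon_entropy(s: str) -> float:
    """Bits per character: random hex is close to 4.0, prose well under 3.0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_lines(lines, min_len=16, min_entropy=3.0):
    """Return (line_no, var_name) for every suspected hardcoded secret."""
    findings = []
    for no, line in enumerate(lines, 1):
        for m in ASSIGNMENT.finditer(line):
            name = m.group(1)
            value = m.group(2) or m.group(3) or m.group(4) or ""
            if not SENSITIVE_NAME.search(name) or SECRET_REF.match(value):
                continue  # benign variable, or the token is injected at run time
            if len(value) >= min_len and shannon_entropy(value) >= min_entropy:
                findings.append((no, name))
    return findings

# Constructed sample (placeholder token, not a real credential): the weak form
# found in the report next to the corrected form that reads repository secrets.
SAMPLE_WORKFLOW = """\
      - name: SonarCloud scan (weak: token literal committed to the repository)
        run: |
          docker run --rm -e SONAR_TOKEN="0f9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a" scanner
      - name: SonarCloud scan (corrected: token comes from repository secrets)
        run: |
          docker run --rm -e SONAR_TOKEN="${{ secrets.SONAR_TOKEN }}" \\
            -e SONAR_HOST_URL="https://sonarcloud.io" scanner
""".splitlines()

if __name__ == "__main__":
    for no, name in scan_lines(SAMPLE_WORKFLOW):  # prints: line 3: SONAR_TOKEN
        print(f"line {no}: hardcoded value for {name}; use the CI secret store")
```

Wired into a pre-commit hook over staged workflow files, a non-empty result from `scan_lines` is the signal to reject the commit before the literal ever reaches the remote history.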
