Hey Hi, I was unable to delete a user account or suspend my account in the https://app.gitguardian.com/
Kindly add that feature

Hi there, link in your email points to this commit

The line number flagged comes up as http://kadubeureum-serang.desa.id/wp-content/auto/autolink/autolinkauto/mailboxx/mailbox which does not show any API key involved.

You have been sending me multiple emails looking like this:

GitGuardian has detected the following ____ exposed within your GitHub account.
Details

- Secret type: ____

- Repository: ____/____

- Pushed date: ____, ____ UTC

Fix This Secret Leak
Read our guide to remediate an exposed secret.

GitGuardian is an automated secrets detection service trusted by 150,000 developers worldwide.

Unsubscribe from these alerts.
--


</div></td></tr><br class="Apple-interchange-newline">

Most GitHub users have never signed up for your services, and your action is the exact definition of spamming. If you like to get more users from this community, you need to stop spamming them to begin with!

Here's more reports about your spamming actions: https://github.community/t/gitguardian-alert-but-i-wasnt-signed-up/123151

Hi, thanks for the heads up, and this is a neat service. I got a report about a discord API being exposed, and I assume it's this line in my example configuration file.

# List of Discord webhooks to broadcast updates to.
discord_webhooks:
 - url: "https://discordapp.com/api/webhooks/667885980094562334/eNViZSC-hEAw0a0pavbNJsbgwzLSofVB6MpOsOZD3_8hh4WyQn38kysWuzlcRtsyRNMR"

This is a webhook that I generated, copied, and then revoked—to use as an accurate example the user can see. I don't know how possible it would be to test if a webhook is valid or not, but this would be a true positive in the sense that it was a valid webhook for a moment, but a false positive in that it's not valid.

Have fun. :)

secure: "ZsqWjlnthwiHrMCytHeYLzC6pasDzBYZAL4vPdx7+viGiahIoYDeN+FkoXASYP4Z9RachE3GKquXeTPKCjAJ0elvYKHe1PC6+BsZrQWVOIMMqa1vMOuPVAMk7ohDsE4JqzjxdWYAErxE/GgcE7+7F/s79d+x+zpg0c0DVkNiprFWYnz2liKX0Ya926anDUAfT1fsHfSjDETufrNs06jfNMroFbEN22ebxiKL8Xbip6f3fY2SEasmiQ5MhmjMreDTY1zemnTvsaMNzjzSou3z+zqV6Z/Xt/FrS4t42vmo37w9wLYUlREPR0FJ6Z+c5PI4l/+RdBKQfvlilZDIq60ZeF3uHE2tVlSMXaOtNS7EVO9vJjxWb2qSLWeh8kmGsT87sBocUVILFG3ibmnbPiGtW4rDxqgtYPnAaxDU8yQL72K1EDkuJytQIXXDefHZ/FA5/+UTzv3cCIF2OviIVx2oEHrnkbq+YPvyjLGzp+eg8/In8m5Mc63UoepknLvlz5JrUKYePj2IUuyI2Dvl7+O4qm5o+SvNutoeYJYsWrKkPiaDXfAJ+J4QMerO2qbF2AWCQHHfeTRK8Sn6geK0ZK8SXEVeIty5IA95Bt/pBZJ4ZCn8ehK3nvepLOwhy/gGyejrjMlG9rcAvAyvnSN8aT1cHJJaKkAlF22chLVQ1pIcukE="

Travis CI secrets can't be decrypted, are not exposed to PRs from forks, and are removed from logs.

• https://docs.travis-ci.com/user/encryption-keys/
• https://docs.travis-ci.com/user/best-practices-security/
• https://docs.travis-ci.com/user/environment-variables/#defining-encrypted-variables-in-travisyml

### Store your secrets encrypted in a git repository

**Advantages**

* Your secrets are synced.

No, no no no no no,
No.
No.

Secrets have no place in version control - they shouldn't be distributed, they shouldn't be in version control.
If the secrets are encrypted and in version control that's even worse because you have to distribute the private key for them as well, sooner or later this will inevitably end up in your repository.

Once the secrets (and worse - potentially your private key too) are in version control (and heaven forbid outside of a network you control), you are relying completely on software you likely don't have control over to ensure these secrets remain exactly that; secret.

This is before you get to the issue of there suddenly being zero accountability, if you're using something like AWS and using a non-free service and everyone's using the same set of credentials there's no way of keeping track of who's running up the bill.

Secrets need to be exactly that - secret, bonus points if they're also easy to revoke and replace.

Hello, and thank you for the GitGuardian service that you provide, it is really useful.

I want to point out that you should not auto-detect a Firebase API key as "compromised" since this is not a private key but a public key that any entity should access in order to connect to the Firebase API that was set up. Authentication allows only some/all end-users to access/modify/validate certain parts of it, so the API key is not the one that should be guarded.
https://stackoverflow.com/questions/35418143/how-to-restrict-firebase-data-modification

I assume an URL including digitalocean in combination with a public Ethereum address triggered the bot.

I received a notification email claiming a disclosure in a Git commit. This was a false positive. Clicking on the False Positive link took me to a 403 error.

There was just a false positive on one of my repos, where a Google APIKey is in the javascript.
I tried clicking the false positive button on the email, but that didn't work...
Google apiskeys embedded in javascript front-ends are available for the public to see in any-case as the JavaScript is run client side. :)