GitGuardian alert, but I wasn't signed up

So, I pushed an update to one of my repositories, which only consists of 3 Jupyter notebooks and associated support files. After pushing the update, I received an email alert from GitGuardian:

GitGuardian has detected the following Okta Token exposed within your GitHub account.

  • Secret type: Okta Token

I don’t really know what it could have found, or why I got the alert when I had not signed up for GitGuardian (since I got the alert I did sign up, but I did not have GitGuardian before that).

What would prompt this sort of thing? I don’t really know much about an Okta token - I tried looking it up, but it seemed like it would take many days of research before I would have a chance to make any sense of it, and this repository does not have anything I can think of that would present a security problem on my system.

This is the repository: https://github.com/pegenaran/philcovid

Thanks in advance.

Hi @pegenaran! Welcome to the Community!

We’ve had one or two other reports of this happening - apparently GitGuardian are doing some proactive scanning of public repos, and if they can see an email address in the commit metadata, they send out a notification!

GitGuardian is a third-party service not partnered with GitHub for secret scanning, so as such, we don’t have any insight into how their service works.

It seems that what has happened is that a random string of characters in your notebook matches the formatting of an Okta key, and they have told you about it. We can’t say if this is an actual Okta API key, or just a random sequence of characters that happens to match the predefined formatting of an Okta API key.

You may want to ask GitGuardian for their opinion as to whether this is a security risk, as they are the ones with more information about how and why they identified this string.

Sorry we can’t help more from the GitHub side of things!
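To see what a format-based detector like the one described above would flag, here is an added example (not from this thread, GitHub or GitGuardian): a Python script that walks an `.ipynb` file's cells and outputs and reports any string with an Okta-token-like shape, along with its character entropy. The shape used, "00" followed by 40 URL-safe characters, is an assumption, and the notebook content is constructed.

```python
import json
import math
import re
from collections import Counter

# Assumed Okta API token shape (an assumption, not stated in the thread):
# "00" followed by 40 URL-safe characters, 42 characters in total.
OKTA_TOKEN_RE = re.compile(r"(?<![A-Za-z0-9_-])00[A-Za-z0-9_-]{40}(?![A-Za-z0-9_-])")

def shannon_entropy(s: str) -> float:
    """Bits per character; a random hex string approaches 4, base64-like text 6."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def _cell_texts(cell: dict):
    """Yield (location, text) for a cell's source and its text-like outputs."""
    yield "source", "".join(cell.get("source", []))
    for i, out in enumerate(cell.get("outputs", [])):
        if "text" in out:                      # stream outputs (stdout/stderr)
            yield f"output[{i}].text", "".join(out["text"])
        for mime, data in out.get("data", {}).items():
            if mime.startswith("text/"):       # execute_result / display_data
                yield f"output[{i}].{mime}", "".join(data)

def find_okta_like_strings(notebook_json: str) -> list:
    """Return every Okta-shaped string in an .ipynb with its cell and location."""
    nb = json.loads(notebook_json)
    hits = []
    for idx, cell in enumerate(nb.get("cells", [])):
        for location, text in _cell_texts(cell):
            for m in OKTA_TOKEN_RE.finditer(text):
                hits.append({"cell": idx, "cell_type": cell.get("cell_type"),
                             "location": location, "match": m.group(0),
                             "entropy": round(shannon_entropy(m.group(0)), 2)})
    return hits

# Constructed notebook: cell 0's printed output happens to have the 42-character
# "00..." shape (it is not a real token); cell 1 is ordinary markdown.
SAMPLE_NOTEBOOK = json.dumps({"cells": [
    {"cell_type": "code", "source": ["print(df['id'].iloc[0])\n"],
     "outputs": [{"output_type": "stream", "name": "stdout",
                  "text": ["00a9f3c1d2e4b5a6978c0d1e2f3a4b5c6d7e8f9a0b\n"]}]},
    {"cell_type": "markdown", "source": ["## Case counts by day\n"]},
]})

if __name__ == "__main__":
    for h in find_okta_like_strings(SAMPLE_NOTEBOOK):
        print(f"cell {h['cell']} ({h['cell_type']}, {h['location']}): "
              f"{h['match']} entropy={h['entropy']}")
```

Run it against a real notebook with `find_okta_like_strings(open("x.ipynb").read())`; a hit in a cell output rather than the source usually means a printed value, not a credential, but the string's shape alone cannot prove that either way.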

This happened to me as well.
The thing which concerns me the most is that GitGuardian sent me the notification to my work email, which has no relation to this account.

Same here! I accepted the request at first, then modified my repository to “hide” my API Key in my .gitignore file. While helpful, I wasn’t sure if GitGuardian is some kind of scam so I removed their access from my account.