Gitguardian alert but I wasn't signed up

So, I pushed an update to one of my repositories, which only consists of 3 Jupyter notebooks and associated support files. After pushing the update, I received an email alert from GitGuardian:

GitGuardian has detected the following Okta Token exposed within your GitHub account.

  • Secret type: Okta Token

I don’t really know what it could have found, or why I got the alert when I had not signed up for GitGuardian (since I got the alert I did sign up, but I did not have GitGuardian before that).

What would prompt this sort of thing? I don’t really know much about an Okta token. I tried looking it up, but it seemed like it would take many days of research before I would have a chance to make any sense of it, and this repository does not have anything I can think of that would present a security problem on my system.

This is the repository: https://github.com/pegenaran/philcovid

Thanks in advance. :slight_smile:

Hi @pegenaran! :wave: Welcome to the Community!

We’ve had one or two other reports of this happening - apparently GitGuardian are doing some proactive scanning of public repos, and if they can see an email address in the commit metadata, they send out a notification!

GitGuardian is a third-party service not partnered with GitHub for secret scanning, so as such, we don’t have any insight into how their service works.

It seems that what has happened is that a random string of characters in your notebook matches the formatting of an Okta key, and they have told you about it. We can’t say if this is an actual Okta API key, or just a random sequence of characters that happens to match the predefined formatting of an Okta API key.

You may want to ask GitGuardian for their opinion as to whether this is a security risk, as they are the ones with more information about how and why they identified this string.

Sorry we can’t help more from the GitHub side of things!

1 Like

This happened to me as well.
The thing which concerns me the most is that GitGuardian sent me a notification to my work email, which has no relation to this account.

2 Likes

Same here! I accepted the request at first, then modified my repository to “hide” my API Key in my .gitignore file. While helpful, I wasn’t sure if GitGuardian is some kind of scam so I removed their access from my account.

Hi m47ik,
The alert from GitGuardian is sent to the commit email, which can be different from your GitHub email.
This is set by your local git configuration; you can see and set it using the git config commands. A little trick if you want to see the metadata inside your commit is to add ‘.patch’ to the end of the commit URL. :slight_smile:

Mackenzie (Developer Advocate @ GitGuardian)
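The ‘.patch’ trick above works because GitHub serves a git-format-patch rendering of a commit at that URL, and the `From:` header of that text is the author name and address recorded by `git config user.email` on the committing machine, which is exactly what a scanner reading commit metadata sees. The following is added example code (not from anyone in this thread, and not GitGuardian's or GitHub's code) that parses that header out of a `.patch` text and flags addresses that are not GitHub's `@users.noreply.github.com` privacy addresses. The sample patches, names, addresses and hashes are constructed for the example.

```python
"""Find which e-mail address a public commit exposes.

Added example, not code from the original thread. It parses the head of
the git-format-patch text that GitHub returns for <commit URL>.patch and
reports the author address. The sample patches below are constructed.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample of the first lines of a ".patch" view. The hash, name
# and address are invented; only the headers matter here.
SAMPLE_PATCH = """From 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b Mon Sep 17 00:00:00 2001
From: Jane Example <jane@work-company.example>
Date: Tue, 2 Feb 2021 10:15:00 +0000
Subject: [PATCH] update notebook

---
 analysis.ipynb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
"""

# Constructed sample of a commit made with GitHub's noreply privacy address.
NOREPLY_PATCH = """From 0f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e Mon Sep 17 00:00:00 2001
From: "Same, Person" <12345+sameperson@users.noreply.github.com>
Date: Wed, 3 Feb 2021 09:00:00 +0000
Subject: [PATCH] add support files

---
 data/cases.csv | 10 ++++++++++
 1 file changed, 10 insertions(+)
"""

GITHUB_NOREPLY_SUFFIX = "@users.noreply.github.com"


def commit_author(patch_text: str) -> Optional[Tuple[str, str]]:
    """Return (display name, email) from the patch's From: header.

    The first line of a format-patch file is "From <sha> <date>" with no
    colon, so "^From:" only matches the real author header.
    """
    m = re.search(r"^From:[ \t]*(.+)$", patch_text, re.M)
    if not m:
        return None
    value = m.group(1).strip()
    # Either  Name <addr>  /  "Quoted, Name" <addr>  or a bare address.
    m2 = re.fullmatch(r'(?:"?(.*?)"?\s*)?<([^>]+)>', value)
    if m2:
        return (m2.group(1) or "").strip(), m2.group(2).strip()
    return "", value


def is_github_noreply(email: str) -> bool:
    """True for GitHub's per-user privacy address (ID+login@users.noreply...)."""
    return email.lower().endswith(GITHUB_NOREPLY_SUFFIX)


def exposed_addresses(patch_texts: List[str]) -> List[str]:
    """Unique real addresses, sorted, that these commits publish to the world."""
    found = set()
    for text in patch_texts:
        author = commit_author(text)
        if author and not is_github_noreply(author[1]):
            found.add(author[1])
    return sorted(found)


if __name__ == "__main__":
    for addr in exposed_addresses([SAMPLE_PATCH, NOREPLY_PATCH]):
        print(f"public commit metadata exposes: {addr}")
```

To check a local clone instead of the web view, `git log --format='%an <%ae>' | sort -u` lists every author address in the history. Setting `git config user.email` (for example to your GitHub noreply address) only changes commits made from then on; addresses already in pushed history stay public unless the history is rewritten and force-pushed.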

It’s 2021 and GitGuardian can’t just be spamming people using their email from commit messages in an attempt to growth hack. Yes you have an Unsubscribe link in your emails, but you also know that I never subscribed to such alerts in the first place. According to your website you are “registered under French law” and should know that this is not OK.

2 Likes

How did you remove their access to your account?

I couldn’t agree more. I’m marking his emails as spam, since that is basically what they are.

After logging into your account:

  • Settings
  • Applications (should be last on the left sidebar)
  • Click the tab for Authorized GitHub Apps
  • Click Revoke

What if I never authorized this app in the first place? They are scanning my public repositories, getting the commit emails and sending me spam with it.

If that is happening, and you do not have them in your authorized apps, please reach out to them directly as we do not have insight into how they interact with you.

I think these spammers are becoming a real issue, and before long you won’t be able to use that “it’s not us” answer anymore… Isn’t there anything to be done collectively? They aren’t just spammers; they pose a security risk as well, since they ask for GitHub credentials to sign in.