DigitalOcean APIs allow users to perform different types of operations on DigitalOcean services. To use the API, a key is needed (generated and provided by DigitalOcean).
The problem occurs when a developer pushes the key (the one used for production) to a Git repository by mistake. This is especially dangerous in a public repository: by the time the developer or someone on the team notices the mistake, the key may already have been used by some other user. It can destroy the whole infrastructure for that project and add unexpected bills to the DigitalOcean account.
To address these issues, GitHub has a service/program named "GitHub secret scanning".
DigitalOcean has recently joined the GitHub secret scanning program. Here are the benefits of this step:
- GitHub will scan all public repositories and check whether any secret keys related to DigitalOcean services have been published.
- If a secret is found, it will be flagged.
- DigitalOcean will be notified about the leak and can then revoke the API key immediately.
- This prevents data leaks and stops the issues caused by an exposed key.
- GitHub will block any push to the repository if a token or key matching a defined format is detected, provided advanced security is enabled. This works on any public or private repository for advanced security customers.
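The same format-matching idea can be applied locally before a push ever reaches GitHub. The following is an added example (not code from the original post, GitHub or DigitalOcean) of a pre-commit style check that scans only the added lines of a staged diff for DigitalOcean-style tokens; it assumes the v1 token format `dop_v1_`/`doo_v1_` followed by 64 hex characters, and the sample diff and token are constructed.

```python
import re
import subprocess

# Assumed token format: "dop_v1_" (personal access) or "doo_v1_" (OAuth)
# followed by 64 hex characters. This is an assumption for the example,
# not a statement of the exact rules GitHub's scanner uses.
DO_TOKEN_RE = re.compile(r"\b(do[po]_v1_[0-9a-f]{64})\b")


def mask(token):
    """Keep the prefix and last 4 chars so a finding can be reported safely."""
    return token[:11] + "..." + token[-4:]


def find_do_tokens(text):
    """Return (line_number, masked_token) for every token-shaped match in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in DO_TOKEN_RE.finditer(line):
            hits.append((lineno, mask(m.group(1))))
    return hits


def scan_staged_diff(diff_text):
    """Scan only added lines ('+') of a unified diff; removed lines are ignored.

    Returns (file_path, masked_token) pairs so a hook can refuse the commit.
    """
    hits = []
    current_file = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):          # file header, not content
            current_file = line[4:].removeprefix("b/")
            continue
        if line.startswith("+"):
            for m in DO_TOKEN_RE.finditer(line):
                hits.append((current_file, mask(m.group(1))))
    return hits


# Constructed sample: a fake token and a diff that hard-codes it.
FAKE_TOKEN = "dop_v1_" + "a1b2c3d4" * 8
SAMPLE_DIFF = f"""diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,3 @@
 DEBUG = False
-DO_TOKEN = os.environ["DO_TOKEN"]
+DO_TOKEN = "{FAKE_TOKEN}"
"""

if __name__ == "__main__":
    staged = subprocess.run(["git", "diff", "--cached"], capture_output=True, text=True).stdout
    for path, tok in scan_staged_diff(staged) or scan_staged_diff(SAMPLE_DIFF):
        print(f"refusing commit: DigitalOcean-style token {tok} in {path}")
```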