GitHub Code Commit
CodeCommit is a secure, highly scalable, managed source control service that hosts private Git repositories. SailPoint Entro identifies secrets exposed in committed code (as shown in the example below):

Step 1: Locate the Exposed Token with SailPoint Entro Platform
Use the link provided by SailPoint Entro to navigate directly to the GitHub repository where the token was exposed.
Step 2: Revoke or Rotate the Exposed Token
To remediate the issue, use the RIGOR workflow:
-
Redact Sensitive Information: Remove references to the exposed token from the affected code, files, or configurations in the GitHub repository. If sensitive data has been committed to the repository history, use Git’s filter-branch, BFG Repo-Cleaner, or GitHub’s Secret Scanning feature to remove it from the commit history.
-
Inform the owner about the token exposure so that the practice is not repeated.
-
Generate a new token if it is still needed and ensure it is securely stored, avoiding direct exposure in code, configuration files, or environment variables.
-
Organize and take notes throughout this process as they will be necessary for a future root cause analysis, response plans, etc...
-
Revoke any exposed tokens through the issuing service based on the token type provided by SailPoint Entro. Refer to Key Rotation Best Practices.
Step 3 (optional) : Use GitHub Secrets or External Secret Management
Consider using GitHub Secrets in GitHub Actions to securely manage sensitive information without hard-coding it in the repository.
Alternatively, integrate with an external secret management service such as AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault to securely store and access tokens and other sensitive data.
Step 4: Audit Access
Review GitHub’s audit logs and repository security settings to ensure that no unauthorized access occurred while the token was exposed.
Step 5: Monitor
Enable monitoring and set up Configuration notifications in GitHub or using external monitoring tools to notify you of any unusual activities related to repository access or sensitive data.