GitHub Pull Request
Step 1: Locate the Exposed Token with SailPoint Entro Platform
Use the link provided by SailPoint Entro to navigate directly to the GitHub Pull Request where the token was exposed. Identify the specific files, comments, or code snippets in the Pull Request that contain the exposed token. Review the changes, discussions, and commit history to locate the sensitive data.
Step 2: Revoke or Rotate the Exposed Token
To remediate the issue, use the RIGOR workflow:
-
Redact Sensitive Information: Edit or remove the exposed token from the affected files or comments in the Pull Request. If possible, update the PR to replace the token with references to securely stored tokens. Push new commits to the Pull Request that remove the exposed token from the code or configurations. If sensitive data has been committed to the repository history, use Git’s filter-branch, BFG Repo-Cleaner, or GitHub’s Secret Scanning feature to remove it from the commit history.
-
Inform the owner about the token exposure so that the practice is not repeated.
-
Generate a new token if it is still needed and ensure it is securely stored, avoiding direct exposure in code, configuration files, or environment variables.
-
Organize and take notes throughout this process as they will be necessary for a future root cause analysis, response plans, etc...
-
Revoke any exposed tokens through the issuing service based on the token type provided by SailPoint Entro. Refer to Key Rotation Best Practices.
Step 3 (optional) : Use GitHub Secrets or External Secret Management
Consider using GitHub Secrets in GitHub Actions to securely manage sensitive information without hard-coding it in the repository.
Alternatively, integrate with an external secret management service such as AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault to securely store and access tokens and other sensitive data.
Step 4: Update GitHub Workflows to Access Secrets Securely
-
Update GitHub Actions workflows and scripts associated with the Pull Request to access sensitive data from GitHub Secrets or external secret management systems.
-
Modify workflows to fetch secrets dynamically during runtime, ensuring that sensitive data is handled securely without being hard-coded in the code or Pull Request.
Step 5: Audit Access
Review GitHub’s audit logs, Pull Request history, and repository security settings to ensure that no unauthorized access occurred while the token was exposed.
Step 6: Monitor
Enable monitoring and set up Configuration notifications in GitHub or using external monitoring tools to notify you of any unusual activities related to Pull Request access or sensitive data exposure.
By following these steps, you can effectively manage the exposed token detected by SailPoint Entro in a GitHub Pull Request, ensuring secure handling of sensitive information and enhancing the overall security of your code review process.