White-hat researchers have recently exploited the Force Push Scanner technique to uncover thousands of active secrets in GitHub repositories. Security researcher Sharon Brizinov used the tool to scan “deleted” (dangling) commits and discovered a trove of sensitive credentials, including admin access tokens for major projects like Istio.
Force Push Scanner is an open-source security tool designed to detect sensitive secrets (like API keys, credentials, and tokens) that have been accidentally committed to GitHub repositories and then “deleted” through a force push. Despite developers’ efforts to remove these secrets by rewriting history, the underlying commits (known as dangling commits) can remain accessible and pose a significant security risk.
How Dangling Commits Occur
- Force pushing (`git push --force`) is often used to overwrite commit history, typically after a mistake such as committing a secret.
- While the visible history is rewritten, the old commits are not immediately deleted from GitHub’s infrastructure. They become dangling—unreferenced by any branch but still retrievable if you know their hash.
- GitHub archives these events, making it possible for attackers or researchers to scan for and recover deleted secrets.
How the Scanner Works
- The tool leverages the GH Archive project, which logs all public GitHub events, including force push events that result in zero commits.
- It identifies these zero-commit push events and extracts the “before” commit hash, which points to the now-dangling commit.
- The scanner then analyzes the content of these commits for secrets using established detection engines (like TruffleHog).
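The pipeline above, as an added example that is not the Force Push Scanner's own code: it filters constructed GH Archive-style PushEvent records down to zero-commit pushes for one owner, pulls out the `before` hash of each now-dangling commit, and runs a small pattern check over constructed file contents standing in for that commit (fetching the real commit by hash, and the TruffleHog engine, are assumed and omitted).

```python
import json
import re

# Constructed GH Archive-style PushEvent records (JSON lines), not real data. A force
# push that rewrites history shows as size 0 / no commits; payload.before is the dangling commit.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"type": "PushEvent", "repo": {"name": "example-org/service"},
     "payload": {"ref": "refs/heads/main", "size": 2, "before": "a" * 40,
                 "head": "b" * 40, "commits": [{"sha": "b" * 40}, {"sha": "c" * 40}]}},
    {"type": "PushEvent", "repo": {"name": "example-org/service"},
     "payload": {"ref": "refs/heads/main", "size": 0, "before": "b" * 40,
                 "head": "d" * 40, "commits": []}},
    {"type": "WatchEvent", "repo": {"name": "example-org/service"},
     "payload": {"action": "started"}},
    {"type": "PushEvent", "repo": {"name": "other-org/tool"},
     "payload": {"ref": "refs/heads/dev", "size": 0, "before": "e" * 40,
                 "head": "f" * 40, "commits": []}},
])

# Constructed stand-in for the content of the dangling commit b...b; in practice
# the commit is fetched by hash from the repository (network access, omitted here).
SAMPLE_COMMIT_CONTENT = {
    "config/settings.py": "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\nDEBUG = True\n",
    "README.md": "Run with a GitHub token, e.g. ghp_" + "x" * 36 + "\n",
    "src/app.py": "print('hello')\n",
}

# Minimal detector patterns; a real scan would hand the content to an engine like TruffleHog.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

def dangling_commits(events_jsonl, owner):
    """Return (repo, dangling_sha, ref) for every zero-commit push under `owner`."""
    found = []
    for line in events_jsonl.splitlines():
        ev = json.loads(line)
        if ev.get("type") != "PushEvent":
            continue
        repo = ev["repo"]["name"]
        payload = ev["payload"]
        if repo.split("/")[0] == owner and payload.get("size") == 0:
            found.append((repo, payload["before"], payload["ref"]))
    return found

def scan_commit(files):
    """Return (path, secret_kind) for each file whose content matches a pattern."""
    return sorted((path, kind) for path, text in files.items()
                  for kind, rx in SECRET_PATTERNS.items() if rx.search(text))
```

Run against your own organization's name, every hit is a credential to rotate regardless of whether the commit is still visible in any branch.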
Usage Highlights
- Download the precompiled database of force push events or query the public dataset on Google BigQuery.
- Scan any user or organization: Run the scanner locally to check for secrets within dangling commits across your repositories.
- Remediation: If secrets are found, rotate and revoke them immediately, as they may have been exposed even after deletion.
Real-World Impact
- White-hat researchers have used this method to uncover thousands of active secrets, earning substantial bug bounties and preventing major supply-chain attacks.
- Notably, one scan found a GitHub Personal Access Token (PAT) with admin rights to all Istio repositories, which could have led to a catastrophic supply-chain compromise if abused.
- Commonly leaked secrets include AWS credentials, database passwords, and GitHub tokens—often left by inexperienced developers or overlooked during cleanup.
Why This Matters
- Deleting a commit does not guarantee security. Secrets in dangling commits can be recovered and exploited.
- Organizations should not rely solely on history rewriting for secret removal. Instead, they should:
Getting Started
- The Force Push Scanner is available as open source and can be found on GitHub.
- For a technical deep dive and real-world case studies, see the blog post by Sharon Brizinov in collaboration with Truffle Security.