Github prevents me by email : "We found your GitHub credentials in the metadata of this commit."

[johanmaia]

Select Topic Area

Question

Body

I received an email from Github after publishing a public repository including a symfony project.

"We found your GitHub credentials in the metadata of this commit"

... but it´s a project which works only on localhost for the moment.
I tried to find on the commit where could be my credentials without success.

Someone knows what I need to do ?

[aashah]

Hey @johanmaia does the email include a link? In markdown, it may have looked something like:

We found your GitHub credentials in [the metadata of this commit](LINK TO COMMIT HERE)

Could you check whether it is there? Your credentials won't be in the content of the commit either. This scan is looking at the metadata for the commit, such as the author name & email. If you look at the commit SHA provided in the email, you could run something like the following to verify whether your credentials were leaked:

$ cd repo-in-question
$ git show --format='%an - %ae | %cn - %ce' --quiet <commit-SHA>

Your credentials have already been revoked though, and you'll need to go through the process of generating a new password.

[johanmaia]

Hi @aashah, this is the link we are talking about : hive-4-apps/annuaire@dfc86fe

[johanmaia]

Do you know why at this moment my credentials was in the metadata ?

[aashah]

Do you know why at this moment my credentials was in the metadata?

I don't think I can answer that for you, all we know is that you made a public commit with your GitHub login credentials in the commit metadata. How you configured your local git configuration is impossible for me to say.

We first started scanning for these based on a bounty report from an external researcher. They found a variety of ways that users have been putting their GitHub login credentials in commit metadata. You can read more about there research here -- https://www.notgitbleed.com, and our Changelog which roughly says the same thing.

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬