I recently moved some of my repositories from AWS CodeCommit to GitHub. I accidentally made one of the repositories public instead of private. Within less than 10 minutes of committing the code, I got an email from Stripe saying that my secret key was publicly accessible, and it included the exact file and code line containing the key.
How did this happen?
- Does GitHub detect the existence of sensitive info and inform the provider via some webhook?
- Does Stripe keep crawling new repositories for such leaks? It sounds practically impossible to detect so quickly.
I cannot get my head around what could have triggered this detection on Stripe's end. I was thrilled to see the action, though. Of course, I have rotated the secret key.
GitHub has a Secret Scanning Partner Program that organizations can join. Partners provide a pattern to GitHub, and if a string matching it is found, GitHub will automatically alert the partner.
I don't believe GitHub publishes a list of partners, but I would presume Stripe is a member of that program.
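To make the partner-pattern idea concrete, here is a small local scanner I added as an illustration; it is not GitHub's or Stripe's code. Each "partner" registers a regex for its token format, and a match is reported by file and line number with the secret redacted. The `sk_live_`/`sk_test_` prefixes are the real Stripe ones, but the length constraint, the second partner and the sample files are constructed assumptions.

```python
"""Illustrative local secret scanner modelled loosely on GitHub's partner
patterns. Not GitHub's or Stripe's code; patterns are simplified assumptions."""
import re
from dataclasses import dataclass

# Hypothetical partner registry: each partner supplies a regex for its token format.
# The Stripe prefixes sk_live_/sk_test_ are real; the 24+ length is an assumption.
PARTNER_PATTERNS = {
    "stripe": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{24,}\b"),
    # Constructed second partner with a different token format.
    "examplecorp": re.compile(r"\bexc_[0-9a-f]{32}\b"),
}


@dataclass(frozen=True)
class Finding:
    partner: str
    path: str
    line_no: int
    redacted: str  # never store the full secret in a report


def redact(token: str) -> str:
    """Keep only the identifying prefix and last four characters."""
    return token[:8] + "..." + token[-4:] if len(token) > 12 else "***"


def scan_text(path: str, text: str) -> list[Finding]:
    """Run every partner pattern over each line of one file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for partner, pat in PARTNER_PATTERNS.items():
            for m in pat.finditer(line):
                findings.append(Finding(partner, path, line_no, redact(m.group(0))))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents, e.g. the files touched by a commit."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample "commit": a real-looking key in config, a placeholder in docs.
SAMPLE_FILES = {
    "config/settings.py": "STRIPE_KEY = 'sk_live_abcdefghijklmnopqrstuvwxyz0123'\nDEBUG = True\n",
    "README.md": "Set STRIPE_KEY to sk_live_<your key here>.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.partner}: {f.path}:{f.line_no} {f.redacted}")
```

Run as a pre-commit hook over staged files, this catches the leak locally before the push, instead of learning about it from the provider's email.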