March 10th, 2021

Mitigating leaked personal access tokens (PATs) found on GitHub public repositories

Product Manager

Personal access tokens (PATs) make it easy to integrate your tools with Azure DevOps or to extend Azure DevOps for your business needs. However, like any other authentication credential, a PAT must be stored securely: whoever holds a leaked token gets the same access to your Azure DevOps organization and data that you granted the token, putting your applications and services at significant risk.

One all too common way for a token to leak is to accidentally commit it to a repository.

GitHub is the home for all developers on the planet to host their projects, contribute to open source and leverage the power of the community to achieve their goals faster. However, this means that credentials such as personal access tokens committed to public repositories on GitHub are exposed to even more risk, particularly since malicious actors are continuously scanning public repositories for exactly this kind of opportunity.

I am excited to announce that the Azure DevOps security team, in collaboration with our partners at GitHub, will begin scanning for Azure DevOps personal access tokens (PATs) committed to public repositories on GitHub. When our team discovers a leaked token, we will immediately send a detailed email notification to the token owner, log an event to your Azure DevOps organization's Audit Log, and revoke the token on your behalf.
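As an added example (not the scanner Microsoft runs, and not code from the original post), here is a Python sketch of the process the announcement describes: walk every commit in a repository's history, look for strings shaped like an Azure DevOps PAT, and report the commit and path so the owner can be notified and the token revoked. It scans each commit rather than only the latest tree, because a token removed in a later commit is still exposed in history. The token shape (52 lowercase base32 characters) and the entropy threshold are assumptions, the `AZDO_PAT` environment variable name is hypothetical, and the "repository history" is a constructed in-memory list rather than a real git checkout so that the example runs offline.

```python
"""Added example: scan a repository's full commit history for Azure DevOps
PAT-shaped strings. Not the original post's code and not Microsoft's scanner.

Assumptions, labelled because the post does not document the scanner:
- a classic Azure DevOps PAT is modelled as 52 lowercase base32 characters
  ([a-z2-7]); this regex is an assumption, not an official specification.
- the commit history below is constructed in memory, not read from git.
"""
from __future__ import annotations

import math
import re
from collections import Counter
from dataclasses import dataclass

# Assumed token shape (see module docstring). The lookarounds stop us from
# matching a 52-character slice of a longer alphanumeric identifier.
PAT_PATTERN = re.compile(r"(?<![a-z0-9])[a-z2-7]{52}(?![a-z0-9])")

# A real token is random. A 52-character run of a few repeated letters is not,
# so we drop candidates below this many bits of entropy per character.
MIN_BITS_PER_CHAR = 3.5


def shannon_entropy(s: str) -> float:
    """Empirical Shannon entropy of a string, in bits per character."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_pat_candidates(text: str) -> list[str]:
    """Return every PAT-shaped, high-entropy string in a blob of text."""
    return [m.group(0) for m in PAT_PATTERN.finditer(text)
            if shannon_entropy(m.group(0)) >= MIN_BITS_PER_CHAR]


@dataclass
class Commit:
    sha: str
    files: dict[str, str]  # path -> full file content at this commit


@dataclass
class Finding:
    sha: str
    path: str
    token: str


def scan_history(commits: list[Commit]) -> list[Finding]:
    """Scan every commit, not only the newest tree: a token that was committed
    and later removed is still reported for the commit that introduced it."""
    findings: list[Finding] = []
    for commit in commits:
        for path, content in commit.files.items():
            for token in find_pat_candidates(content):
                findings.append(Finding(commit.sha, path, token))
    return findings


def redact(token: str) -> str:
    """Keep just enough of a token to identify it in a notification email."""
    return token[:4] + "..." + token[-4:]


# Constructed sample data: a fake PAT-shaped string (not a real token) first
# committed inside nuget.config, then replaced by an environment-variable
# placeholder (NuGet expands %VAR% in nuget.config; the variable name AZDO_PAT
# is hypothetical). The removal does not undo the leak in the first commit.
FAKE_PAT = "x7kaq2mze5vbw3pth6ryn4ugc2lsj7dof5iam3xwb6qek4tzp2nr"
SAMPLE_HISTORY = [
    Commit("c0ffee1", {"nuget.config":
           f'<add key="ClearTextPassword" value="{FAKE_PAT}" />\n'}),
    Commit("c0ffee2", {"nuget.config":
           '<add key="ClearTextPassword" value="%AZDO_PAT%" />\n'}),
]

if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"commit {f.sha}: {f.path} contains PAT {redact(f.token)}")
    if not scan_history(SAMPLE_HISTORY[-1:]):
        print("latest tree is clean, but the token is still in history")
```

Scanning only the latest tree (the `SAMPLE_HISTORY[-1:]` call) reports nothing, while the full-history scan reports the commit that introduced the token; that difference is why a leaked PAT must be revoked rather than merely deleted from the file.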

Please comment below if you have any questions or concerns!

Author

pazand
Product Manager

Parsa is a Product Manager on the Azure DevOps team.

10 comments


  • Paul Williams · Edited

    Newbie:

    That is extremely good news for security. However, I am now unsure how to publish NuGet packages without leaking the token/key/whatever, if my nuget.config cannot contain the token/key.

    All examples / tutorials I have seen say to include (in nuget.config) an entry such as:
    <code>

    For example: https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-nuget-registry

    If I follow these examples, then GitHub will revoke my token as soon as I check-in my code.

    In fact, I had a private repo that was working fine, but as soon as I made it public my token was revoked, as it was contained within the nuget.config file.

    Some basic instructions would help here, or links...

  • Steve Hansen

    Does this work at the commit level or just the latest source? Like when a commit would have a token, and then another commit to remove it, but it would still be leaked in the history of that repository.

    • pazand (Microsoft employee, Author)

      This works on commit.

  • Sachin Patil

    Thanks a lot for sharing. Really amazing blog. I learnt a lot

    Best Regards
    Sachin Patil

  • Maciej Porebski

    It would be great to see this extended to Azure Repos in the future, ideally even adding ability to block tokens from being pushed to repos 🙂

    • pazand (Microsoft employee, Author)

      Thanks for the feedback! This is definitely something we want to do! Check our Feature Timeline for any public commitments.

    • Travis F.

      Yes please!