GitLab scan finds 17,000 secrets in public repos, leading to $9000+ in bounties
13 days ago
- #Secrets Scanning
- #GitLab
- #Bug Bounty
- Scanned 5.6 million public GitLab repositories using TruffleHog, finding over 17,000 verified live secrets.
- Earned over $9,000 in bounties by responsibly disclosing the findings.
- GitLab has nearly twice as many public repositories as Bitbucket but three times the number of exposed secrets.
- Google Cloud Platform (GCP) credentials were the most frequently leaked secret type.
- Found 'platform-locality' evidence: GitLab-specific credentials were 25x more likely to leak on GitLab than on Bitbucket.
- Automated the scanning process using AWS Lambda and SQS, completing the scan in about 24 hours.
- Used an LLM (Claude Sonnet 3.7) to automate triage and disclosure processes.
- Disclosed findings to over 120 organizations and worked directly with 30+ SaaS providers.
- Discovered still-valid secrets committed as far back as 2009, illustrating the 'Zombie Secret' problem: credentials that were never rotated remain live years after they were exposed.
- Key takeaway: Large-scale scanning is essential for identifying and mitigating high-impact exposures.
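As an added example (not the author's code or TruffleHog's own), the triage step that produces numbers like the ones above: parse TruffleHog's newline-delimited `--json` output, keep only findings TruffleHog itself verified as live, count them by detector, and flag "zombie" secrets whose commit timestamp is older than a threshold. The field names follow TruffleHog v3's JSON output as documented (`DetectorName`, `Verified`, `SourceMetadata.Data.Git.timestamp`); the sample findings, repository URLs and redacted values are constructed for this example, and `EXAMPLE_NOW` is a fixed reference date so the output is reproducible.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample of TruffleHog `--json` output, one finding per line.
# Field names follow TruffleHog v3; every value here is invented.
SAMPLE_FINDINGS = "\n".join([
    json.dumps({"SourceMetadata": {"Data": {"Git": {"commit": "a1b2c3d", "file": "config/creds.json",
        "repository": "https://gitlab.com/example/svc-a.git", "timestamp": "2009-03-11 15:22:01 +0000"}}},
        "DetectorName": "GCP", "Verified": True, "Redacted": "AIza***"}),
    json.dumps({"SourceMetadata": {"Data": {"Git": {"commit": "b2c3d4e", "file": ".env",
        "repository": "https://gitlab.com/example/svc-b.git", "timestamp": "2024-11-02 08:10:44 +0000"}}},
        "DetectorName": "GCP", "Verified": True, "Redacted": "AIza***"}),
    json.dumps({"SourceMetadata": {"Data": {"Git": {"commit": "c3d4e5f", "file": "deploy.sh",
        "repository": "https://gitlab.com/example/infra.git", "timestamp": "2018-06-30 21:00:00 +0000"}}},
        "DetectorName": "AWS", "Verified": True, "Redacted": "AKIA***"}),
    json.dumps({"SourceMetadata": {"Data": {"Git": {"commit": "d4e5f6a", "file": "ci.yml",
        "repository": "https://gitlab.com/example/old.git", "timestamp": "2010-01-05 12:00:00 +0000"}}},
        "DetectorName": "Gitlab", "Verified": False, "Redacted": "glpat-***"}),
    json.dumps({"SourceMetadata": {"Data": {"Git": {"commit": "e5f6a7b", "file": "scripts/push.py",
        "repository": "https://gitlab.com/example/tooling.git", "timestamp": "2024-12-15 03:45:10 +0000"}}},
        "DetectorName": "Gitlab", "Verified": True, "Redacted": "glpat-***"}),
    "trufflehog: not a JSON line, should be skipped",  # constructed noise to exercise the parser
])

# Fixed reference date so the age computation below is reproducible (an assumption for the example).
EXAMPLE_NOW = datetime(2025, 4, 1, tzinfo=timezone.utc)


def parse_findings(text):
    """Parse newline-delimited JSON findings, silently skipping blank or malformed lines."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            findings.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return findings


def git_meta(finding):
    """Return the Git source metadata dict for a finding, or {} if it is not a git finding."""
    return finding.get("SourceMetadata", {}).get("Data", {}).get("Git", {})


def commit_time(finding):
    """Parse the commit timestamp ('YYYY-MM-DD HH:MM:SS +ZZZZ'); None if absent or unparseable."""
    ts = git_meta(finding).get("timestamp")
    if not ts:
        return None
    try:
        return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S %z")
    except ValueError:
        return None


def verified_by_detector(findings):
    """Count only findings TruffleHog verified as live, keyed by detector (e.g. GCP, AWS, Gitlab)."""
    return Counter(f.get("DetectorName", "unknown") for f in findings if f.get("Verified") is True)


def zombie_secrets(findings, now, min_age_years=5):
    """Live secrets whose commit is at least min_age_years old: (repo, detector, commit year, age)."""
    zombies = []
    for f in findings:
        if f.get("Verified") is not True:
            continue
        t = commit_time(f)
        if t is None:
            continue
        age_years = (now - t).days / 365.25
        if age_years >= min_age_years:
            zombies.append((git_meta(f).get("repository"), f.get("DetectorName"), t.year, round(age_years, 1)))
    return zombies


def triage(text, now=None, min_age_years=5):
    """Summarise a TruffleHog JSON run: totals, per-detector counts of live secrets, and zombies."""
    now = now or datetime.now(timezone.utc)
    findings = parse_findings(text)
    by_detector = verified_by_detector(findings)
    return {
        "total": len(findings),
        "verified": sum(by_detector.values()),
        "by_detector": dict(by_detector.most_common()),
        "top_detector": by_detector.most_common(1)[0][0] if by_detector else None,
        "zombies": zombie_secrets(findings, now, min_age_years),
    }


if __name__ == "__main__":
    # In practice: trufflehog git <repo> --only-verified --json > findings.jsonl, then triage that file.
    print(json.dumps(triage(SAMPLE_FINDINGS, now=EXAMPLE_NOW), indent=2, default=str))
```

Two design points worth keeping when scaling this up: only `Verified: true` findings are counted, because unverified matches (such as the 2010 GitLab token above) are exactly the noise that makes a 5.6-million-repository scan untriageable, and the report carries only the `Redacted` form of each secret, so the aggregation output can be shared with a disclosure team without itself becoming a secret sprawl.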