
Warning email from GitGuardian about SECRET_KEY

Open jwhitlock opened this issue 4 years ago • 29 comments

In the "Deploy!" section, when the project is pushed to GitHub, an email "[username/my-first-blog] Django Secret Key exposed on GitHub" is sent to the repo owner from [email protected]. It does not seem that this is an official GitHub feature, but an unsolicited email from a hungry startup.

Here's my version of the email:

GitGuardian has detected the following Django Secret Key exposed within your GitHub account.

Details

  • Secret type: Django Secret Key
  • Repository: jwhitlock/djangofest-2020
  • Pushed date: 2020-11-14T18:50:11+0000

[[ Protect Your GitHub Repos]]

GitGuardian is an automated secrets detection service trusted by 150,000 developers worldwide.

The phrase "Protect Your GitHub Repos" is a call-to-action button that takes you to a GitHub authorization screen to add the GitGuardian service to your account. I signed up, and there was no useful advice about how to solve the issue easily available. They have some blog articles:

  • https://blog.gitguardian.com/secrets-api-management/ - generic "best practices" advice, including to sign up for their service, but not specific to SECRET_KEY.

If this company continues doing this, it would affect any student regardless of language or operating systems.

This caused some distress for the students and a lot of discussion among the coaches.

I'm not sure what the solution should be. It may be enough to say "you may get this email, and should ignore it for now". Another possible solution is to use python-dotenv as suggested by pythonanywhere, and walk students through those changes in the tutorial. Or, it may be enough to mention the Django deployment checklist, linked in the generated settings.py.

jwhitlock avatar Nov 14 '20 21:11 jwhitlock

I have got the same message, but from a weather API secret.

nandish1199 avatar Jul 24 '21 18:07 nandish1199

I got the same and you helped us

waseyhasankhan avatar Feb 12 '22 03:02 waseyhasankhan

Got the same message when I pushed changes to the remote GitHub repo. Help?

aman-ghanghor avatar Apr 21 '22 12:04 aman-ghanghor

You can just ignore that message. (I'd write "You can safely ignore that message", but that wouldn't be quite true, as the message is indeed right that publishing the SECRET_KEY on GitHub is unsafe. However it's what the tutorial currently instructs you to do for simplicity, so just be aware that you should not do it that way for production deployments.)

das-g avatar Apr 21 '22 13:04 das-g
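Since the thread stops at "ignore it for now" and the python-dotenv suggestion from the original post, here is an added example of what the fix das-g alludes to actually looks like in practice. This is my own code, not from the Django Girls tutorial, Django, python-dotenv or GitGuardian: it generates a replacement key (a key that has been pushed has to be rotated, not just deleted from the repo), loads it from a git-ignored `.env` file the way `settings.py` would, and runs a small scanner over settings text to show the kind of line that triggers an email like the one above. The `load_dotenv` here is a deliberately minimal stand-in for python-dotenv's function of the same name, the `_HARDCODED` regex and the `DJANGO_SECRET_KEY` variable name are my own assumptions, and every settings snippet and key value is constructed for the example.

```python
"""Keep Django's SECRET_KEY out of git: rotate, load from .env, and scan.

Added example, standard library only. load_dotenv() is a minimal stand-in for
python-dotenv; the scanner regex is a heuristic, not GitGuardian's detector.
"""
import os
import re
import secrets
import tempfile
from pathlib import Path

# Same alphabet and length as django.core.management.utils.get_random_secret_key().
_SECRET_CHARS = "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)"


def generate_secret_key(length: int = 50) -> str:
    """Fresh random key. A key that reached a public repo must be replaced;
    removing it from the repository afterwards does not un-leak it."""
    return "".join(secrets.choice(_SECRET_CHARS) for _ in range(length))


def load_dotenv(path: Path, environ: dict) -> int:
    """Minimal .env loader (stand-in for python-dotenv's load_dotenv()):
    KEY=value lines, '#' comment lines, optional matching quotes around the
    value. Existing variables are not overwritten. Returns the number set."""
    if not path.is_file():
        return 0
    count = 0
    for raw in path.read_text(encoding="utf-8").splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the FIRST '=' only
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        if key and key not in environ:
            environ[key] = value
            count += 1
    return count


def secret_key_from_env(environ: dict) -> str:
    """What settings.py should do instead of a literal: read the key from the
    environment and fail loudly if it is missing, rather than silently fall
    back to a default string that would end up committed."""
    key = environ.get("DJANGO_SECRET_KEY", "")  # variable name is an assumption
    if len(key) < 50:
        raise RuntimeError(
            "DJANGO_SECRET_KEY is unset or shorter than 50 characters; "
            "export it or put it in a git-ignored .env file"
        )
    return key


# Heuristic in the spirit of a secret scanner: a SECRET_KEY line carrying a
# quoted literal of 30+ non-quote characters, whether assigned directly or
# smuggled in as the fallback of os.environ.get(). Generated keys are 50 chars.
_HARDCODED = re.compile(r"""^\s*SECRET_KEY\s*=.*?(['"])([^'"]{30,})\1""", re.M)


def find_hardcoded_secret_key(settings_source: str) -> list:
    """Return literal key values found on SECRET_KEY lines of settings.py text;
    an empty list means nothing this heuristic would flag."""
    return [m.group(2) for m in _HARDCODED.finditer(settings_source)]


# Constructed settings.py fragments; the key value is invented for this example.
LEAKY_SETTINGS = """
# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = 'django-insecure-4k(p9r@2w$z7!x1n_s3m&v5y8c0q2d6f^h'
DEBUG = True
"""
STILL_LEAKY_SETTINGS = """
SECRET_KEY = os.environ.get('DJANGO_SECRET_KEY', 'django-insecure-4k(p9r@2w$z7!x1n_s3m&v5y8c0q2d6f^h')
"""
CLEAN_SETTINGS = """
SECRET_KEY = os.environ['DJANGO_SECRET_KEY']
DEBUG = False
"""


def demo() -> dict:
    """End to end: find the leaked literal, rotate, store the new key in a .env
    outside the repo, and resolve it the way settings.py would."""
    leaked = find_hardcoded_secret_key(LEAKY_SETTINGS)
    new_key = generate_secret_key()
    with tempfile.TemporaryDirectory() as tmp:
        dotenv = Path(tmp) / ".env"  # in a real project: git-ignored, next to manage.py
        dotenv.write_text(f"# never commit this file\nDJANGO_SECRET_KEY='{new_key}'\n")
        environ = {}  # stands in for os.environ
        loaded = load_dotenv(dotenv, environ)
        resolved = secret_key_from_env(environ)
    return {
        "leaked": leaked,
        "fallback_leak": find_hardcoded_secret_key(STILL_LEAKY_SETTINGS),
        "clean": find_hardcoded_secret_key(CLEAN_SETTINGS),
        "loaded": loaded,
        "rotated": resolved == new_key and resolved != leaked[0],
    }


if __name__ == "__main__":
    print(demo())
    # In a real settings.py the two calls would be:
    #   load_dotenv(Path(__file__).resolve().parent.parent / ".env", os.environ)
    #   SECRET_KEY = secret_key_from_env(os.environ)
```

Two things the thread leaves implicit: the `.env` file must be listed in `.gitignore` before the next push, and rotating the key invalidates every existing session and password-reset link signed with the old one, so for a production site schedule the rotation rather than doing it mid-traffic (the tutorial blog has no such users, so there it is free).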

Thank you very much. I had a similar message and I clicked on "fix the secret leak", but before authorizing it it seemed strange to me, and when looking for information your warning came up :). Anyway, if you look at the GitHub icon the link is different too. [image] [image] Or in dark mode: [image]

Marderon123 avatar May 29 '22 11:05 Marderon123

I got the same message. Is there a way of fixing this?

jayumaks avatar Oct 14 '22 03:10 jayumaks