Are your Secrets Safe In Python?
Secrets and tokens stored in a Python config or secrets file can be exposed through pyc files when committed to a GitHub repository.
While scrolling through Hacker News, I stumbled upon this article, where Jesse points out how you or your organization can have secrets hidden in the form of pyc files.
While Jesse's code has scrolled through GitHub repos and notified the code owners, there is a good chance that our private repos could still have some pyc files hanging around.
I modified the code to scroll through Saama's private repositories. Gladly, I didn't find any pyc files checked in.
You can use the same code to scroll through your private repositories.
Dependencies
Code
If you want to jump ahead to the whole code, check out the GitHub repo.
Import necessary packages
Authenticate with GitHub
Create a private access token and use it to authenticate yourself.
Get all repos given an organization
Find files with *.pyc extension
If there are no pyc files, you are good to go.
If any pyc files might contain secrets, decompile them and print them out.
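A local counterpart to the last two steps, added here as an example (it is not the code from the article or its repository): it walks a checkout on disk instead of the GitHub API, and it lists the string constants stored in each pyc rather than fully decompiling it. The names `strings_in_pyc`, `scan_checkout`, `demo` and the sample `settings.py` contents are assumptions made for illustration.

```python
import marshal
import py_compile
import tempfile
import types
from pathlib import Path

PYC_HEADER_LEN = 16  # magic + flags + mtime/hash + size (CPython 3.7+, PEP 552)

def strings_in_pyc(pyc_path):
    """Return every string constant stored in a .pyc, including nested code objects.

    marshal data is interpreter-version specific and marshal is not hardened
    against malformed input, so run this with the matching Python version
    and only on files from repositories you control.
    """
    code = marshal.loads(Path(pyc_path).read_bytes()[PYC_HEADER_LEN:])
    found, stack = [], [code]
    while stack:
        item = stack.pop()
        if isinstance(item, types.CodeType):
            stack.extend(item.co_consts)      # literals used by this code object
        elif isinstance(item, (tuple, frozenset)):
            stack.extend(item)                # literals folded into containers
        elif isinstance(item, str):
            found.append(item)
    return found

def scan_checkout(root):
    """Map each *.pyc under root to the string constants it contains."""
    return {str(p.relative_to(root)): strings_in_pyc(p)
            for p in Path(root).rglob("*.pyc")}

def demo():
    """Constructed sample: the settings source is removed but its .pyc remains."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "settings.py"
        src.write_text('API_TOKEN = "constructed-example-token-123"\n'
                       'def dsn():\n'
                       '    return "db://user:constructed-pass@host/db"\n')
        py_compile.compile(str(src), cfile=str(Path(tmp) / "settings.pyc"))
        src.unlink()  # source gone (e.g. git-ignored), bytecode still present
        return scan_checkout(tmp)

if __name__ == "__main__":
    for path, strings in demo().items():
        print(path, strings)
```

Any value this reports from a committed pyc should be treated as exposed and rotated; removing the file in a later commit does not remove it from the repository history.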