How Microsoft is helping you NOT screw up your Azure Secrets on GitHub
OK, so you are building this awesome cloud application and running it on Azure. You are doing a great job of using source control and then one day, without even thinking about it you check in code and configuration that includes... yep... production credentials for Azure services.
It happens. Far too much I am afraid. I won't get into lecturing on how DevOps should be doing a better job by using Azure Key Vault to secure production credentials and configurations. Instead I am going to refer you to this article that discusses how to manage Azure Secrets on GitHub Repositories.
An increasing number of developers across the globe use GitHub to host their projects, and many of them use GitHub public repositories for their open source work. While this is a great way to contribute and leverage the power of the community, it does come with a unique set of responsibilities. Particularly around managing credentials and other secrets.
Examples of Azure secrets are authentication credentials that should not be made public. These include things such as passwords, private keys, database connection strings, and storage account keys that are managed by Azure tenants.
To help protect us from ourselves, Azure runs Credential Scanner aka CredScan. CredScan monitors all incoming commits on GitHub and checks for specific Azure tenant secrets such as Azure subscription management certificates and Azure SQL connection strings.
Upon detection of an exposed secret, the Azure subscription owner gets notified via email from Microsoft’s Cyber Defense Operation Center (CDOC). The email notifies users on which commits have an issue, along with their affected subscriptions, assets, secret type and guidance on how to fix the exposure.
Does it work? Well, Microsoft reports that thousands of customers have been notified since the detection was put in place, resulting in further securing customer applications and Azure assets.
Be smart. Don't check in Azure Secrets. But if you do, know Microsoft has your back.
(And threat actors will have your keys... for a short period of time.)