Kumar Ashwin

[email protected]
Events
talk

Hidden in Plain Sight: Large-Scale Exposure of Orphaned Commits on Major Git Platforms

Host
Nullcon Goa 2025
Location
Goa, India
Audience
Security Professionals, Developers, DevOps Engineers
Duration
45 minutes

In modern development, version control is essential—but hidden risks often lie within its architecture. Across GitHub, GitLab, and Bitbucket, dangling commits introduce a significant security vulnerability. These remnants—left behind when developers reset, modify, or delete files, believing sensitive data has been removed—persist within the repository history, containing secrets like API keys, credentials, and proprietary configurations. While the existence of dangling commits is not new, identifying and extracting sensitive information from them remains challenging.

In our research, we leveraged techniques allowing us to systematically identify and enumerate dangling commits, both within specific repositories and at scale across major Git platforms. This large-scale analysis uncovered alarming amounts of exposed secrets, revealing a widespread yet often overlooked security gap.

In this talk, we’ll discuss our methods for discovering these hidden risks, the engineering setup behind our at-scale analysis, and the challenges encountered along the way. We’ll conclude with practical solutions and best practices for preventing such exposures through effective repository hygiene. For organizations, this session is a crucial wake-up call to secure all aspects of their repositories—from visible code to hidden remnants—from silent but significant risks.

Slides

Slide 1
Slide 2
Slide 3
Slide 4
Slide 5
Slide 6
Slide 7
Slide 8
Slide 9
Slide 10
Slide 11
Slide 12
Slide 13
Slide 14
Slide 15
Slide 16
Slide 17
Slide 18
Slide 19
Slide 20
Slide 21
Slide 22
Slide 23
Slide 24
Slide 25
Slide 26
Slide 27
Slide 28
Slide 29
Slide 30
Slide 31
Slide 32
Slide 33
Slide 34
Slide 35
Slide 36
Slide 37
Slide 38
Slide 39
Slide 40
1 / 40

Recording