Presentation Material
Abstract
In modern development, version control is essential, but hidden risks often lie within its architecture. Across GitHub, GitLab, and Bitbucket, dangling commits introduce a significant security vulnerability. These remnants, left behind when developers reset, modify, or delete files believing sensitive data has been removed, persist within the repository history, containing secrets like API keys, credentials, and proprietary configurations. While the existence of dangling commits is not new, identifying and extracting sensitive information from them remains challenging.
In our research, we leveraged techniques allowing us to systematically identify and enumerate dangling commits, both within specific repositories and at scale across major Git platforms. This large-scale analysis uncovered alarming amounts of exposed secrets, revealing a widespread yet often overlooked security gap.
In this talk, we'll discuss our methods for discovering these hidden risks, the engineering setup behind our at-scale analysis, and the challenges encountered along the way. We'll conclude with practical solutions and best practices for preventing such exposures through effective repository hygiene. For organizations, this session is a crucial wake-up call to secure all aspects of their repositories, from visible code to hidden remnants, against silent but significant risks.
AI Generated Summary
The talk examined the security risk posed by dangling commits (Git commits that no branch or tag reaches) across the major Git hosting platforms. Such commits are left behind by force pushes, amends, resets, and branch deletions; the hosting platform keeps the objects, they can still be fetched by SHA, and platform secret scanning does not cover them.
A large-scale study analyzed over 5.4 billion GitHub commits, using historical event data and the branch commit endpoint to determine which commits are no longer reachable from any branch. After filtering, 66 million dangling commits remained, containing approximately 500,000 verified secrets, including cloud provider credentials, API tokens, and Docker Hub keys. 22% of the dangling commits were created on Fridays, and major technology firms were among the top contributors. Crucially, standard remediation tools such as git filter-repo only rewrite the local history: the force push that follows updates the remote's refs but leaves the old commit objects on the server, so a manual deletion request to the hosting service is typically required to purge them.
The primary technical challenge is that dangling commits are invisible in standard repository views, creating a blind spot for secret scanning. Practical mitigations include pre-commit hooks that block secrets before they are committed, branch protection rules, and continuous monitoring for orphaned commits. For self-hosted Git servers, administrators can enforce stricter server-side controls (for example, pre-receive hooks that reject pushes containing secrets), though this adds operational overhead. Ultimately, developer education on secure commit hygiene is critical, since public repositories, including developers' personal ones, remain outside organizational control. The findings show that secret exposure in dangling commits is a persistent, low-visibility attack surface requiring both technical and behavioral defenses.
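To make two of the points above concrete (a history rewrite does not delete the old commit from the remote, and dangling commits can be enumerated and scanned for secrets), here is an added shell example; it is not part of the talk or of the speakers' research tooling. It builds a throwaway clone and a bare "remote" under mktemp, commits a constructed secret (the AWS documentation example key, not a live credential), amends it away and force pushes, then uses `git fsck --unreachable --no-reflogs` to list the orphaned commits on both sides and greps every file in their trees. The function names, the demo layout and the secret regex are assumptions made for this illustration; it needs only git and POSIX tools.

```shell
#!/bin/sh
# Added example (not from the talk): reproduce a dangling commit locally, show that a
# force push leaves it in the remote's object store, and enumerate + scan it with git fsck.
set -eu

# Build a local clone and a bare "remote" in a temp dir; commit a secret, push it,
# rewrite the commit to drop the secret, and force push. Prints the temp dir path.
make_demo_repos() {
  base=$(mktemp -d)
  git init -q --bare "$base/remote.git"
  git init -q "$base/clone"
  git -C "$base/clone" config user.email demo@example.invalid
  git -C "$base/clone" config user.name demo
  git -C "$base/clone" config commit.gpgsign false
  git -C "$base/clone" remote add origin "$base/remote.git"
  # Constructed secret: the AWS documentation example key, not a live credential.
  printf 'AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n' > "$base/clone/.env"
  git -C "$base/clone" add .env
  git -C "$base/clone" commit -qm 'add config'
  git -C "$base/clone" push -q origin HEAD:refs/heads/main
  # The developer "removes" the secret by amending and force pushing. The ref moves;
  # the original commit object is deleted from neither the clone nor the remote.
  printf 'AWS_SECRET_ACCESS_KEY=<redacted>\n' > "$base/clone/.env"
  git -C "$base/clone" add .env
  git -C "$base/clone" commit -q --amend -m 'add config (sanitised)'
  git -C "$base/clone" push -q --force origin HEAD:refs/heads/main
  echo "$base"
}

# Commits in a repository that no ref reaches, one SHA per line. --no-reflogs matters:
# the clone's reflog still knows the pre-amend commit and would otherwise hide it,
# whereas a server-side bare repo has no reflog and sees the commit as unreachable anyway.
list_dangling_commits() {
  git -C "$1" fsck --unreachable --no-reflogs 2>/dev/null \
    | awk '($1 == "unreachable" || $1 == "dangling") && $2 == "commit" { print $3 }'
}

# Grep every file in the tree of every dangling commit for a secret pattern.
# Prints "<sha>:<path>" per hit. The default regex is an assumption for the demo.
scan_dangling_commits() {
  repo=$1
  pattern=${2:-'AWS_SECRET_ACCESS_KEY=[A-Za-z0-9/+]{40}'}
  list_dangling_commits "$repo" | while read -r sha; do
    git -C "$repo" ls-tree -r --name-only "$sha" | while read -r path; do
      if git -C "$repo" show "$sha:$path" | grep -Eq -- "$pattern"; then
        printf '%s:%s\n' "$sha" "$path"
      fi
    done
  done
}

# Number of dangling commits that still carry a matching secret.
count_dangling_secrets() {
  scan_dangling_commits "$1" | wc -l | tr -d ' '
}

if [ "${1:-}" = "demo" ]; then
  base=$(make_demo_repos)
  echo "clone (the amended-away commit is still in .git/objects):"
  scan_dangling_commits "$base/clone"
  echo "remote (the force push moved the ref but left the old object behind):"
  scan_dangling_commits "$base/remote.git"
fi
```

Run it with `sh dangling.sh demo`; both repositories report the same commit and path. On the clone, `git reflog expire --expire=now --all` followed by `git gc --prune=now` would actually delete the object, but nothing done locally, including git filter-repo followed by a force push, touches the copy sitting in the remote's object store, which is exactly why the talk recommends asking the hosting provider to delete it.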