Someone accidentally commits private AWS keys to an open-source project and ends up handing candy to a bitcoin miner. Once committed, these secrets are easily discoverable through GitHub Search, which makes the accidental disclosure even more dangerous. To combat this and other threats to the safe use of open source, SourceClear announced Commit Watcher, a recently open-sourced tool that finds interesting and potentially hazardous commits: both accidental credential leaks and undisclosed security patches.
The tool addresses two critical categories of issues in open-source software: changes that are by nature public, yet largely go unnoticed. These are accidental disclosure of sensitive information (SSH keys, AWS credentials and so on) and security patches for vulnerabilities that are not explicitly disclosed. Companies can watch their own projects, public and private, for accidental disclosures and take remedial action as soon as possible. Commit Watcher is further backed by a comprehensive vulnerability database, SourceClear Registry, and complements SourceClear Open in the arsenal of products SourceClear has designed specifically for open-source developers.
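To make the two categories concrete, here is an added example (my own code, not Commit Watcher's, whose rules the article does not describe) that scans constructed commit diffs for leaked AWS credentials and private keys and flags commit messages that read like quiet security fixes. The detection patterns, the heuristic keywords and the sample commits are all assumptions made for this illustration.

```python
import re

# Detection rules are my assumptions for illustration, not Commit Watcher's.
# AWS access key IDs are "AKIA" + 16 uppercase alphanumerics; secrets are 40 chars.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?[A-Za-z0-9/+]{40}"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Coarse heuristic for messages describing a quiet security fix; expect noise.
SECURITY_WORDS = re.compile(
    r"\b(?:xss|csrf|sql injection|overflow|sanitiz\w*|escap\w*|cve-\d{4}-\d+)", re.I)

def scan_commit(message, diff):
    """Return secrets added/removed in a unified diff, plus whether the commit
    message looks like an undisclosed security patch."""
    secrets = []
    for line in diff.splitlines():
        if not line or line[0] not in "+-" or line.startswith(("+++", "---")):
            continue  # only changed lines matter; skip file headers and context
        kind = "added" if line[0] == "+" else "removed"
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line[1:]):
                # A removed secret still exists in history: it must be rotated.
                secrets.append((name, kind))
    return {"secrets": secrets,
            "looks_like_security_fix": bool(SECURITY_WORDS.search(message))}

# Constructed sample commits (message, diff), not from any real repository; the
# AWS values are the placeholder credentials used in AWS's own documentation.
SAMPLE_COMMITS = [
    ("add deploy helper", "--- a/deploy.sh\n+++ b/deploy.sh\n"
     "+export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
     "+export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY\n"),
    ("remove stale config", "--- a/deploy.sh\n+++ b/deploy.sh\n"
     "-export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
     "+export AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID:?set in CI}\n"),
    ("Escape query before rendering results (XSS)", "--- a/views.py\n+++ b/views.py\n"
     "-    return render(query)\n+    return render(escape(query))\n"),
    ("bump version", "--- a/VERSION\n+++ b/VERSION\n-1.2.0\n+1.2.1\n"),
]

def scan_all(commits=SAMPLE_COMMITS):
    # Scan every commit and keep only those worth a human look.
    flagged = []
    for msg, diff in commits:
        result = scan_commit(msg, diff)
        if result["secrets"] or result["looks_like_security_fix"]:
            flagged.append((msg, result))
    return flagged
```

Note that the second sample commit is flagged even though it only removes the key: the credential is still recoverable from history, so removal is not a substitute for rotation.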