DigitalOcean OAuth Refresh Token was found in the code of a private repository

[ox-barazouri]

• Category: Secret/PII Scan
• Policy Name: Secret in code
• Application Name: security tools / semgrep-community-rules
• Fix Link:
• Click here to see details in OX App:

Issue Description:

DigitalOcean OAuth Refresh Token was found in the code of a private repository.

Recommendations:

Please verify if the DigitalOcean OAuth Refresh Token in the code is in use. Then do the following: 1. If the secret is in use, please revoke it. 2. Moving forward, store secrets in an environment variable or secret manager. 3. Change the code to access secrets using the method chosen above. WARNING: The found DigitalOcean OAuth Refresh Token will still be visible in the Git History. Ensure it is revoked/disabled.

Aggregations:

File	Line	Match	Commit By	Open ticket day	Commit Message	Type	Merged by	Reviewers	Commit Date	Location	Parameter	Test	CVSS	Alert Link
semgrep-rules/generic/secrets/gitleaks/digitalocean-refresh-token.go	2	do_api_token = "dor_v1_bd1ebc2aada42ea89a27ae57a990************************************"	aviadlevy [email protected]		Add the fule repository with all files				2024-08-14 15:32:38

[echoix]

@ox-barazouri Seems something that someone inside OxSecurity can be able to respond, do you mind following up internally with them? I can't find the author in the autocompletion to tag him/her in.

[nvuillam]

chatting with @ox-barazouri to see what it is about :)