CRZ-009
41+ secrets in public GitHub repos (AWS key, admin tokens, TLS keys)
high
CVSS 3.1: 9.3 · Asset: corezoid/helm + corezoid_ansible_roles
- Severity: High (Critical-adjacent — depends on whether leaked secrets are still live)
- CVSS 3.1:
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L→ 9.3 if any leaked secret is still valid; 6.5 if all are rotated - CWE: CWE-798 (Use of Hard-coded Credentials), CWE-540 (Inclusion of Sensitive Information in Source Code), CWE-200
- Asset:
github.com/corezoid/helm(PUBLIC),github.com/corezoid/corezoid_ansible_roles(PUBLIC),github.com/corezoid/terraform(private — lower blast radius) - Discovered: 2026-04-26
- Status: Open — rotate every secret listed below immediately
Summary
Gitleaks scanning of the full git history across 3 Corezoid
repositories surfaced 41+ secret-shaped strings
including RSA private keys, AWS access keys, admin bearer
tokens, database passwords, and TLS private keys. Two of the
repositories (helm, corezoid_ansible_roles)
are public on GitHub, meaning the leaked content is
permanently indexed, archived, and searchable by any attacker (Wayback
Machine, GitHub Archive, HIBP-style services, and automated
credential-harvesting bots).
Repository visibility
| Repo | Visibility | Secrets in history | Exposure |
|---|---|---|---|
corezoid/helm |
PUBLIC | 26 (over 293 commits) | Worldwide, permanent |
corezoid/corezoid_ansible_roles |
PUBLIC | 15 (over 93 commits) | Worldwide, permanent |
corezoid/terraform |
Private | 8 | Limited to org members + GitHub |
Leaked secrets inventory (non-exhaustive)
helm (public) — 26
findings
| File | Line | Commit | Secret | Likely purpose |
|---|---|---|---|---|
corezoid/values.yaml |
707 | 45ec3008 | AKIAYQAMCNBUQ3PY5FO3 |
AWS Access Key ID (IAM user) |
corezoid/values.yaml |
727 | 45ec3008 | ungoh3mohM3valu6Zu1ohdiighie1EemoophaequohMoov |
Admin bearer token secret |
corezoid/tls-cert/ingress/ingress-tls.key |
1 | 4b120513 | -----BEGIN PRIVATE KEY----- |
TLS private key (ingress) |
corezoid/tls-cert/rabbitmq/tls-cert.key |
1 | 4b120513 | -----BEGIN PRIVATE KEY----- |
TLS private key (rabbitmq) |
corezoid/charts/rabbitmq/README.md |
128 | 45ec3008 | -----BEGIN RSA PRIVATE KEY----- |
RSA private key (pasted in README) |
corezoid/charts/ingress-nginx/templates/default-server-secret.yaml |
3,10 | ccedacb0 | TLS cert + RSA private key | Default ingress TLS |
corezoid/values.yaml |
575 | 5de4f71a | QW4s20Vobe7_QuqzKViGC |
API key / token |
corezoid/values.yaml |
363 | 5b93ba99 | I9EmB170XUbe |
API key / token (reappears in multiple commits) |
corezoid/values.yaml-orig |
188, 353 | c81e1498 | 0PqNKlo0QH30dcYNGUqzYj2QnQuSDGsd,
I9EmB170XUbe |
Secret tokens |
corezoid/values.yaml |
348 | e9cd54f4 | QIsV6w4HaVwNkIvJvHvrS9i9JhNDEGzi |
Secret token |
corezoid/charts/capi/templates/capi-configmap.yaml |
993 | 23ce121f | ZY8bwLJDYouuApi2ENxlup6kqShnhk3U |
Secret token |
corezoid/charts/postgres/files/3.5/init/add_admin.sql |
29,30,33,34 | ccedacb0 | NE4wzHnodH9sbTeEfNaxDx23scM0ZaLS76xBiSIBhqT7EL4M3e |
Postgres admin password |
Example: the AWS key ID AKIAYQAMCNBUQ3PY5FO3 is visible
at corezoid/values.yaml:761 in the current
tree (not just history), adjacent to
secretAccessKey: "" — meaning the secret is expected to be
populated at deploy time. If the key ID is real, an attacker with a
leaked secretAccessKey (from any channel) can use this pair
directly.
corezoid_ansible_roles
(public) — 15 findings
| File | Secret | Likely purpose |
|---|---|---|
roles/{capi,conf_agent_server,front_capi}/templates/corezoid-demo.pem.j2 |
RSA private key | Demo/customer key — reused across 3 roles |
roles/marketplace-deepmemo/.../server.key |
RSA private key | Server key in Ansible tree |
vars/box-credentials.yml:13 |
di0jei3Tiefaipaih3ui2e23e23e2e25Aa7 |
Box credentials (likely box.yml deployment vars) |
vars/box.yml:329 |
xvq8rZXyL9JzwcIFiioDCx0lCpG75wa5Nld6EKMFAOhfjeVWJr |
Long random token |
roles/postgresql/templates/reset_password.sh:11 |
ohy8ooj5sabathe4Iquoogu9phoh1soo |
DB reset password |
roles/postgresql_asw_marketplace/files/5.7_old/init/accounts.sql:99 |
CvWWucKadWJeJXFH8UfcU2qeIBeu1NRa |
Marketplace accounts seed |
roles/single_account/create:196 |
kMuurBTalvzl6CmplNa2A8boQhhC4GVi |
Single-account init secret |
roles/{capi,sync-api,api-multipart,postgresql,postgresql-rds}/README.md |
various | README-pasted passwords |
Live-key validation
Performed:
- Compared SHA-256 fingerprint of committed
ingress-tls.keypublic key against live*.corezoid.comcert: NO MATCH (b0ea83a9...vs live021605b2...). The leaked key is not currently deployed. Good.
NOT performed (requires customer action):
- AWS IAM audit — confirm whether
AKIAYQAMCNBUQ3PY5FO3is still active or has been deactivated - Postgres credential rotation audit
- RabbitMQ credential rotation audit
- Historical log analysis for any successful auth using leaked creds
Impact
If any leaked credential is still live:
- AWS: account takeover (depending on IAM permissions of that user)
- Admin bearer token: unauth admin access to whatever service accepts it
- Postgres admin: full database compromise (customer data, user passwords, workflow secrets)
- TLS keys: if re-issued from the same key, full TLS impersonation
Even if all are rotated:
- Attackers know your internal naming conventions, infrastructure topology, tooling choices
- Future leaks (even of obfuscated secrets) become easier to correlate back to real credentials
- Public visibility damages security reputation and invites continued automated scanning
Remediation
Priority 1 — immediate (within 24h):
- Rotate every listed secret. Treat all 41+ as compromised.
- Revoke
AKIAYQAMCNBUQ3PY5FO3in AWS IAM. Audit CloudTrail for any usage of that key over the last 365 days. - Rotate all database passwords referenced in
add_admin.sql,reset_password.sh, and any seed SQL files. - Revoke and re-issue any TLS certificates whose private keys appear in git history — even if currently unused. Ensure certificate transparency logs have no active certificates matching the compromised public keys.
- Rotate the
admin_bearer_token_secretinvalues.yaml:781.
Priority 2 — within 1 week:
- Scrub git history using
git filter-repoor BFG Repo-Cleaner, then force-push. (Note: old history remains in forks, GitHub's reflog for ~90 days, and external archives forever — rotation is primary defense, history-rewrite is secondary.) - Install pre-commit secret-scanning hooks (gitleaks, detect-secrets) for every Corezoid repo.
- Enable GitHub secret scanning alerts + push protection (Settings → Code security).
- Enforce AWS key-rotation policy (90 days max, automated via IAM).
- Audit
corezoid_ansible_rolescorezoid-demo.pem.j2— confirm whether "demo" keys are used in any customer-facing demo environment. If yes, rotate; if never-deployed, delete the template.
Priority 3 — systemic:
- Migrate
helmandcorezoid_ansible_rolesto private if any real customer deployment ever uses them. Public Helm charts are a legitimate pattern (e.g.,bitnami/charts), but only when they contain zero secrets and zero internal references. - Separate secrets into a vault (Vault, AWS Secrets Manager, Sealed Secrets). Helm values should reference secrets by name, never contain them.
- Org-wide secret-scan baseline — run
trufflehog --only-verifiedagainst every repo, including archived ones. - Developer training — the
README.mdpastes of private keys suggest no one realized they shouldn't document config that way.
References
- CWE-798, CWE-540, CWE-200
- GitHub secret scanning
- Gitleaks — detecting secrets
- BFG Repo-Cleaner
- AWS IAM key rotation best practices