Automate revocation of GC Notify API keys detected in public github repos
Closed this issue · 2 comments
andrewleith commented
Description
As a Notify Security Dev, I need to be able to revoke an API key immediately if it is found in a public repo, so that I can ensure GC Notify isn't used by an unauthorized third party.
WHY are we building?
- Increase the security of GC Notify
WHAT are we building?
- API endpoint to automatically revoke an API key
VALUE created by our solution
- Protect all of GC Notify by disabling API keys that were accidentally made public
Documentation and Artifacts
- Create a secured/authenticated endpoint that allows for an API key to be revoked
Acceptance Criteria
- GitHub or SRE is able to call this method when an API key is detected in a public repo
- Generate an audit trail so invocations of this method can be tracked
- Generate an alert when this method is called
Related Research Airtable records
- (Ping Adrianne to add stuff here or find stuff yourself)
QA Steps
- Tested in a realistic production scenario
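As an added example, not GC Notify's own code, the sketch below shows the shape of the endpoint logic this card asks for: authenticate the caller, find the key by its hash, mark it revoked idempotently, write an audit record that never contains the leaked secret, and raise an alert. Everything here is assumed for illustration: the shared-secret HMAC check (chosen for the example, not GitHub's actual secret-scanning signing scheme), the `token`/`source`/`url` payload fields, the in-memory key store, and the constructed keys and repo URL.

```python
"""Hypothetical leaked-API-key revocation handler (example only, not GC Notify's code)."""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: a shared secret known only to the caller (GitHub tooling or SRE) and this service.
REVOKE_SECRET = b"constructed-shared-secret-for-this-example"


@dataclass
class ApiKey:
    key_id: str
    service_id: str
    key_hash: str                       # only a SHA-256 of the key is stored, never the plaintext
    revoked: bool = False
    revoked_reason: Optional[str] = None


def hash_key(plaintext: str) -> str:
    return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()


class KeyStore:
    """Stand-in for the API-key table, indexed by key hash."""

    def __init__(self, keys: List[ApiKey]):
        self._by_hash: Dict[str, ApiKey] = {k.key_hash: k for k in keys}

    def find(self, plaintext: str) -> Optional[ApiKey]:
        return self._by_hash.get(hash_key(plaintext))


def sign_request(body: bytes, secret: bytes = REVOKE_SECRET) -> str:
    """Caller-side signature over the raw request body (hypothetical scheme)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


class RevocationService:
    def __init__(self, store: KeyStore):
        self.store = store
        self.audit_log: List[dict] = []   # acceptance criterion: every invocation is recorded
        self.alerts: List[str] = []       # acceptance criterion: a successful revocation alerts

    def _audit(self, **fields) -> dict:
        record = {"ts": time.time(), "action": "revoke_leaked_key", **fields}
        self.audit_log.append(record)
        return record

    def revoke_leaked_key(self, body: bytes, signature: str) -> dict:
        # 1. Authenticate the caller with a constant-time comparison; reject before parsing.
        if not hmac.compare_digest(sign_request(body), signature):
            self._audit(result="rejected_bad_signature")
            return {"status": 401, "revoked": False}

        payload = json.loads(body)
        source = payload.get("source", "unknown")
        url = payload.get("url")

        # 2. Look the key up by hash; the plaintext is used only for the lookup and never logged.
        key = self.store.find(payload["token"])
        if key is None:
            self._audit(source=source, url=url, result="no_matching_key")
            return {"status": 404, "revoked": False}

        # 3. Idempotent: a repeated report of the same key is recorded but changes nothing.
        if key.revoked:
            self._audit(source=source, url=url, key_id=key.key_id, result="already_revoked")
            return {"status": 200, "revoked": True, "key_id": key.key_id, "already_revoked": True}

        key.revoked = True
        key.revoked_reason = f"found in public repo via {source}"
        self._audit(source=source, url=url, key_id=key.key_id,
                    service_id=key.service_id, result="revoked")
        self.alerts.append(
            f"API key {key.key_id} (service {key.service_id}) revoked: reported by {source} at {url}"
        )
        return {"status": 200, "revoked": True, "key_id": key.key_id, "already_revoked": False}


def demo() -> dict:
    """Runs the handler against constructed data: a real report, a replay, a forgery, an unknown key."""
    store = KeyStore([
        ApiKey("key-1", "service-a", hash_key("constructed-example-key-1")),
        ApiKey("key-2", "service-b", hash_key("constructed-example-key-2")),
    ])
    svc = RevocationService(store)
    body = json.dumps({"token": "constructed-example-key-1", "source": "github-secret-scanning",
                       "url": "https://github.com/example/repo/blob/main/config.py"}).encode()
    first = svc.revoke_leaked_key(body, sign_request(body))
    second = svc.revoke_leaked_key(body, sign_request(body))
    forged = svc.revoke_leaked_key(body, "00" * 32)
    unknown_body = json.dumps({"token": "not-a-real-key", "source": "sre"}).encode()
    unknown = svc.revoke_leaked_key(unknown_body, sign_request(unknown_body))
    return {"first": first, "second": second, "forged": forged, "unknown": unknown,
            "audit": svc.audit_log, "alerts": svc.alerts}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two points worth carrying into a real implementation: the handler is idempotent, because secret scanners and humans will report the same leaked key more than once, and the audit record carries the key id, service id and reporting source but never the key itself, so the audit trail does not become a second copy of the leak.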
yaelberger-commits commented
@jzbahrai is this card redundant with the other one we have in progress now?