Remediation on Nightfall for Github

Sensitive data like credentials pose a large risk when found in code repos. Read our guide to remediating these DLP risks in GitHub.

Last updated 1 year ago

GitHub is a code versioning tool, which means that it preserves a full history of searchable code changes. Sensitive data can proliferate in these code changes and is not always easily discoverable.

Credentials & secrets that are hard-coded in GitHub repositories pose a risk if repos are leaked or accessed via social engineering attacks, as they can provide access to infrastructure, databases, and third-party APIs. Likewise, sensitive data like customer PII can end up in code repos. This can raise significant security, compliance, and brand risk.

Nightfall automatically detects sensitive data in GitHub repos in real time on every code push event to GitHub. With Nightfall’s context-rich detection results, you’ll be able to prioritize remediation efforts based on the type and location of sensitive data. However, git is a complicated protocol, and because git is designed to be a full historical trail of commits, remediation is non-trivial. We’ve therefore outlined best practices for remediating violations below.

1. Rotate Your Credentials

In their data security guide, GitHub states the following: “Once you have pushed a commit to GitHub, you should consider any data it contains to be compromised. If you committed a password, change it! If you committed a key, generate a new one.” Secrets such as API keys and cryptographic keys should be treated as high-priority risks.

If you have pushed credentials & secrets to a repo, your first step should be to immediately revoke the compromised credentials and generate new ones.

After doing so, remember to update your application code or config/environment variables accordingly so that things continue to work with your new credentials. If the credentials are used by other developers or deployed in your infrastructure, make sure all of them receive the new version.

Most services that issue API keys, such as Twilio, Stripe, Twitter, etc., have mechanisms to revoke a key and generate a new one, typically in the admin panel of their API consoles. If you have questions about how to rotate a specific service’s token, reach out to Nightfall Support at support@nightfall.ai and we would be happy to look into it.

2. Remove Historical References

2.A. Review repo access permissions

Simply because a GitHub repo is private doesn’t mean that sensitive data can or should be stored there safely. On GitHub, developers associate their personal GitHub accounts with their corporate organizations, so it can be easy for the lines to blur. You can view who can access your repos on GitHub.

Similarly, an organization’s repos can have collaborators from outside the organization. Check on this access by navigating to your GitHub organization and clicking the People tab. From there, click Outside Collaborators to review who can access your organization’s repos. Consider removing or modifying access.

You can customize access to each repository in your organization with granular permission levels, giving people access to the features and tasks they need. Likewise, you can set base permissions for the repositories that your organization owns.

GitHub repos should only be made public when strictly necessary. If a repo is intended to be open-sourced, it should undergo a thorough code review to confirm no sensitive information or trade secrets are revealed. If a repo is public that shouldn’t be, you can make it private.

Navigate to your GitHub repository and click Settings. In the “Danger Zone” section, click “Make private” if the repository is public. If the repo is no longer necessary, click “Delete this repository” to permanently remove it.

2.B. Rewrite git history

If the sensitive data can be successfully rotated as described above, it may not be necessary to rewrite git history. However, it may be worth going the extra mile to keep your repositories clean and avoid future fire drills if the credentials are discovered at a later point and it is unclear whether the secret was correctly rotated.

If the sensitive data cannot be rotated, for example PII, then rewriting git history is necessary.

There are two recommended methods for rewriting git history: the BFG Repo-Cleaner tool, which we describe below, and git filter-branch, for which we’ve linked steps.

2.B.i. Using the BFG

The BFG Repo-Cleaner is a tool that’s built and maintained by the open source community. It provides a faster, simpler alternative to git filter-branch for removing unwanted data. For example, to remove your file with sensitive data and leave your latest commit untouched, run:

$ bfg --delete-files YOUR-FILE-WITH-SENSITIVE-DATA

To replace all text listed in passwords.txt wherever it can be found in your repository’s history, run:

$ bfg --replace-text passwords.txt

After the sensitive data is removed, you must force push your changes to GitHub.

$ git push --force

See the BFG Repo-Cleaner’s documentation for full usage and download instructions.

2.B.ii. Using git filter-branch

An alternative method to BFG Repo-Cleaner is git filter-branch. This process is more involved; the steps are outlined in GitHub’s documentation and in the git documentation.

There are additional ways to modify git history, which you can review in the git documentation for advanced & specific use cases: Git Tools – Rewriting History.
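To confirm that a rewrite really removed a secret before you force push, the following rehearsal script builds a throwaway repo containing a constructed placeholder secret, purges the file from history, and then inspects every object in the store. It is an added example, not code from the Nightfall docs or the BFG project; it uses git filter-branch rather than the BFG so that it needs nothing but git and mktemp in a POSIX shell.

```shell
#!/bin/sh
# Added example, not from the Nightfall docs or the BFG project: rehearse a
# history rewrite on a throwaway repo and prove the secret is gone from the
# object store before you force push the real one. With the BFG the rewrite
# line would be "bfg --delete-files secrets.env"; the expire/gc/verify steps
# are the same.
set -eu

# Identity for the throwaway commits only; a real repo uses your own config.
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
export FILTER_BRANCH_SQUELCH_WARNING=1   # skip filter-branch's interactive warning

MARKER='EXAMPLE-NOT-A-REAL-KEY'          # constructed placeholder, not a credential

# Repo whose first commit adds secrets.env and whose second commit deletes it:
# HEAD is clean, but the blob is still reachable through history.
make_leaky_repo() {
  dir=$(mktemp -d)
  git init -q "$dir" 2>/dev/null
  printf 'API_KEY=%s-0123456789\n' "$MARKER" > "$dir/secrets.env"
  printf 'print("hello")\n' > "$dir/app.py"
  git -C "$dir" add -A
  git -C "$dir" commit -q -m 'initial commit (secrets.env added by mistake)'
  git -C "$dir" rm -q secrets.env
  git -C "$dir" commit -q -m 'delete secrets.env (does not remove it from history)'
  echo "$dir"
}

# Prints LEAKED if any blob in the object store, reachable or not, still holds
# the marker; clean otherwise. Checking only "git log -p" would miss
# unreachable objects that stay on disk until they are pruned.
secret_in_object_store() {
  n=$(git -C "$1" cat-file --batch-all-objects --batch-check='%(objectname) %(objecttype)' \
        | awk '$2 == "blob" { print $1 }' \
        | while read -r oid; do git -C "$1" cat-file -p "$oid"; done \
        | grep -c "$MARKER" || true)
  [ "$n" -eq 0 ] && echo clean || echo LEAKED
}

# Rewrite every ref so the file never existed, drop the refs/original backups
# and reflog entries that keep the old commits alive, then prune them.
purge_file_from_history() {
  git -C "$1" filter-branch -f --prune-empty \
      --index-filter "git rm --cached --ignore-unmatch -q '$2'" -- --all
  git -C "$1" for-each-ref --format='%(refname)' refs/original/ \
      | while read -r ref; do git -C "$1" update-ref -d "$ref"; done
  git -C "$1" reflog expire --expire=now --all
  git -C "$1" gc --prune=now --aggressive -q
}

# Full rehearsal; returns "LEAKED->clean" when the purge worked.
rehearse_history_rewrite() {
  repo=$(make_leaky_repo)
  before=$(secret_in_object_store "$repo")      # LEAKED: deleting the file did not help
  purge_file_from_history "$repo" secrets.env >/dev/null 2>&1
  after=$(secret_in_object_store "$repo")       # clean: the blob is gone from the store
  rm -rf "$repo"
  echo "$before->$after"
}

# After the real rewrite: git push --force, then have every collaborator
# re-clone, because existing clones and forks still carry the old commits.
rehearse_history_rewrite    # prints LEAKED->clean
```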

3. Review Access

Various third-party services provide access logs describing when secrets & credentials are used or called. Where possible, review these access logs to determine whether any exposed secrets or credentials were used. If so, you may need to undertake a deeper investigation into a potential security incident.

For example, Zendesk provides an Activity portal for its API. If you identified that a Zendesk API key was leaked, you could check this portal to determine whether there is any anomalous usage beyond what you would normally expect.

4. Establish Your Workflow & Process

If you are collaborating on code with others in your organization or have limited permissions, it may not be feasible to remediate the compromised secrets on your own or complete the steps outlined above. In this case, it’s beneficial to set up a process by which you can log compromised secrets and notify the responsible party who will be able to act on them.

Triage Workflow

Project management and bug tracking tools, for example Jira and Linear, are good options for managing the process of remediating compromised credentials & secrets. Consider creating tickets that include the following information so the Assignee has sufficient context:

  • Repository – e.g. nightfalldlp/sample

  • Commit reference – e.g. d3cce9f

  • File path – e.g. sample.py

  • Branch – e.g. main

  • Link to the specific line of code on GitHub – e.g. https://github.com/nightfalldlp/sample/blob/master/sample.py#L2

Notifying Collaborators

When deciding whom to notify and what to say in your message, first consider the following:

  • Is the repo still actively used or maintained? If not, it may be best to advise the repo owner to archive or delete the repo.

  • Who committed the compromised credentials? The author who committed the secrets to the codebase may have the ability to follow the remediation steps above.

  • Who owns or manages the repo? Perhaps the original author of the commit that introduced the compromised credentials is no longer in your organization or has changed roles/responsibilities. In this case, it may be best to reach out to the repo’s owners or admins. You can see who has access to the repo by navigating to Settings, then Manage Access.

5. Preventing Credential Exposure Going Forward

Now that you know what types of sensitive data tend to get exposed on GitHub and have begun to remediate these violations, you can be proactive about mitigating these risks going forward with the following recommendations.

Use a visual program like GitHub Desktop or gitk to commit changes.

Visual programs generally make it easier to see exactly which files will be added, deleted, and modified with each commit.

Use git commands in accordance with best practices.

  • Avoid the catch-all commands git add . and git commit -a on the command line; use git add filename and git rm filename to stage files individually instead.

  • Use git add --interactive to individually review and stage changes within each file.

  • Use git diff --cached to review the changes that you have staged for commit. This is the exact diff that git commit will produce as long as you don’t use the -a flag.

Ignore files with sensitive information.

Name sensitive files in .gitignore and .npmignore to avoid checking them into git. Learn more about gitignore.

Store credentials safely.

  • Use local environment or configuration variables so the application retrieves these values dynamically instead of hard-coding them into files.

  • Centralize credentials with a secrets management (“secrets as a service”) solution.

    • This prevents secret sprawl and allows for audit logging; however, there is a cost to implementing and maintaining these solutions.

    • Examples include AWS Secrets Manager, Hashicorp Vault, or Square Keywhiz.

Leverage safety controls provided by the third-party services issuing API keys.

  • Services like Stripe, Twilio, SendGrid, Zendesk, etc. whose API keys you may be using may offer security controls you can take advantage of:

  • Use temporary credentials with expiration dates if the service allows it.

  • Enable IP allowlisting if the service allows it.

  • Restrict the permissions associated with the key.

    • Certain services like SendGrid and Stripe have granular permissions management across API keys, similar to IAM roles on AWS.

Treat secrets equally. Protect dev/test secrets in addition to production secrets.

It’s easy to confuse dev/test secrets with production ones, and they can end up in the wrong environment. Treat all credentials as sensitive and high-risk to avoid this.

Avoid sharing credentials & secrets.

Tools like Slack and email make communication seamless, but that also means they open up pathways for easily transmitting credentials & secrets and sprawling this information to more data silos.

Nightfall has native integrations to identify sensitive data in other applications such as Slack and Confluence, where sensitive data is commonly proliferated by developers.

Code security training.

As software development proliferates across every industry and use case, code security is more important than ever. Consider a formal training program or service to ensure developers understand the risks and best practices.

Scan GitHub repositories at different parts of the SDLC.

Nightfall provides multiple ways to scan for sensitive data in code repositories: in near real time upon code commit to GitHub, historically across all code changes, upon Pull Request, and via a git hook on the developer endpoint device. Reach out to our Support team to learn more about these options and determine what fits best in your SDLC.
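The endpoint-side git hook mentioned above can be approximated locally. This added example (not Nightfall’s hook or its detectors) is a POSIX pre-commit hook that scans exactly the diff that git diff --cached shows and blocks the commit when an added line matches a handful of constructed, illustrative credential patterns; the sample diff inside it is constructed as well.

```shell
#!/bin/sh
# Added example, not Nightfall's git hook or detectors: a pre-commit hook that
# scans the staged diff (exactly what "git diff --cached" shows, so exactly what
# "git commit" would record) and blocks the commit when an added line looks
# like a credential. Install: copy to .git/hooks/pre-commit and chmod +x.
set -eu

# Constructed, illustrative patterns (POSIX EREs, one per line for grep -E);
# a real deployment would rely on a maintained detector instead.
PATTERNS="AKIA[0-9A-Z]{16}
-----BEGIN (RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY-----
(password|passwd|secret|api[_-]?key|token)[[:space:]]*[=:][[:space:]]*[\"']?[A-Za-z0-9_/+=-]{8,}"

# Reads a unified diff on stdin; prints "file:line:content" for every added
# line that matches a pattern, nothing when the diff is clean. Deleted and
# context lines are never flagged, so pre-existing secrets are out of scope.
find_staged_secrets() {
  awk '
    /^\+\+\+ / { file = $2; sub(/^b\//, "", file); next }  # new-side file name
    /^@@/      { split($3, h, /[,+]/); line = h[2]; next }  # new-side start line
    /^\+/      { printf "%s:%d:%s\n", file, line, substr($0, 2); line++; next }
    /^ /       { line++ }                                   # context line
  ' | grep -E -i -- "$PATTERNS" || true
}

# Hook entry point: a non-zero exit makes git abort the commit.
run_as_hook() {
  hits=$(git diff --cached -U0 --no-color | find_staged_secrets)
  [ -z "$hits" ] && return 0
  printf 'pre-commit: staged changes contain possible credentials:\n%s\n' "$hits" >&2
  printf 'Unstage them (git add --interactive) or move them to env/config.\n' >&2
  return 1
}

# Constructed sample diff: one env lookup (fine) and two hard-coded secrets.
SAMPLE_DIFF='diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,5 @@
 import os
-DB_URL = os.environ["DB_URL"]
+DB_URL = os.environ["DB_URL"]
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLE0123456789"
+api_key = "EXAMPLEexampleEXAMPLE01"
+debug = True'

case "${0##*/}" in
  pre-commit) run_as_hook ;;                                # installed as a hook
  *) printf '%s\n' "$SAMPLE_DIFF" | find_staged_secrets ;;  # run directly: sample hits
esac
```

Run directly, the script reports config.py line 3 (the AKIA-style key) and line 4 (the api_key assignment) and nothing for the env lookup.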

Need Help?

Reach out to Nightfall Support at support@nightfall.ai.
