How to ensure you don’t have Sourcegraph secrets in source code
On August 30, 2023, Sourcegraph's Head of Security disclosed that an attacker had gained administrative access to Sourcegraph and may have accessed user information. The breach occurred when a Sourcegraph engineer accidentally committed code containing an active site-admin token with extensive privileges. A malicious user used the exposed credential to create a proxy application that granted free access to Sourcegraph APIs, resulting in 2 million views within hours. The exposure affected only Sourcegraph.com's public code, and while data was potentially accessed, the extent remains uncertain. Arnica has introduced a custom validator for Sourcegraph tokens as part of its secrets detection and validation service, which can help prevent similar incidents by alerting developers to the presence of secrets in source code and assisting with their removal.
Company: Arnica
Date published: Sept. 4, 2023
Author(s): Nir Valtman
Word count: 630
Language: English
Hacker News points: 3