CISA Contractor Fails OpSec: AWS GovCloud Keys on GitHub
Saw the KrebsOnSecurity piece today about the CISA contractor leaking GovCloud keys. It’s honestly ironic—the agency leading US cyber defense getting bitten by the oldest mistake in the book: hardcoded credentials. We talk endlessly about supply chain security, but sometimes the weakest link is just a git push without a pre-commit hook.
If you haven't checked your own orgs lately, now is the time. For AWS specifically, you want to be scanning for patterns matching AKIA[0-9A-Z]{16}. I usually run trufflehog or gitleaks in CI/CD pipelines, but local scans help too.
Here is a quick example of a basic gitleaks scan command you can run on your repos:
gitleaks detect --source ./my-repo --verbose --report-format json --report-path leak-report.json
Or if you prefer Python and want to scan a specific directory for common AWS patterns:
import os
import re

# AWS access key IDs are "AKIA" followed by 16 uppercase alphanumerics
aws_pattern = r'AKIA[0-9A-Z]{16}'

for root, dirs, files in os.walk('.'):
    for file in files:
        # Only source files here; extend the tuple for other file types
        if file.endswith(('.py', '.js')):
            path = os.path.join(root, file)
            # errors='ignore' skips undecodable bytes instead of crashing
            with open(path, 'r', errors='ignore') as f:
                content = f.read()
            if re.search(aws_pattern, content):
                print(f"Potential key found in: {path}")
The bigger headache for CISA right now isn't just the leak; it's the credential rotation in GovCloud. That environment has strict compliance requirements.
How are you all handling secret scanning? Are you relying on native GitHub advanced security, or do you have self-hosted solutions?
We enforce pre-commit hooks using the pre-commit framework for everything. If detect-secrets finds a match, the commit is blocked. It's annoying for devs at first, but it saves hours of panic rotation later. Also, make sure you revoke keys immediately when found—time is the biggest variable here.
From the SOC side, we set up CloudTrail alerts for unusual AssumeRole calls or API calls from unknown IPs. If those keys were used, the logs will tell the story. I'd love to know their timeline between the git push and the detection.
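As an added example of the kind of CloudTrail triage described above (not code from this thread or from any AWS tooling): the script below runs three checks over a small set of constructed CloudTrail records, flagging any use of the leaked key after the exposure time, any AssumeRole from an address outside known egress ranges, and any other API call from an unknown address. It also measures the gap between the push and the first observed use of the key, which is the timeline the reply asks about. The IP ranges (RFC 5737 documentation space), user names, key IDs and the leak timestamp are all assumptions; the "leaked" key is AWS's documented example key ID.

```python
import ipaddress
import json
from datetime import datetime, timedelta, timezone

# Assumed values for the example: the key AWS uses in its own documentation
# stands in for the leaked key, and the push time is made up.
LEAKED_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
LEAK_TIME = datetime(2025, 1, 10, 9, 30, tzinfo=timezone.utc)

# Hypothetical corporate egress ranges; replace with your own.
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("198.51.100.0/24")]

# Constructed CloudTrail records in the shape of a delivered log file.
SAMPLE_LOG = json.dumps({"Records": [
    # normal use of the key by CI before the push: not a finding
    {"eventTime": "2025-01-10T08:50:00Z", "eventName": "GetObject",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": LEAKED_KEY_ID}},
    # same key, same CI address, but after exposure: must be reviewed
    {"eventTime": "2025-01-10T09:40:00Z", "eventName": "GetObject",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": LEAKED_KEY_ID}},
    # leaked key used from an address outside known ranges
    {"eventTime": "2025-01-10T10:02:00Z", "eventName": "GetCallerIdentity",
     "eventSource": "sts.amazonaws.com", "sourceIPAddress": "192.0.2.55",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": LEAKED_KEY_ID}},
    # a different user assuming a role from an unknown address
    {"eventTime": "2025-01-10T10:05:00Z", "eventName": "AssumeRole",
     "eventSource": "sts.amazonaws.com", "sourceIPAddress": "192.0.2.55",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin",
                      "accessKeyId": "AKIAEXAMPLEOPSADMIN1"}},
    # the same role assumption from a known address: not a finding
    {"eventTime": "2025-01-10T10:06:00Z", "eventName": "AssumeRole",
     "eventSource": "sts.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin",
                      "accessKeyId": "AKIAEXAMPLEOPSADMIN1"}},
    # service-originated call: sourceIPAddress is a DNS name, not an IP
    {"eventTime": "2025-01-10T10:07:00Z", "eventName": "DescribeStacks",
     "eventSource": "cloudformation.amazonaws.com",
     "sourceIPAddress": "cloudformation.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "accessKeyId": "ASIAEXAMPLETEMPCRED1"}},
]})


def parse_time(value):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_known_ip(addr):
    """True if addr is inside one of KNOWN_NETWORKS. AWS service principals
    show up as DNS names in sourceIPAddress; those are never 'known IPs'."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in KNOWN_NETWORKS)


def triage(log_json, leaked_key_id, leak_time):
    """Return the records that need a look, each with the reasons it was flagged."""
    findings = []
    for rec in json.loads(log_json)["Records"]:
        reasons = []
        when = parse_time(rec["eventTime"])
        key_id = rec.get("userIdentity", {}).get("accessKeyId")
        ip = rec.get("sourceIPAddress", "")
        if key_id == leaked_key_id and when >= leak_time:
            reasons.append("leaked key used after exposure")
        if rec["eventName"] == "AssumeRole" and not is_known_ip(ip):
            reasons.append("AssumeRole from unknown source IP")
        elif not is_known_ip(ip) and not ip.endswith(".amazonaws.com"):
            reasons.append("API call from unknown source IP")
        if reasons:
            findings.append({"eventTime": rec["eventTime"], "eventName": rec["eventName"],
                             "sourceIPAddress": ip, "accessKeyId": key_id,
                             "reasons": reasons})
    return findings


def exposure_window(findings, leaked_key_id, leak_time):
    """Time from the push to the first flagged use of the leaked key, or None."""
    times = [parse_time(f["eventTime"]) for f in findings
             if f["accessKeyId"] == leaked_key_id]
    return min(times) - leak_time if times else None


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG, LEAKED_KEY_ID, LEAK_TIME)
    for h in hits:
        print(h["eventTime"], h["eventName"], h["sourceIPAddress"], "; ".join(h["reasons"]))
    print("first use of leaked key after push:", exposure_window(hits, LEAKED_KEY_ID, LEAK_TIME))
```

On real data, feed it the decompressed CloudTrail log files from the bucket (each one is a JSON object with a Records array, which is the shape the sample mimics) and set LEAK_TIME from the commit timestamp; the point of the pre-exposure record in the sample is that normal use of a key before the push is not a finding, while identical use after it is.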
While hooks prevent future mistakes, you often miss the ghosts in the commit history. We run TruffleHog periodically to scan the entire git timeline. It catches secrets buried in past commits that a simple grep might miss.
trufflehog git -- https://github.com/your-org/your-repo.git
It’s saved us more than once when someone pushes a key and then tries to 'fix' it by deleting the file, forgetting the history persists.
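An added example of the history problem this reply describes, not code from the thread or from TruffleHog: a parser for `git log -p` output that attributes every added or removed AWS access key ID to the commit and file it appears in, then summarises where each key was introduced and whether a later commit removed it. The sample log is constructed (placeholder commit hashes, a made-up file, AWS's documented example key ID) and shows exactly the "delete the file and hope" pattern: the key is removed in the newer commit but still sits in the older one. Piped the real output of `git log -p --all` it does the same attribution on your own repository.

```python
import re
import sys

AWS_KEY_RE = re.compile(r"AKIA[0-9A-Z]{16}")
DIFF_HEADER_RE = re.compile(r"^diff --git a/(.+?) b/(.+)$")

# Constructed excerpt in `git log -p` format (newest commit first, as git
# prints it). Hashes are placeholders and the key is AWS's documented example.
SAMPLE_LOG = """\
commit 2222222222222222222222222222222222222222
Author: Dev One <dev@example.com>
Date:   Mon Jan 6 11:00:00 2025 +0000

    remove hardcoded key, read from environment

diff --git a/deploy/config.py b/deploy/config.py
--- a/deploy/config.py
+++ b/deploy/config.py
@@ -1,2 +1,3 @@
-AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+import os
+AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
 REGION = "us-gov-west-1"

commit 1111111111111111111111111111111111111111
Author: Dev One <dev@example.com>
Date:   Mon Jan 6 10:00:00 2025 +0000

    add deploy config

diff --git a/deploy/config.py b/deploy/config.py
new file mode 100644
--- /dev/null
+++ b/deploy/config.py
@@ -0,0 +1,2 @@
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+REGION = "us-gov-west-1"
"""


def scan_git_log(log_text):
    """Return one finding per added/removed diff line that contains an AWS
    access key ID: {'commit', 'file', 'action', 'key'}."""
    findings = []
    commit = path = None
    in_hunk = False  # only +/- lines inside an @@ hunk are content lines
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit, in_hunk = line.split()[1], False
            continue
        if line.startswith("diff --git "):
            m = DIFF_HEADER_RE.match(line)
            path, in_hunk = (m.group(2) if m else None), False
            continue
        if line.startswith("@@"):
            in_hunk = True
            continue
        if not in_hunk:
            continue  # skips the ---/+++ file headers and commit metadata
        if line.startswith("+"):
            action = "added"
        elif line.startswith("-"):
            action = "removed"
        else:
            continue  # context line or "\ No newline at end of file"
        for m in AWS_KEY_RE.finditer(line[1:]):
            findings.append({"commit": commit, "file": path,
                             "action": action, "key": m.group(0)})
    return findings


def summarize(findings):
    """Per key: commits that introduced it and commits that removed it.
    A key with any introducing commit is exposed regardless of later removal;
    deleting the file rewrites nothing, the key is still reachable in history."""
    by_key = {}
    for f in findings:
        entry = by_key.setdefault(f["key"], {"introduced_in": set(), "removed_in": set()})
        bucket = "introduced_in" if f["action"] == "added" else "removed_in"
        entry[bucket].add(f["commit"])
    return by_key


if __name__ == "__main__":
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for key, info in summarize(scan_git_log(text)).items():
        print(f"{key}: introduced in {sorted(info['introduced_in'])}, "
              f"removed in {sorted(info['removed_in'])} -> rotate it")
```

Usage on a real repository is `git log -p --all | python scan_history.py` (assumed script name); the `--all` matters because a key can live on in branches and tags that were never merged.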