From 6f9caee93c182e05db13efda58ec62535c98646f Mon Sep 17 00:00:00 2001
From: Tom Piccirello <8296030+Piccirello@users.noreply.github.com>
Date: Thu, 13 Nov 2025 14:47:29 -0800
Subject: [PATCH] feat: Count the number of keys identified by GitHub secrets scanning (#41491)
---
 posthog/api/github.py | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/posthog/api/github.py b/posthog/api/github.py
index d242d044f6..b988f689c4 100644
--- a/posthog/api/github.py
+++ b/posthog/api/github.py
@@ -8,6 +8,7 @@ import requests
 from cryptography.exceptions import InvalidSignature
 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import ec
+from prometheus_client import Counter
 from rest_framework import serializers
 from rest_framework.exceptions import ValidationError
 from rest_framework.parsers import JSONParser
@@ -24,6 +25,15 @@ from posthog.tasks.email import send_personal_api_key_exposed
 GITHUB_KEYS_URI = "https://api.github.com/meta/public_keys/secret_scanning"
 TWENTY_FOUR_HOURS = 60 * 60 * 24
+PERSONAL_API_KEY_LEAKED_COUNTER = Counter(
+ "github_secrets_scanning_personal_api_key_leaked",
+ "Number of valid Personal API Keys identified by GitHub secrets scanning",
+)
+PROJECT_SECRET_API_KEY_LEAKED_COUNTER = Counter(
+ "github_secrets_scanning_project_secret_api_key_leaked",
+ "Number of valid Project Secret API Keys identified by GitHub secrets scanning",
+)
+
 class SignatureVerificationError(Exception):
 pass
@@ -159,6 +169,9 @@ class SecretAlert(APIView):
 # roll key
 key, _ = key_lookup
 old_mask_value = key.mask_value
+
+ PERSONAL_API_KEY_LEAKED_COUNTER.inc()
+
 serializer = PersonalAPIKeySerializer(instance=key)
 serializer.roll(key)
 send_personal_api_key_exposed(key.user.id, key.id, old_mask_value, more_info)
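Review bot: Both new counters only cover the success path — an alert that verified and matched a live key — so nothing in Prometheus will show alerts this endpoint rejects, and a burst of forged or replayed POSTs against a webhook whose only authentication is GitHub's signature (this file imports `InvalidSignature` and this hunk defines `SignatureVerificationError`) stays invisible to whoever watches these dashboards. Consider a third counter next to these two, `SIGNATURE_VERIFICATION_FAILED_COUNTER = Counter("github_secrets_scanning_signature_verification_failed", "Number of GitHub secret scanning alerts rejected because the signature did not verify")`, incremented wherever `SignatureVerificationError` is raised or caught; that code is outside the hunk. The help strings would also be more accurate as "alerts ... that matched a valid Personal API Key", since each is bumped once per handled alert and nothing visible de-duplicates a redelivered alert unless the later roll guarantees it no longer matches.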
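Review bot: `PERSONAL_API_KEY_LEAKED_COUNTER.inc()` runs before `serializer.roll(key)` and `send_personal_api_key_exposed(...)`, so if the roll or the e-mail dispatch raises, the key is still counted even though it may remain live; the help text ("identified") is consistent with that, but anyone alerting on this series will likely read it as "rotated". If the intent is to measure handled keys, move the line to just after `serializer.roll(key)`; if the intent is identification, add `# Counted on identification, before the roll: a failed roll still increments this` above it so the next reader does not "fix" it either way. The enclosing method of `SecretAlert` starts and ends outside this hunk, so I cannot see whether a wrapping try/except already changes the failure behaviour.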
@@ -169,6 +182,8 @@ class SecretAlert(APIView):
 # TODO send email to team members
 result["label"] = "true_positive"
+ PROJECT_SECRET_API_KEY_LEAKED_COUNTER.inc()
+
 except Team.DoesNotExist:
 pass
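Review bot: `PROJECT_SECRET_API_KEY_LEAKED_COUNTER.inc()` sits under a `# TODO send email to team members`, and within the visible lines the only other action for a matched project secret is `result["label"] = "true_positive"` — no roll or notification like the personal-key path — so this counter is the sole operational signal that a live project secret was confirmed to GitHub as valid. If rotation does not happen elsewhere in the method (its start and end are outside the hunk), a comment such as `# Counted on identification only; the secret is not rotated or reported to the team here (see TODO above)` would keep the two counters from being read as equivalent on a dashboard. The `except Team.DoesNotExist: pass` immediately below also drops alerts for unknown teams without touching any metric, which is pre-existing but worth a counter of its own if the aim of this change is visibility.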