CISA's 844MB GitHub Leak Shows Secret Scanning Still Can't Fix Human Stupidity
You'd think after years of GitHub secret scanning, pre-commit hooks, and every security conference screaming about credential leaks, we'd be past this. Apparently not.
CISA—the Cybersecurity & Infrastructure Security Agency, the folks literally responsible for protecting America's digital infrastructure—just had 844MB of internal secrets sitting in a public GitHub repo called "Private-CISA" for six months. The name alone deserves a comedy award.
<> "This is as serious as a secrets leak gets," according to GitGuardian, who discovered this masterpiece of operational failure in May 2026./>
Let's unpack this beautiful disaster. The repo contained:
- AWS GovCloud administrative credentials (the good stuff)
- Files literally named
importantAWStokensandAWS-Workspace-Firefox-Passwords.csv - Kubernetes manifests exposing internal infrastructure
- ArgoCD application configs
- Terraform code showing exactly how CISA builds things
- GitHub personal access tokens
- Azure registry keys
Guillaume Valadon from GitGuardian found it on May 14, 2026. The repo had been public since November 13, 2025. Six. Whole. Months. GitGuardian even verified that some credentials could authenticate to three AWS GovCloud accounts at high privilege levels.
The Elephant in the Room
Here's what nobody wants to admit: all our fancy secret detection tools are fighting the wrong battle. GitHub has secret scanning. Push protection exists. Pre-commit hooks are standard practice. Yet here we are, with the nation's top cybersecurity agency's contractor casually hosting production credentials in a repo named with the subtlety of a neon sign.
The problem isn't technical—it's cultural. When your workflow allows someone to create a public repo called "Private-CISA" and dump 498MB of working files plus another 346MB in Git history without anyone noticing, your tooling has already lost.
CISA's response? "No indication that any sensitive data was compromised." Right. Because publicly accessible AWS credentials with admin privileges are totally fine as long as nobody provably used them maliciously. That's like saying your house key isn't compromised just because you can't prove anyone entered.
Beyond Basic Credential Theft
This wasn't just leaked passwords—it was a complete infrastructure blueprint. The Terraform configs, Kubernetes manifests, and ArgoCD files essentially provided a roadmap of CISA's internal systems. Any competent attacker could map out:
- Environment topology and naming conventions
- Service account relationships
- Internal endpoints and trust boundaries
- Deployment workflows and automation patterns
That's not credential theft—that's reconnaissance gold.
The Real Fix Nobody Wants to Implement
Secret scanning is reactive. By the time it detects something, the damage is done—especially in public repos where Git history is forever. The real solution?
1. Make it impossible to create public repos by default in organizational contexts
2. Require manual approval for any public repository creation
3. Rotate all credentials immediately when repos go public, regardless of content
4. Segment permissions so single credential leaks don't grant kingdom keys
But these require process changes, not just new tooling. And process changes are hard.
The Nightwing contractor responsible for this mess learned an expensive lesson about Git workflows. CISA learned that oversight matters. And the rest of us? We're reminded that human stupidity scales faster than our security tooling.
At least they didn't call it "Super-Secret-CISA-Do-Not-Look."
