search on Github for all commits signed by a given GPG or SSH key #112411
Unanswered. monperrus asked this question in Code Security. Replies: 0 comments
Topic area: Product Feedback
I would like to suggest a feature enabling searching for commits signed by a specific GPG or SSH key.
This is important for tracing the critical open source software supply chain.
Reputation Analysis: If the key is associated with a specific developer, you can use this information to assess the developer's reputation based on past contributions.
Risk Analysis: If the key is associated with a company, the company may want to understand the extent of its open source contributions for risk management purposes. For instance, if many critical projects depend on code committed by that key, it could represent a risk if the keyholder were to leave the company.
Identifying Leaked Keys: If a private GPG or SSH key is leaked, it could be used to sign malicious commits. By being able to search for all commits signed by a given key, you could identify any unexpected or unauthorized usage of the key. This would allow you to respond quickly to a potential security incident, by revoking the key and investigating any suspicious commits.
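Until such a search exists on GitHub, the leaked-key audit described above can be approximated on a local clone with the signature placeholders of `git log`. This is an added example, not code from the discussion author; the hashes and fingerprints in `SAMPLE_LOG` are constructed, and a real run replaces them with the output of `git_log()`.

```python
import re
import subprocess
from dataclasses import dataclass

# One commit per line, tab-separated. These placeholders exist in git-log(1):
# %H hash, %G? signature status, %GF signing-key fingerprint,
# %GP primary-key fingerprint (when a GPG subkey signed), %GS signer string.
LOG_FORMAT = "%H%x09%G?%x09%GF%x09%GP%x09%GS"

# %G? values: G good, U good/untrusted, X good/expired sig, Y good/expired key,
# R good/revoked key, B bad signature, E cannot be checked, N unsigned.
VERIFIED = {"G", "U", "X", "Y", "R"}

@dataclass(frozen=True)
class Commit:
    sha: str
    status: str
    fingerprint: str
    primary: str
    signer: str

def normalize(fp: str) -> str:
    """Strip spaces; upper-case hex (GPG) fingerprints, keep SSH SHA256: base64 as is."""
    fp = fp.replace(" ", "")
    return fp.upper() if re.fullmatch(r"[0-9A-Fa-f]+", fp) else fp

def parse_log(text: str) -> list[Commit]:
    commits = []
    for line in text.splitlines():
        if line:
            fields = (line.split("\t") + [""] * 5)[:5]  # unsigned commits leave fields empty
            commits.append(Commit(*fields))
    return commits

def commits_signed_by(commits: list[Commit], key_fp: str) -> list[Commit]:
    """Commits with a verified signature whose key, or its primary key, matches key_fp.
    Match on the fingerprint, not %GS: the signer string is self-asserted key metadata."""
    target = normalize(key_fp)
    return [c for c in commits if c.status in VERIFIED
            and target in (normalize(c.fingerprint), normalize(c.primary))]

def git_log(repo: str) -> str:
    """Signature fields for every commit reachable from any ref in a local clone."""
    return subprocess.run(["git", "-C", repo, "log", "--all", f"--format={LOG_FORMAT}"],
                          check=True, capture_output=True, text=True).stdout

# Constructed stand-in for git_log() output: fake hashes, fake fingerprints.
SAMPLE_LOG = (
    "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0\tG\t1234567890ABCDEF1234567890ABCDEF12345678\t1234567890ABCDEF1234567890ABCDEF12345678\tAlice Example <alice@example.com>\n"
    "b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1\tG\tABCDEF1234567890ABCDEF1234567890ABCDEF12\t1234567890ABCDEF1234567890ABCDEF12345678\tAlice Example <alice@example.com>\n"  # signed by a subkey
    "c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2\tN\t\t\t\n"  # unsigned
    "d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3\tG\tSHA256:c0nstructedSshKeyFingerprint0000000000000000\t\tbob@example.com\n"
    "e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4\tB\t1234567890ABCDEF1234567890ABCDEF12345678\t1234567890ABCDEF1234567890ABCDEF12345678\tAlice Example <alice@example.com>\n"  # bad signature
)

if __name__ == "__main__":
    for c in commits_signed_by(parse_log(SAMPLE_LOG), "1234 5678 90AB CDEF 1234 5678 90AB CDEF 1234 5678"):
        print(c.sha[:12], c.status, c.signer)
```

Run against a real clone with `parse_log(git_log("/path/to/repo"))`; commits matching a fingerprint known to be compromised, or signed after the key's revocation date, are the ones to investigate.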