I use Github for DaniWeb's code base. I was just wondering though. How secure is it? Would you ever store passwords or other sensitive information in Github (Don't worry. We use .gitignore.)? What about code that could be considered a trade secret, or that type of thing?
Dani 4,675 The Queen of DaniWeb Administrator Featured Poster Premium Member
Recommended Answers
Jump to PostGiven who owns github (M$), and their location (U$A), I wouldn't trust anything commercially sensitive with them.
Why do you even need it, apart from the simple convenience of it all (that's the trap, make the honeypot sweet enough, plenty will arrive). There's not much there that can't be replicated …
Jump to PostI don't trust any online service to store my information, sensitive or otherwise, other than whatever password I use to access a particular site. And I assume (mistake, probably) that they keep only the encrypted copy of the password. I saw an ad a while back (I think it was …
Jump to PostNo sensitive info in any CVS. If I had a codebase such as DW, I'd store it in a local git store, synced to another machine of mine. No cloud.
All 10 Replies
rproffitt 2,701 https://5calls.org Moderator
Given the state of affairs in the USA, any security we thought we had is gone.
DOGE is gaining access by force now.
Do we really need this conversation?
Salem 5,265 Posting Sage
Given who owns github (M$), and their location (U$A), I wouldn't trust anything commercially sensitive with them.
Why do you even need it, apart from the simple convenience of it all (that's the trap, make the honeypot sweet enough, plenty will arrive). There's not much there that can't be replicated on a server machine you physically control.
How many people have commit rights on your codebase?
Every contributor has a complete copy of the entire git repo. So even if you lost everything, you can sync with any of your peers and be back up and running to the point of your last push.
Reverend Jim 5,225 Hi, I'm Jim, one of DaniWeb's moderators. Moderator Featured Poster
I don't trust any online service to store my information, sensitive or otherwise, other than whatever password I use to access a particular site. And I assume (mistake, probably) that they keep only the encrypted copy of the password. I saw an ad a while back (I think it was on Ask Woody) for a service that offered to keep all your financial information securely (yeah, right) so that your loved ones would have access in the event of your death.
"Extended warranty. How can I lose?" (Rob - you may have to dig a little for this one).
Dani 4,675 The Queen of DaniWeb Administrator Featured Poster Premium Member
There's not much there that can't be replicated on a server machine you physically control.
Redundancy in the cloud.
How many people have commit rights on your codebase?
Every contributor has a complete copy of the entire git repo. So even if you lost everything, you can sync with any of your peers and be back up and running to the point of your last push.
Just me. At different points in time over the past 20+ years, it has been a different combination of 3 people. (Narue aka deceptikon helped for a little bit many years ago, but he hasn't been around in years and years. And then there was a freelancer from Upwork that I recruited help from for a little bit a long time ago when I was feeling very overwhelmed with my workload.) These days, it's just me.
pritaeas 2,211 ¯\_(ツ)_/¯ Moderator Featured Poster
No sensitive info in any CVS. If I had a codebase such as DW, I'd store it in a local git store, synced to another machine of mine. No cloud.
Salem 5,265 Posting Sage
TBH, if it's "just me", then password protected tarballs of your .git directory, uploaded to one of the more trustworthy sites might be an option. I wouldn't touch google/onedrive with a barge-pole. Dropbox maybe at a pinch. Personally, I use https://mega.io/
If your DW hosting provider gives you access to filespace outside of the www root hosting daniweb.com, then that would seem to be a good place to store the archives.
pritaeas 2,211 ¯\_(ツ)_/¯ Moderator Featured Poster
Dani 4,675 The Queen of DaniWeb Administrator Featured Poster Premium Member
https://www.theregister.com/2025/03/17/supply_chain_attack_github/
Well that’s coincidental. Doesn’t seem to apply to our repo though because we don’t use tj-actions/changed-files and use private repos. More to say when I’m not on my phone.
kearawill -12 Newbie Poster
GitHub is generally very secure for hosting code, especially with features like 2FA, security alerts, and private repositories. However, like any platform, it's only as secure as how you use it. I’d never recommend storing sensitive information like passwords, private keys, or database credentials—even with .gitignore. Instead, use environment variables or secret managers like GitHub Actions Secrets or AWS Secrets Manager.
When it comes to proprietary code or trade secrets (like specialized algorithms or business logic—for example, I once worked on a stamp duty London calculator for a client), it's crucial to keep that in a private repo with restricted access. Also, ensure that your team follows best practices for committing code, reviews, and repository permissions.
In short: GitHub can be safe, but it depends on your practices. Always assume someone could accidentally leak access and plan your security accordingly.
Dani 4,675 The Queen of DaniWeb Administrator Featured Poster Premium Member
I’d never recommend storing sensitive information like passwords, private keys, or database credentials—even with .gitignore. Instead
Why not, though? Doesn't .gitignore just completely ignore the files to where they never touch Github's servers?
To me, that sounds much more secure than Github secrets, where sensitive information is stored on the Github servers.
Be a part of the DaniWeb community
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.