• GitHub Archive logs every public commit, even the ones developers try to delete. Force pushes often cover up mistakes like leaked credentials by rewriting Git history. GitHub keeps these dangling commits, from what we can tell, forever. In the archive, they show up as “zero-commit” PushEvents.
• I scanned every force push event since 2020 and uncovered secrets worth $25k in bug bounties.
• Together with Truffle Security, we’re open sourcing a new tool to scan your own GitHub organization for these hidden commits (try it here).