The Cybersecurity and Infrastructure Security Agency (CISA) released a detailed after-action review of the GitHub credential exposure that prompted congressional scrutiny earlier this year. The review, contained in a blog post, outlines how the agency responded to the incident and identifying several internal security gaps that it is now working to address.
The update follows reports in May that a contractor maintained a public GitHub repository containing sensitive credentials, including passwords and AWS GovCloud access keys. The incident prompted Sen. Maggie Hassan, D-N.H., to seek a classified briefing from the agency over concerns about how the exposure occurred.
“Sharing experiences from incident response activities help other organizations learn from such experiences and enables them to take necessary precautions to prevent similar incidents from happening in their environments,” wrote Preston Werntz, CISA’s acting chief information officer, and Brad Libbey, CISA’s acting chief information security officer, in a July 9 blog post.
“For years, CISA has said this type of information exchange is critical to identifying trends and contributing to broader national awareness. Now, it is our turn,” they added.
In the blog post, CISA said it moved immediately after being alerted to the exposed repository, taking the repository offline, preserving evidence for forensic analysis, suspending the affected development environment, rotating exposed credentials, and revoking the contractor’s access.
The agency said its investigation found no evidence that the exposed credentials were used outside of CISA’s environments or that mission systems or customer data were compromised.
According to CISA, the repository was hosted on a contractor’s personal GitHub account rather than the agency’s official GitHub environment. It contained copies of infrastructure and deployment code along with embedded credentials that should never have been stored in a public repository.
The agency said the incident highlighted several areas where its security posture can improve.
Among the lessons identified were the need for continuous monitoring of public code repositories for exposed secrets, stronger controls governing contractor development practices, clearer processes for receiving vulnerability reports from external researchers, and pre-established incident response playbooks for credential exposure events.
“CISA had missed creating a GitHub/Cloud playbook and, therefore, had to spend time building one during the early stages of the incident,” Werntz and Libbey wrote. “CISA also encourages organizations to fine tune playbooks following any response, which CISA is practicing in this case.”
The agency also said organizations should routinely rotate credentials, eliminate embedded secrets from code repositories, apply least-privilege access controls, and ensure that development environments receive the same level of monitoring as production systems.
CISA emphasized that maintaining visibility across cloud environments and software development workflows is critical to detect similar incidents quickly.
The blog post marks CISA’s first public accounting of the incident since it confirmed the exposure in May.
Guillaume Valadon, a researcher with the security firm GitGuardian, who found the public repository in May, applauded the agency for its transparency.
“To my knowledge, it is also the first time a national cybersecurity agency has publicly advocated for secrets scanning and for simplifying relations with security researchers,” Valadon wrote in a July 12 blog post. “These are topics my team has been pushing for years, and I am proud to see them recognized at this level.”