44 lines
1.3 KiB
Plaintext
44 lines
1.3 KiB
Plaintext
|
|
||
|
|
include::../../../shared_content/secrets/description.adoc[]
|
||
|
|
|
||
|
|
== Why is this an issue?
|
||
|
|
|
||
|
|
include::../../../shared_content/secrets/rationale.adoc[]
|
||
|
|
|
||
|
|
If an attacker gains access to a RubyGems.org API key, they might be able to gain access to any private package linked to this token.
|
||
|
|
|
||
|
|
=== What is the potential impact?
|
||
|
|
|
||
|
|
The exact impact of the compromise of an RubyGems.org API key varies depending on the permissions granted to this token. It can range from loss of sensitive data and source code to severe supply chain attacks.
|
||
|
|
|
||
|
|
include::../../../shared_content/secrets/impact/source_code_compromise.adoc[]
|
||
|
|
|
||
|
|
include::../../../shared_content/secrets/impact/supply_chain_attack.adoc[]
|
||
|
|
|
||
|
|
== How to fix it
|
||
|
|
|
||
|
|
include::../../../shared_content/secrets/fix/revoke.adoc[]
|
||
|
|
|
||
|
|
include::../../../shared_content/secrets/fix/vault.adoc[]
|
||
|
|
|
||
|
|
=== Code examples
|
||
|
|
|
||
|
|
:example_secret: rubygems_cec9db9373ea171daaaa0bf2337edce187f09558cb19c1b2
|
||
|
|
:example_name: rubygems.api-key
|
||
|
|
:example_env: RUBYGEMS_API_KEY
|
||
|
|
|
||
|
|
include::../../../shared_content/secrets/examples.adoc[]
|
||
|
|
|
||
|
|
=== Going the extra mile
|
||
|
|
|
||
|
|
include::../../../shared_content/secrets/extra_mile/permissions_scope.adoc[]
|
||
|
|
|
||
|
|
== Resources
|
||
|
|
|
||
|
|
=== Documentation
|
||
|
|
|
||
|
|
RubyGems.org - https://guides.rubygems.org/api-key-scopes/[API key scopes]
|
||
|
|
|
||
|
|
include::../../../shared_content/secrets/resources/standards.adoc[]
|
||
|
|
|