Protect Against Accidental Credential Leaks with Twilio Git Guard

August 12, 2019

Twilio will now send you an email security alert if we detect that your Account SID and Auth Token have been committed to a public repository on GitHub.

Did you know that every day developers all over the world accidentally leak their credentials in open source repositories?

With over 40 million developers pushing code to more than 100 million repositories on GitHub, software is eating the world at a lightning pace. However, with the increasing adoption of the cloud, managing many different secrets, including API keys, database connection strings, private keys, and even usernames and passwords, can be challenging. You can imagine how a developer, laser-focused on deployment velocity, might unknowingly commit an API key to a repository.

After all, even the best developers make mistakes.

And what happens if you do accidentally commit API keys to a public repository? Unfortunately, fraudsters and hackers scanning the internet for API keys aren’t forgiving of your mistakes. With your API credentials, a fraudster can quickly carry out their nefarious deeds on your dime. Even worse, a hacker might also be able to read and download your critical logs and data.

Our goal at Twilio is to provide an amazing developer experience and we’re always looking to make development safer and easier so you can focus on shipping product and delighting customers. That’s why we integrated with GitHub Token Scanning to build Git Guard—a service to notify you if you’ve committed your Twilio Account SID and Auth Token to a public repository on GitHub!

“Everyone makes mistakes, so it's more important than ever that developer tools work together to protect users from the damage that can be caused by accidentally checked in tokens. We're pleased to partner with Twilio on token scanning to protect our mutual customers.”

- Justin Hutchings, Product Manager at GitHub

At Twilio, our top priority is to earn and keep your trust and we will never stop working towards this goal. So please, carry on and keep on building! No activation is required for Git Guard. It is live, watching your back right now. That said, this is an alert we hope you never have to receive, so please follow best practices to store your credentials securely.

Stephen Wai is a Product Manager at Twilio focused on building their world-class anti-fraud platform. He can be reached at swai [at] twilio.com or on Twitter at @swaiing.