惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

F
Fortinet All Blogs
S
Secure Thoughts
月光博客
月光博客
美团技术团队
雷峰网
雷峰网
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
N
News and Events Feed by Topic
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Forbes - Security
Forbes - Security
W
WeLiveSecurity
P
Proofpoint News Feed
阮一峰的网络日志
阮一峰的网络日志
爱范儿
爱范儿
G
GRAHAM CLULEY
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
AI
AI
Last Week in AI
Last Week in AI
Google Online Security Blog
Google Online Security Blog
Schneier on Security
Schneier on Security
云风的 BLOG
云风的 BLOG
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Recent Announcements
Recent Announcements
Webroot Blog
Webroot Blog
T
Tor Project blog
Cisco Talos Blog
Cisco Talos Blog
N
News and Events Feed by Topic
罗磊的独立博客
The Register - Security
The Register - Security
Blog — PlanetScale
Blog — PlanetScale
T
Threat Research - Cisco Blogs
博客园 - 【当耐特】
Apple Machine Learning Research
Apple Machine Learning Research
人人都是产品经理
人人都是产品经理
T
The Exploit Database - CXSecurity.com
www.infosecurity-magazine.com
www.infosecurity-magazine.com
B
Blog
腾讯CDC
Microsoft Azure Blog
Microsoft Azure Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
H
Hacker News: Front Page
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Engineering at Meta
Engineering at Meta
Latest news
Latest news
IT之家
IT之家
D
DataBreaches.Net
博客园 - 司徒正美
N
Netflix TechBlog - Medium
V
V2EX
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
Grafana’s GitHub Token Incident: 5 Steps DevOps Teams Can Take to Recover Faster
TerraformMon · 2026-05-20 · via DEV Community

If the recent Grafana Labs GitHub token incident caught your attention, it should.

A compromised GitHub token is not just a source code problem. For many DevOps and platform teams, GitHub is where infrastructure is defined, workflows are triggered, deployments are approved, and cloud changes are controlled.

Terraform files. GitHub Actions workflows. Branch protection rules. Repository permissions. Deployment environments. Webhooks. GitHub App integrations.

They all sit inside or around GitHub.

So when a GitHub environment is compromised, deleted, misconfigured, or held hostage, restoring the repository is only step one.

You also need to restore the configuration that makes the repository usable, secure, and ready for deployment.

That is exactly why GitHub configuration disaster recovery is becoming part of the modern cloud resilience conversation.

Here are five practical steps DevOps teams can take to protect GitHub configuration and recover faster from ransomware-style incidents.


TL;DR: 5 GitHub DR Steps to Take Tomorrow 🚀

  1. Audit what GitHub really controls
  2. Back up repositories beyond a simple clone
  3. Capture the configuration around the repo
  4. Build a separate recovery path for secrets and tokens
  5. Run a mini GitHub recovery drill


1. Audit What GitHub Really Controls 🔍

Start with visibility.

Most organizations know which repositories hold application code. Fewer teams know which repositories control production infrastructure, CI/CD workflows, deployment approvals, cloud permissions, and security policies.

That gap matters during recovery.

If a GitHub token is compromised, your team needs to know which repositories are business-critical and which systems depend on them.

A small internal tool repo may not need the same recovery priority as the repository that controls Terraform modules, production workflows, or deployment pipelines.

Tomorrow, map your GitHub environment by recovery priority.

Identify the repositories that control:

  • Production Infrastructure as Code
  • CI/CD workflows
  • Deployment scripts
  • Security policies
  • Cloud account access
  • GitHub Actions workflows
  • Environment approvals
  • Shared Terraform modules
  • Operational runbooks

This gives your team a clear recovery order.

Without this inventory, recovery becomes guesswork. Engineers waste time deciding what matters most while the incident is already happening.

In ransomware-style incidents, that delay can increase downtime, slow containment, and put unnecessary pressure on DevOps and security teams.

A GitHub disaster recovery plan starts with knowing what GitHub actually runs.


2. Back Up Repositories Beyond a Simple Clone 🧱

Once you know which repositories matter, back them up properly.

A regular clone may help an engineer keep working locally, but it is not enough for a complete recovery plan.

Critical repositories should be backed up with full mirror copies that preserve:

  • Branches
  • Tags
  • Refs
  • Repository history

For example:

git clone --mirror git@github.com:org/critical-repo.git

Enter fullscreen mode Exit fullscreen mode

If your team uses Git LFS, those objects must be included too.

Otherwise, you may restore a repository that looks complete but is missing large files, binaries, or assets used by pipelines.

Tomorrow, create external mirror backups for your highest-priority repositories.

Store them outside the same GitHub organization and identity boundary.

If the same compromised token, user, or GitHub organization can reach both your production repository and your backup, the backup is not isolated enough.

This is the same principle used in cloud disaster recovery:

Backups must be separate, restorable, and tested.

GitHub repository backup checklist

A repository backup should prove that teams can restore full history, branches, tags, and recover into a clean environment.


3. Capture the Configuration Around the Repo ⚙️

Repository backup protects your code.

But it does not automatically protect the GitHub settings that make the repo usable.

Important configuration often lives around the repository, including:

  • Branch protections
  • Rulesets
  • Deployment environments
  • GitHub Actions permissions
  • Repository variables
  • Webhooks
  • Team access
  • GitHub Apps
  • Required reviewers
  • Environment approvals

If these settings are changed or missing during recovery, your code may be restored — but deployments, reviews, and permissions can still break.

Tomorrow, pick your most critical production repositories and export the GitHub settings around them.

Store those exports as versioned snapshots outside GitHub, so your team has a known-good reference if repo configuration is changed, deleted, or compromised.

During an incident, engineers should not have to rebuild branch protections, permissions, and webhooks from memory.

Manual reconstruction is slow, risky, and easy to get wrong under pressure.

Restoring code is not the same as restoring operations.

For teams that rely on GitHub as part of their infrastructure delivery process, configuration disaster recovery for GitHub helps close the gap between restoring code and restoring the operational controls around that code.


4. Build a Separate Recovery Path for Secrets and Tokens 🔐

Secrets need a different recovery plan.

GitHub secrets are critical for CI/CD and deployment workflows, but GitHub is not a complete backup source for them.

Teams may be able to see secret names or metadata, but they cannot simply export secret values back out of GitHub.

That means GitHub should not be the only place that knows the credentials required to rebuild your workflows.

Tomorrow, review the secrets and tokens used across your GitHub environment, especially the ones connected to production systems:

  • Cloud provider credentials
  • Deployment keys
  • Container registry credentials
  • Webhook secrets
  • GitHub App private keys
  • CI/CD service tokens
  • Security scanner tokens
  • SaaS integration credentials

Each one should have an external source of truth, such as a secrets manager, vault, or controlled recovery process.

This is also the time to reduce token risk.

The Grafana incident is a reminder that one compromised token can create a serious blast radius.

So ask:

  • Who owns each token?
  • Does it still need access?
  • Is the scope too broad?
  • Can its lifetime be reduced?
  • Can stale access be removed?
  • Is there a recovery process if it is rotated or revoked?

Never let one token become the single point of failure for your GitHub environment.


5. Run a Mini GitHub Recovery Drill 🧪

Do not wait for an incident to test your GitHub recovery plan.

Pick one critical repository tomorrow and run a small recovery drill.

The goal is not to simulate a full company-wide breach. The goal is to prove that one important repository can be restored into a clean, trusted state.

Your drill should test whether your team can:

  • Restore the repository from backup
  • Reapply branch protections and rulesets
  • Recreate deployment environments
  • Reconnect webhooks
  • Re-seed secrets from the external source of truth
  • Run a GitHub Actions workflow
  • Confirm the right teams have access
  • Confirm the right approvals are enforced

This drill will expose the real gaps.

Maybe the repository restores, but the workflow fails.

Maybe a webhook secret is missing.

Maybe the branch protection rules were never backed up.

Maybe a GitHub App was installed years ago and no one knows who owns it.

Maybe only one engineer knows how to reconnect the deployment pipeline.

That is exactly why the drill matters.

A backup is only useful if the restore works.

For DevOps teams, recovery should not depend on memory, screenshots, or one engineer who understands the setup.

It should be documented, versioned, and repeatable.


Why GitHub Recovery Is Now Part of Cloud Disaster Recovery ☁️

Traditional backup strategies often stop at the repository.

But in a real incident, missing GitHub configuration can delay recovery, break deployments, and create compliance risk.

The Grafana incident is a reminder that modern disaster recovery needs to protect both the code and the configuration around it:

  • Workflows
  • Approvals
  • Permissions
  • Webhooks
  • Deployment controls
  • Infrastructure definitions
  • Cloud access paths

GitHub is no longer just where code lives.

For many teams, it is part of the production control plane.

That means GitHub recovery should be part of your broader cloud disaster recovery strategy.


Recovering Code Is Not Enough

If your GitHub environment is compromised, your team needs more than a repo backup.

You need to know:

  • Which repositories matter most
  • Which systems depend on them
  • Which configurations are required to operate safely
  • Which secrets must be restored from outside GitHub
  • Whether your recovery process actually works

ControlMonkey helps DevOps teams strengthen Cloud Configuration Disaster Recovery by continuously capturing infrastructure configuration, detecting drift, and enabling fast recovery from known-good states.

That includes extending recovery beyond cloud resources into the systems that control infrastructure delivery, including GitHub. You can read more about ControlMonkey’s GitHub Configuration Disaster Recovery announcement.

Because modern recovery is not just about restoring files.

It is about restoring control.

👉 Learn more about ControlMonkey’s Cloud DR products and Cyber resilience platform.


Discussion 💬

How does your team handle GitHub recovery today?

Do you back up only repositories, or also the configuration around them — branch protections, webhooks, environments, rulesets, and deployment controls?

Would love to hear how other DevOps and platform teams are approaching this.