Exposed Digital Ocean token needs to be removed from example in https://gitlab.com/Saderi/docker-github-io/-/blob/3ff20fafccdce09428171511982305a180dc9928/docs/installation/cloud-ex-machine-ocean.md

[londoncalling]

Is this a docs issue?

• My issue is about the documentation content or website

Type of issue

Other

Description

Hi Docker Docs Team,

I worked at Docker on the Docs Team from ~2015 > 2017. I've gotten this notification recently from a security specialist (connectabhinav@proton.me) (see below) that I have a leaked Digital Ocean token in one of the Docker examples.

I've tried to resolve this on my end by contacting Digital Ocean, but so far, have not succeeded via that route.

Do you think you can update this example in the repository (whether it's in use in the Docs, or not, it's exposed) and remove the token from it, perhaps replacing it with a variable e.g., $DOTOKEN?

Thank you!

Victoria Bialas (GitHub handle: londoncalling

Location

https://gitlab.com/Saderi/docker-github-io/blob/3ff20fafccdce09428171511982305a180dc9928/docs/installation/cloud-ex-machine-ocean.md#L116

Suggestion

Please replace the actual digital ocean token with a variable e.g., $DOTOKEN

Please keep in mind that even if these Docs are no longer published, as long as they are on GitHub, the token is exposed / "leaked", and is a vulnerability.

[thaJeztah]

Hi @londoncalling 👋 hope you're doing well; the notification is about a commit from 2015; 3ff20fa

We received similar alerts about this token a few times.

Unfortunately there's no way to remove content once it's in GitHub history; the URL you posted is on GitLab (not github) and looks to be someone's fork.

If I'm not mistaken, the token was no longer active (or no longer had access to content), but if it is, then the only thing that can be done is to remove / rotate the token (which may help with some security tools scanning for tokens); unfortunately, not all tools may check for this, and send warnings regardless.