I have installed and used GitHub Copilot for some time. While working on a Google Maps project, I was curious and asked it to autocomplete the API URL with the key open, and it listed suggestions with various API keys included. This got me worried, since it generates code based on other people's code on GitHub.
At first I was thinking those could be non-functional keys, but I found that to be wrong based on this article.
So, what methods can I use to protect my keys from this happening? I am thinking uninstalling won't help, since my repos are already on GitHub.
asked Jan 2, 2022 at 20:45 by Abraham
- 3 Do not check your API keys into git and you are safe :) You should not do this regardless of Copilot existing or not. – luk2302 Commented Jan 2, 2022 at 20:49
- 1 The best practice is to not commit API keys to your repo. I should note however that this advice is not often listened to in corporate environments. API keys should always be read from a config file and you should never commit your config files along with your code (you may not think this separation is necessary but there may be a time when you will want to share or sell your code to other people and now they have access to your API keys in the git history) – slebetman Commented Jan 2, 2022 at 20:50
- 1 But aren't API keys such as Google Maps' always going to be publicly shown on the frontend? Just like on many other big pages, and only protected by security options such as referer restriction...? But Google Copilot might also list unprotected API keys – Abraham Commented Jan 2, 2022 at 20:51
- 1 Ah, you have committed the SECOND sin of API keys. API keys should never be used in the frontend. People often wonder why there is no solution to the CORS problem when accessing 3rd party APIs but this is on purpose - the 3rd parties don't want you to expose the API keys thus not enabling CORS which forces you to use their API in your backend which will protect API keys (so long as your server is not hacked). Write your own private API endpoints on your server and have your server make the request to 3rd party APIs. Your server should be the only thing that can read the API keys – slebetman Commented Jan 2, 2022 at 20:56
- 1 Yeah. Google map may be low risk since you are not managing any 3rd party data. Only map locations. So there is little risk exposing Google Map API keys from google's point of view (from your point of view the risk is a script kiddie finding your keys and abusing it and getting you throttled or banned - but that's not google's risk). For other things like Facebook login etc. (which actually give you access to other peoples data) you should not expose API keys to the frontend. – slebetman Commented Jan 2, 2022 at 21:03
2 Answers
The only way to protect yourself is to not commit any private information to a public git repository.
Your Google Maps API key should be stored in an environment variable or a configuration file, and should never be checked into git.
A common way to do this for modern applications is to use environment variables in production and a .env file in development (that simulates using environment variables but actually holds the content of those variables in a local file). There are "dotenv" libraries available for just about every programming language. You will typically also create a .env.example file which you do commit to git that contains examples of all of the environment variables that your application requires, but does not contain actual secret values.
I've never seen a functional API key from CoPilot, and they are often /the wrong length/ to boot; my personal experience suggests that CoPilot scrambles and crops API keys.
If you've ever gotten an actually functional API key from CoPilot, I'd love to hear your story though.