More Info:

Deploy keys are SSH keys that grant access to a single repository, optionally with write access. Because they are long-lived credentials that are not tied to a user account, a leaked or forgotten key can keep working indefinitely, so they should be rotated on a regular basis.

Risk Level

Medium

Address

Security

Compliance Standards

Remediation

Using Console

To remediate the “Repo Deployment Keys Rotated” misconfiguration in GitHub using the GitHub console, you can follow the below steps. Add the replacement key and switch the consumers over before deleting the old key, so that deployments keep working throughout the rotation:

  1. Login to your GitHub account and navigate to the repository whose deployment keys need to be rotated.
  2. Click on the “Settings” tab at the top of the repository page (you need admin access to the repository to see it).
  3. In the left-hand sidebar, click on the “Deploy keys” option.
  4. Locate the deployment key that needs to be rotated and note its title, when it was added, and whether it has write access.
  5. Generate a new SSH key pair locally (for example with ssh-keygen). Only the public key is uploaded to GitHub; the private key goes to the deployment system.
  6. Create the new deployment key by clicking on the “Add deploy key” button.
  7. Give a suitable title to the deployment key and paste the public key in the “Key” field.
  8. Check the “Allow write access” option only if the old key had write access and the consumer still needs to push; otherwise leave the new key read-only.
  9. Click on the “Add key” button to add the new deployment key to the repository.
  10. Update the deployment key in your deployment pipeline or any other relevant services that use the key, and confirm they can still access the repository with the new key.
  11. Back on the “Deploy keys” page, click on the “Delete” button next to the old deployment key and confirm the deletion in the pop-up window.

By following these steps, you can remediate the “Repo Deployment Keys Rotated” misconfiguration in GitHub using the GitHub console.

Using CLI

To remediate the misconfiguration of stale deployment keys in a GitHub repository using the GitHub CLI, you can follow these steps. Note that gh ssh-key manages the SSH keys on your own user account, not repository deploy keys; deploy keys are managed through the REST API, which gh api wraps.

  1. Open a terminal or command prompt and ensure that you have the GitHub CLI installed on your system. If not, you can download it from the official website.

  2. Log in to your GitHub account using the following command:

gh auth login

  3. Select the appropriate authentication method and follow the prompts to complete the login process.

  4. List the existing deploy keys for the repository and note the id, age and access level of the key that needs to be rotated:

gh api repos/<owner>/<repo>/keys --jq '.[] | "\(.id)\t\(.created_at)\tread_only=\(.read_only)\t\(.title)"'

Replace <owner> and <repo> with the repository owner and name.

  5. Generate a new key pair locally. Only the public key is sent to GitHub; the private key goes to the deployment system:

ssh-keygen -t ed25519 -f ./deploy_key_new -N "" -C "deploy key for <repo>"

  6. Add the new public key as a deploy key to the repository. Keep read_only=true unless the consumer really needs push access:

gh api -X POST repos/<owner>/<repo>/keys -f title="<title>" -f key="$(cat ./deploy_key_new.pub)" -F read_only=true

Replace <title> with a descriptive title for the key.

  7. Install the new private key in your deployment pipeline or any other service that uses the key, and confirm it can still clone (or push to) the repository.

  8. Only then remove the old deploy key, replacing <key-id> with the id noted in step 4:

gh api -X DELETE repos/<owner>/<repo>/keys/<key-id>

  9. Verify that only the new deployment key remains by listing the keys again:

gh api repos/<owner>/<repo>/keys --jq '.[] | "\(.id)\t\(.title)"'

This will display a list of all the deployment keys associated with the repository.

  10. Finally, update any relevant documentation or scripts to reflect the changes made.

By following these steps, you can remediate the misconfiguration of stale deployment keys in a GitHub repository using the GitHub CLI.

Using Python

To remediate the misconfiguration of stale deployment keys in a GitHub repository using Python, you can follow these steps with the PyGithub library. As with the console and CLI, register the new key and switch the consumer over before deleting the old one:

  1. Register a new deployment key for the repository. PyGithub does not generate the key pair; create it locally (for example with ssh-keygen) and pass only the public key.
from github import Github

# Authenticate to GitHub using a personal access token with admin rights on the repository
g = Github("YOUR_ACCESS_TOKEN")

# Get the repository object
repo = g.get_repo("OWNER/REPO_NAME")

# Register the new public key as a deploy key. read_only defaults to False in
# PyGithub, so request a read-only key explicitly unless the consumer must push.
new_key = repo.create_key("New Deployment Key", "YOUR_PUBLIC_KEY", read_only=True)
  2. Update the deployment key in your deployment environment, such as your CI/CD pipeline, with the new private key, and confirm it can reach the repository. update_deployment_key is a placeholder for your own pipeline code; PyGithub has no such function.
# Placeholder: install the new private key in the deployment environment
update_deployment_key(new_key)
  3. Remove the old deployment key from the repository.
# Get the old deployment key object (get_key takes the numeric key id, as listed by repo.get_keys())
old_key = repo.get_key(OLD_KEY_ID)

# Delete the old deployment key
old_key.delete()

By following these steps, you can remediate the misconfiguration of stale deployment keys in a GitHub repository using Python.
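The steps above leave two things to the reader: deciding which keys are stale, and performing the rotation in an order that cannot leave a pipeline with no working key. The script below is an added example, not the page's or PyGithub's code. It reads the deploy-key records in the shape returned by GET /repos/{owner}/{repo}/keys, flags keys older than a 90-day threshold (the page states no threshold, so that number is an assumption), and rotates one key add-before-delete, rolling the new key back if the consumer cannot use it. The transport is injectable: GitHubTransport makes the real REST calls with a token, and FakeTransport is a constructed in-memory stand-in so the logic runs offline. The sample keys, repository name, public key string and the rotate_deploy_key/update_consumer names are all invented for the example.

```python
"""Stale-deploy-key detection and add-before-delete rotation (added example)."""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Rotation policy threshold; the page does not state one, 90 days is an assumption.
MAX_KEY_AGE = timedelta(days=90)

# Constructed sample of what GET /repos/{owner}/{repo}/keys returns (fields trimmed).
SAMPLE_KEYS = [
    {"id": 101, "title": "ci-deploy", "key": "ssh-ed25519 AAAA...old", "created_at": "2023-01-15T10:00:00Z", "read_only": False},
    {"id": 102, "title": "docs-mirror", "key": "ssh-ed25519 AAAA...ro", "created_at": "2023-11-02T09:30:00Z", "read_only": True},
    {"id": 103, "title": "fresh-key", "key": "ssh-ed25519 AAAA...new", "created_at": "2024-05-20T12:00:00Z", "read_only": False},
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" for the constructed sample


def parse_created_at(ts):
    """GitHub timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stale_keys(keys, now=None, max_age=MAX_KEY_AGE):
    """Deploy keys older than max_age, write-capable keys first (they matter most)."""
    now = now or datetime.now(timezone.utc)
    stale = [k for k in keys if now - parse_created_at(k["created_at"]) > max_age]
    return sorted(stale, key=lambda k: (k["read_only"], k["id"]))


class GitHubTransport:
    """Real transport: authenticated REST calls against api.github.com (not used offline)."""
    def __init__(self, token):
        self.token = token

    def request(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request("https://api.github.com" + path, data=data, method=method, headers={
            "Authorization": f"Bearer {self.token}",
            "Accept": "application/vnd.github+json",
            "Content-Type": "application/json",
        })
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else None


class FakeTransport:
    """Constructed in-memory stand-in for the deploy-key endpoints, for offline runs."""
    def __init__(self, keys):
        self.keys = {k["id"]: dict(k) for k in keys}
        self.next_id = max(self.keys, default=0) + 1
        self.log = []  # (method, path) of every call, so tests can check the order

    def request(self, method, path, body=None):
        self.log.append((method, path))
        if method == "GET":
            return list(self.keys.values())
        if method == "POST":
            key = {"id": self.next_id, "created_at": NOW.strftime("%Y-%m-%dT%H:%M:%SZ"), **body}
            self.keys[self.next_id] = key
            self.next_id += 1
            return key
        if method == "DELETE":
            del self.keys[int(path.rsplit("/", 1)[1])]
            return None
        raise ValueError(method)


def rotate_deploy_key(transport, repo, old_key, new_public_key, update_consumer):
    """Rotate one deploy key without an outage: add new, switch consumer, then delete old.

    update_consumer(new_key_record) must install the new private key in the pipeline
    and confirm it can reach the repository; if it raises, the new key is removed
    again and the old key is left untouched.
    """
    base = f"/repos/{repo}/keys"
    new_key = transport.request("POST", base, {
        "title": f"{old_key['title']} (rotated)",
        "key": new_public_key,
        "read_only": old_key["read_only"],  # never widen access during a rotation
    })
    try:
        update_consumer(new_key)
    except Exception:
        transport.request("DELETE", f"{base}/{new_key['id']}")  # roll back; old key still works
        raise
    transport.request("DELETE", f"{base}/{old_key['id']}")
    return new_key


if __name__ == "__main__":
    transport = FakeTransport(SAMPLE_KEYS)
    for key in stale_keys(SAMPLE_KEYS, NOW):
        print(f"stale: id={key['id']} title={key['title']} read_only={key['read_only']}")
    rotated = rotate_deploy_key(transport, "octo-org/octo-repo", transport.keys[101],
                                "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleNewKey deploy@ci",
                                lambda new_key: None)  # real code installs the private key here
    print("rotated to key id", rotated["id"], "remaining keys", sorted(transport.keys))
```

With a real token, replace FakeTransport with GitHubTransport("ghp_...") and pass a key from stale_keys(GitHubTransport.request("GET", ...)); the rotation logic is unchanged. The important design choice is that the old key is deleted last, after update_consumer has proven the new private key works, and that the new key inherits rather than widens the old key's read_only setting.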

Additional Reading: