-
Notifications
You must be signed in to change notification settings - Fork 503
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New check: code is scanning for secrets #30
Comments
A check that something like trufflehog (or other secret scanners) are running would be nice: |
Some examples from Google VRP program, see here - https://docs.google.com/document/d/10GWKW55YD6ZmHcJmQ2ZFu7jv75zyasHvx2O3yyRrfDI/edit |
Don't have access to the doc. |
We may check for the presence of the .gitignore file and check sensitive files like private keys formats and other are listed. |
Note that Github's scanning is enabled by default for public repos. |
There's also https://github.blog/2022-12-15-leaked-a-secret-check-your-github-alerts-for-free/, which shows a setting we could use. |
This feature does not align with the current project focus. If there is no feedback in the next 7 days to the contrary, then this issue will be closed. |
Keeping open as there was interest here: #3399 |
If this can also check for Snyk secret scanning, the output will be less noisy. |
TAC requested adding secret scanning and push protection to the security baseline, ossf/tac#333. This check will be a super helpful verification and audit tool |
No description provided.
The text was updated successfully, but these errors were encountered: