New check: code is scanning for secrets #30

Open
kimsterv opened this issue Oct 21, 2020 · 10 comments
Labels
kind/new-check New check for scorecard

Comments

@kimsterv
Contributor

No description provided.

@inferno-chromium inferno-chromium added the kind/new-check New check for scorecard label Oct 23, 2020
@mwarkentin

A check that something like trufflehog (or another secret scanner) is running would be nice.

@inferno-chromium
Contributor

Some examples from Google VRP program, see here - https://docs.google.com/document/d/10GWKW55YD6ZmHcJmQ2ZFu7jv75zyasHvx2O3yyRrfDI/edit

@naveensrinivasan
Member

> Some examples from Google VRP program, see here - https://docs.google.com/document/d/10GWKW55YD6ZmHcJmQ2ZFu7jv75zyasHvx2O3yyRrfDI/edit

Don't have access to the doc.

@laurentsimon
Contributor

laurentsimon commented Apr 21, 2021

We may check for the presence of the .gitignore file and check that sensitive files, like private key formats and others, are listed.
Besides password/private key files, we can also add .bash_history.

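One way to implement the .gitignore coverage check described in the comment above, as an added Go example that is not Scorecard's own code: it parses a constructed .gitignore and reports which entries of a constructed list of sensitive file names (private keys, a .env file, .bash_history) would still be committed. The matching is a deliberately simplified subset of gitignore semantics (a slash-free pattern matches the basename anywhere in the tree, a pattern containing a slash is matched against the repo-relative path, a trailing slash marks a directory), and negation patterns are ignored rather than treated as coverage. The sensitive-file list, the sample .gitignore and the function names are all assumptions made for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"path"
	"strings"
)

// sensitiveFiles is a constructed list of repo-relative paths whose leakage
// would expose credentials. It is an example list, not Scorecard's.
var sensitiveFiles = []string{
	"id_rsa",
	"server.pem",
	"deploy.key",
	"secrets/service-account.json",
	".env",
	".bash_history",
}

// parseGitignore returns the effective patterns of a .gitignore body,
// dropping blank lines, comments and negations ("!pattern"): a negation
// re-includes a file, so it must never count as coverage.
func parseGitignore(body string) []string {
	var patterns []string
	sc := bufio.NewScanner(strings.NewReader(body))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, "!") {
			continue
		}
		patterns = append(patterns, line)
	}
	return patterns
}

// ignored reports whether the repo-relative path file is matched by any
// pattern, using a simplified subset of gitignore semantics (see lead-in).
func ignored(patterns []string, file string) bool {
	base := path.Base(file)
	for _, p := range patterns {
		p = strings.TrimPrefix(p, "/")
		switch {
		case strings.HasSuffix(p, "/"):
			// Directory pattern: anything under that directory is ignored.
			dir := strings.TrimSuffix(p, "/")
			if strings.HasPrefix(file, dir+"/") || strings.Contains(file, "/"+dir+"/") {
				return true
			}
		case strings.Contains(p, "/"):
			// Anchored pattern: match against the full relative path.
			if ok, _ := path.Match(p, file); ok {
				return true
			}
		default:
			// Unanchored pattern: match the basename at any depth.
			if ok, _ := path.Match(p, base); ok {
				return true
			}
		}
	}
	return false
}

// uncovered returns the sensitive files that the given .gitignore body
// does not exclude; an empty result means every listed file is covered.
func uncovered(gitignore string) []string {
	patterns := parseGitignore(gitignore)
	var missing []string
	for _, f := range sensitiveFiles {
		if !ignored(patterns, f) {
			missing = append(missing, f)
		}
	}
	return missing
}

// sampleGitignore is a constructed .gitignore that covers key files, .env
// and a secrets directory but forgets bare SSH keys and shell history.
const sampleGitignore = `# constructed sample
*.pem
*.key
.env
secrets/
`

func main() {
	for _, f := range uncovered(sampleGitignore) {
		fmt.Println("not ignored:", f)
	}
}
```

Run as-is, the sample reports id_rsa and .bash_history as not ignored. A real check would also need to fetch the .gitignore from the repository under test and decide how to score the result; the Scorecard thread above does not settle either point.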
@laurentsimon
Contributor

Note that GitHub's scanning is enabled by default for public repos.

@laurentsimon laurentsimon added this to the milestone-q3 milestone Jul 1, 2021
@laurentsimon
Contributor

There's also https://github.blog/2022-12-15-leaked-a-secret-check-your-github-alerts-for-free/, which shows a setting we could use.

@afmarcum
Contributor

afmarcum commented Aug 9, 2023

This feature does not align with the current project focus. If there is no feedback in the next 7 days to the contrary, then this issue will be closed.

@spencerschrock
Member

Keeping open as there was interest here: #3399

@lucasgonze

lucasgonze commented Jan 8, 2024

If this can also check for Snyk secret scanning, the output will be less noisy.

@afmarcum afmarcum moved this to Backlog - Checks in Scorecard - NEW Mar 5, 2024
@afmarcum afmarcum removed this from the milestone-q3 milestone Mar 8, 2024
@Danajoyluck

TAC requested adding secret scanning and push protection to the security baseline, ossf/tac#333. This check will be a super helpful verification and audit tool.

Projects
Status: Backlog - New Checks
Development

No branches or pull requests

9 participants