[feature] pre-submit to prevent exposing keys #897

Closed
1 task done
Tracked by #886
ianlewis opened this issue Sep 22, 2022 · 2 comments
Labels
area:tooling (An issue with project tooling and config)
good first issue (Good issue for first time contributors.)
status:help wanted (Extra attention is needed)
type:feature (New feature or request)

Comments

ianlewis (Member) commented Sep 22, 2022

Add a simple pre-submit that prevents inclusion of private keys or GitHub PAT tokens.

From OpenSSF best practices:

  1. The public repositories MUST NOT leak a valid private credential (e.g., a working password or private key) that is intended to limit public access [no_leaked_credentials]
ianlewis added the type:feature and area:tooling labels on Sep 22, 2022
ianlewis added the status:help wanted and good first issue labels on Oct 19, 2022
ianlewis (Member, Author) commented:

GitHub provides secret scanning for all repos which will alert project maintainers.
https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning

This might be just as good as pre-submits since the secret would be leaked in the PR code anyway. Though I suppose pre-submits would allow the code to be deleted, whereas if it was merged into the repo it could not.

ianlewis (Member, Author) commented:

I think this criterion is met by GitHub secret scanning.
