Let secret scanning and push protection check for plaintext org- and repo-level actions secrets #126765
Unanswered
bzanin-wdc asked this question in Code Security
Topic Area: Product Feedback
Secret scanning and push protection are very useful - in our case scanning for non-provider patterns like GPG and SSH keys in particular, less so for external "provider pattern" API keys. It is also useful that GitHub Actions automatically recognizes and elides the plaintext version of org-level and repo-level Action secrets when they appear in job logs.
However, there is a functionality gap in secret scanning and push protection: the list of non-provider patterns cannot currently be configured to include Actions secrets. It would be very useful for us to be able to catch the case where a developer commits and pushes a set of plaintext credentials that should have been a reference to an Actions secret instead, primarily so we can immediately rotate the secret, but secondarily so we can track back upstream to the process gaps that allowed the plaintext secret to even be known.
At the moment this desire can only really be implemented with a large set of custom patterns manually mirroring the org-level secrets, awkwardly maintained in sync with the rotation of these secrets, and in a way that then makes quite public the very values that we actually want to keep secret.
It ain't great but our need is definitely practical, not theoretical.
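A workaround that does not require publishing the secret values as custom patterns is to do the comparison inside an Actions job, which already holds the secrets legitimately. This is an added example, not code from the post above and not a GitHub feature: it assumes the workflow exposes the secrets context to the step as a single environment variable (for instance `env: ACTIONS_SECRETS_JSON: ${{ toJSON(secrets) }}`; the variable name is an assumption) and then scans the checked-out tree for each value, both raw and base64-encoded, reporting only the secret's name and a SHA-256 fingerprint, never the value. It runs after the push, so it detects rather than blocks, and it cannot see values that were committed before the secret was rotated to something else.

```python
"""Scan a checked-out tree for plaintext copies of GitHub Actions secrets.

Added example, not from the discussion above. Assumed to run inside an
Actions job whose step has the secrets context passed in as JSON, e.g.
    env:
      ACTIONS_SECRETS_JSON: ${{ toJSON(secrets) }}
The job holds the secret values legitimately; nothing here writes them out.
"""
import base64
import hashlib
import json
import os
import sys
from pathlib import Path

MIN_LEN = 8                          # values shorter than this match everywhere
SKIP_DIRS = {".git", "node_modules"}  # never scan object stores or vendored deps


def load_secrets_from_env(var: str = "ACTIONS_SECRETS_JSON") -> dict:
    """Parse the secrets object the workflow passed in (assumed var name)."""
    raw = os.environ.get(var, "")
    if not raw:
        return {}
    data = json.loads(raw)
    return {
        name: value
        for name, value in data.items()
        if isinstance(value, str)
        and len(value) >= MIN_LEN
        and name.lower() != "github_token"  # ephemeral per-job token, not worth scanning for
    }


def candidate_forms(value: str) -> dict:
    """Encodings under which a secret commonly ends up checked in."""
    return {
        "raw": value,
        "base64": base64.b64encode(value.encode()).decode(),  # kubeconfig / k8s Secret style
    }


def fingerprint(value: str) -> str:
    """Stable identifier for reports and rotation tickets; never reveals the value."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def scan_tree(root, secrets: dict) -> list:
    """Return one finding per (secret, file, line, encoding) hit under root."""
    root = Path(root)
    forms = {name: candidate_forms(v) for name, v in secrets.items()}
    findings = []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if not path.is_file() or any(part in SKIP_DIRS for part in rel.parts):
            continue
        try:
            text = path.read_bytes().decode("utf-8", errors="ignore")
        except OSError:
            continue
        for lineno, line in enumerate(text.splitlines(), 1):
            for name, variants in forms.items():
                for form, needle in variants.items():
                    if needle in line:
                        findings.append({
                            "name": name,
                            "form": form,
                            "path": str(rel),
                            "line": lineno,
                            "fingerprint": fingerprint(secrets[name]),
                        })
    return findings


def main(argv=None) -> int:
    args = argv if argv is not None else sys.argv[1:]
    root = args[0] if args else "."
    secrets = load_secrets_from_env()
    if not secrets:
        print("no scannable secrets in environment", file=sys.stderr)
        return 0
    findings = scan_tree(root, secrets)
    for f in findings:
        # Actions workflow command: annotates the file/line in the run UI.
        print(f"::error file={f['path']},line={f['line']}::plaintext copy of secret "
              f"{f['name']} ({f['form']}, sha256:{f['fingerprint']})")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as a step after `actions/checkout` with `ACTIONS_SECRETS_JSON` set as above; a non-zero exit fails the job and the `::error` annotation points at the offending line, which is enough to trigger rotation without the value ever appearing in the log or in a custom pattern.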