Let secret scanning and push protection check for plaintext org- and repo-level actions secrets

[bzanin-wdc]

Select Topic Area

Product Feedback

Body

Secret scanning and push protection are very useful - in our case scanning for non-provider patterns like GPG and SSH keys in particular, less so for external "provider pattern" API keys. It is also useful that GitHub Actions automatically recognizes and elides the plaintext version of org-level and repo-level Action secrets when they appear in job logs.

However there is a functionality gap in secret scanning and push protection: the list of non-provider patterns cannot currently be configured to include Actions secrets. It would be very useful for us to be able to catch the case where a developer commits and pushes a set of plaintext credentials that should have been a reference to an Actions secret instead, primarily so we can immediately rotate the secret but secondarily so we can track back upstream to the process gaps that allowed the plaintext secret to even be known.

At the moment this desire can only really be implemented with a large set of custom patterns manually mirroring the org-level secrets, awkwardly maintained in sync with the rotation of these secrets, and in a way that then makes quite public the very values that we actually want to keep secret.

It ain't great but our need is definitely practical, not theoretical.