[secret scanning] handling of user exposing their own secrets in comments

[MichaIng]

Select Topic Area

Product Feedback

Body

We recently enabled secret scanning alerts for one of our repo, and it did find a case where an external user accidentally exposed his Telegram token by pasting some raw output from his console.

I find this incredibly helpful, as I could edit the comment to mask this sensitive info, however, I would love to be able to inform this user about it. But he does not have a public email, and I do not want to make others aware of it by pinning him publicly in the related issue. Even when not everyone can see the comment edit history, I hesitate to make even just other repository/orga members aware if it, unnecessarily.

While it is not an exposure in our code or of our secrets, a bot of course cannot know this for sure, and I do find it valuable as well when it is about our users or anyone, exposing any secret on out repository. But the following would be helpful to take more benefit from it:

• Add an additional "Close as" option, like "external/user secret".
• Allow to have GitHub automatically masking the detected secret in the comment, in a way that the secret cannot be found in the edit history, but max a generic entry, stating that a secret has been automatically masked.
• Allow to have the user informed about the incidence by GitHub via primary account email.
• The two above points could be also just strictly implied with the new close option, as this is the only reasonable way to deal with such cases, that I can think of.