
GitHub secret scanning integration #1019

Open · wojtekmach opened this issue Mar 31, 2021 · 3 comments

@wojtekmach (Member)

GitHub has a secret scanning feature that can alert users when they accidentally commit secrets like API tokens.

GitHub partners with service providers (which maintain these API tokens) to detect leaked secrets:

Joining the secret scanning program on GitHub

  • Contact GitHub to get the process started.
  • Identify the relevant secrets you want to scan for and create regular expressions to capture them.
  • For secret matches found in public repositories, create a secret alert service which accepts webhooks from GitHub that contain the secret scanning message payload.
  • Implement signature verification in your secret alert service.
  • Implement secret revocation and user notification in your secret alert service.
  • Provide feedback for false positives (optional).

(https://docs.github.com/en/developers/overview/secret-scanning)

I think it would be beneficial for the community if Hex joins this program.

GitHub recently changed the format of the tokens they maintain so if we were to participate, it'd probably make sense to first consider if we should change the format of our tokens too so they could be more easily detected. For example, instead of the token format being ~r/^[a-z0-9]{32}$/, we prefix it with hex_: ~r/^hex_[a-z0-9]{32}$/.

Thoughts?

@Ch4s3 (Contributor) commented Jul 2, 2022

This seems like a nice feature. Are there downsides to changing the token format?

@yordis (Contributor) commented Jul 17, 2022

@Ch4s3 it depends on whether they will invalidate all the previous tokens or support both formats. It will require all the tokens to be invalid, so we must update them.

GitHub at some point showed (or still does) a warning when detecting old token formats.

@ericmj (Member) commented Aug 19, 2022

We will not invalidate existing tokens, as it would be too disruptive to users, so when adding the new token format we will also be supporting the old one.
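The two patterns from the opening post, searched over constructed file contents, show why the `hex_` prefix matters for a scanner: an unprefixed 32-character `[a-z0-9]` string is indistinguishable from an ordinary hash, while the prefixed form only matches real tokens. The validator at the end accepts both formats, as ericmj's comment describes for the transition period. This is an added illustration, not Hex's or GitHub's code; the patterns are taken from the issue and the sample values are made up.

```python
import re

# Patterns from the issue, unanchored so they can be searched inside a file.
# (The issue writes them as ~r/^...$/ for whole-string checks.)
OLD_TOKEN = re.compile(r"\b[a-z0-9]{32}\b")
NEW_TOKEN = re.compile(r"\bhex_[a-z0-9]{32}\b")

# Constructed sample file contents; none of these values is a real credential.
# The "checksum" line is an MD5 digest, i.e. 32 hex characters that are not a token.
SAMPLE = """\
# constructed config, not a real project file
HEX_API_KEY=hex_a1b2c3d4e5f60718293a4b5c6d7e8f90
checksum=d41d8cd98f00b204e9800998ecf8427e
legacy_key=k7m2p9q4w8e1r5t3y6u0i9o2a5s8d1f4
"""


def scan(text: str, pattern: re.Pattern) -> list[str]:
    """Return the distinct candidate secrets in `text` matched by `pattern`.

    With OLD_TOKEN the MD5 checksum is reported alongside the genuine legacy
    key, so a scanner would have to alert on both. With NEW_TOKEN only the
    prefixed token is reported. Note that `\\b` treats `_` as a word character,
    so OLD_TOKEN does not fire on the tail of a prefixed token.
    """
    return sorted(set(pattern.findall(text)))


def is_valid_token(token: str) -> bool:
    """Whole-string check accepting both the old and the prefixed format.

    Hypothetical helper showing dual-format acceptance during a migration,
    not Hex's actual validation code.
    """
    return re.fullmatch(r"(hex_)?[a-z0-9]{32}", token) is not None


if __name__ == "__main__":
    print("old pattern finds:", scan(SAMPLE, OLD_TOKEN))
    print("new pattern finds:", scan(SAMPLE, NEW_TOKEN))
```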
