GitHub has a secret scanning feature that can alert users when they accidentally commit secrets like API tokens.
GitHub partners with service providers (which maintain these API tokens) to detect leaked secrets (https://docs.github.com/en/developers/overview/secret-scanning):
Joining the secret scanning program on GitHub
1. Contact GitHub to get the process started.
2. Identify the relevant secrets you want to scan for and create regular expressions to capture them.
3. For secret matches found in public repositories, create a secret alert service which accepts webhooks from GitHub that contain the secret scanning message payload.
4. Implement signature verification in your secret alert service.
5. Implement secret revocation and user notification in your secret alert service.
I think it would be beneficial for the community if Hex joins this program.
GitHub recently changed the format of the tokens they maintain so if we were to participate, it'd probably make sense to first consider if we should change the format of our tokens too so they could be more easily detected. For example, instead of the token format being ~r/^[a-z0-9]{32}$/, we prefix it with hex_: ~r/^hex_[a-z0-9]{32}$/.
Thoughts?
@Ch4s3 it depends if they will invalidate all the previous tokens or support both formats. It will require all the tokens to be invalid so we must update them.
GitHub at some point showed (or still does) a warning when detecting old token formats.
We will not invalidate existing tokens as it would be too disruptive to users so when adding the new token format we will also be supporting the old one.
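The two points above, the detection regex with a hex_ prefix and continued acceptance of the old format, as an added example in Python (not Hex's own code). The token values and the "committed file" snippet are constructed for illustration; only the two regex shapes come from the issue. It shows why the unprefixed pattern is a poor scanning pattern (any MD5 digest is 32 lowercase hex characters and therefore matches it) while the prefixed one is not, and how a server can validate both formats side by side during the transition:

```python
import re
from typing import Dict, List, Optional

# Token formats from the issue: the legacy bare form and the proposed hex_-prefixed form.
LEGACY_TOKEN_RE = re.compile(r"^[a-z0-9]{32}$")
PREFIXED_TOKEN_RE = re.compile(r"^hex_[a-z0-9]{32}$")

# Scanner variants of the same shapes, unanchored but bounded so that they only fire
# on a standalone run of the right length (a 40-char git SHA must not match).
SCAN_LEGACY_RE = re.compile(r"(?<![a-z0-9_])[a-z0-9]{32}(?![a-z0-9])")
SCAN_PREFIXED_RE = re.compile(r"(?<![a-z0-9_])hex_[a-z0-9]{32}(?![a-z0-9])")

# Constructed sample of committed file contents (not real data):
#  - an MD5 digest, which has exactly the legacy token shape
#  - a git SHA-1, which is longer and must not be reported
#  - one constructed prefixed token and one constructed legacy token
SAMPLE_COMMIT = """\
checksum = "9e107d9d372bb6826bd81d3542a419d6"
commit = "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12"
HEX_API_KEY = "hex_k3v9q2xz8ab7m1cd4ef6gh0jk5lp2n3r"
OLD_HEX_KEY = "k3v9q2xz8ab7m1cd4ef6gh0jk5lp2n3r"
"""


def classify_token(token: str) -> Optional[str]:
    """Server-side check that accepts both formats, as the comment above describes.

    Returns 'prefixed', 'legacy', or None for anything that is not a token shape.
    Note that a legacy match says nothing about whether the value is really a key:
    an MD5 digest classifies as 'legacy' too, which is the false-positive problem.
    """
    if PREFIXED_TOKEN_RE.fullmatch(token):
        return "prefixed"
    if LEGACY_TOKEN_RE.fullmatch(token):
        return "legacy"
    return None


def scan_for_candidates(text: str) -> Dict[str, List[str]]:
    """Run both scanning patterns over file contents and return what each would report."""
    return {
        "legacy": [m.group(0) for m in SCAN_LEGACY_RE.finditer(text)],
        "prefixed": [m.group(0) for m in SCAN_PREFIXED_RE.finditer(text)],
    }


if __name__ == "__main__":
    report = scan_for_candidates(SAMPLE_COMMIT)
    for kind, hits in report.items():
        print(f"{kind}: {len(hits)} candidate(s)")
        for hit in hits:
            print(f"  {hit}  -> classify_token: {classify_token(hit)}")
```

Run against the sample, the legacy pattern reports two candidates (the MD5 digest and the real legacy token) and cannot tell them apart, while the prefixed pattern reports exactly the one prefixed token; the `hex_` prefix is what lets a scanner, and a human reading the alert, know the match is a Hex credential rather than some other 32-character hex string.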