NASA-IMPACT / admg-backend

Apache License 2.0

Final check on redacting API keys/secrets/passwords and personally identifiable information #599

Closed heidimok closed 6 months ago

heidimok commented 9 months ago

Part of https://github.com/NASA-IMPACT/admg-backend/issues/518 @EJwalker13 has already skimmed through the repo to make sure there wasn't personally-identifiable information currently in the repo (none) when filling out the SRS package but it would definitely be best to use a security tool as a final check.

This issue is to do that final check using a tool.

heidimok commented 9 months ago

@edkeeble Do you have any tips on a specific tool to check both of these? Eli could run it and which would put us in a good place for security.

edkeeble commented 9 months ago

https://github.com/awslabs/git-secrets will scan the repo for text that looks like secrets, passwords, etc. You'll want to run it with git secrets --scan-history to make sure you're checking every commit in the entire history of the repo. It won't scan for PII. There are tools out there that can scan for PII, but they mostly seem to be services which require you to grant access to the github repo (not ideal for a security tool!). Honestly, PII is much less likely to be present in the repo than access keys, etc, so I'd probably just start with git-secrets.
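As an added illustration of why the `--scan-history` advice above matters (this is example code written for this page, not code from the thread, the admg-backend repo, or git-secrets itself): a small scanner run over a constructed two-commit history, where a hard-coded credential is removed in the second commit. The regexes are assumed to approximate the AWS patterns that `git secrets --register-aws` installs, and all key values are made up.

```python
import re

# Approximations of the AWS patterns `git secrets --register-aws` installs
# (assumption: close to, not byte-identical with, the upstream regexes).
PROHIBITED = [
    re.compile(r"(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}"),
    re.compile(r"(?i)aws_?secret_?access_?key\s*(:|=>|=)\s*['\"]?[A-Za-z0-9/+=]{40}"),
]
# Counterpart of `git secrets --add --allowed`: documented dummy values that
# match the patterns above but must not be reported.
ALLOWED = [re.compile(r"AKIAIOSFODNN7EXAMPLE")]

def scan_blob(commit, path, text):
    """Return (commit, path, line_no) for every non-allowed prohibited match."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if any(a.search(line) for a in ALLOWED):
            continue
        if any(p.search(line) for p in PROHIBITED):
            hits.append((commit, path, line_no))
    return hits

def scan_head(history):
    """Like a plain `git secrets --scan`: only files tracked at the latest commit."""
    commit, files = history[-1]
    return [h for path, text in files.items() for h in scan_blob(commit, path, text)]

def scan_history(history):
    """Like `git secrets --scan-history`: every file version in every commit."""
    return [h for commit, files in history
            for path, text in files.items() for h in scan_blob(commit, path, text)]

# Constructed history: c1 hard-codes dummy credentials, c2 moves them to
# environment variables. Every key value here is invented for the example.
HISTORY = [
    ("c1", {
        "config.py": 'AWS_ACCESS_KEY_ID = "AKIAABCDEFGHIJKLMNOP"\n'
                     'AWS_SECRET_ACCESS_KEY = "abcdefghijklmnopqrstuvwxyz0123456789ABCD"\n',
        "README.md": "Example key in the docs: AKIAIOSFODNN7EXAMPLE\n",
    }),
    ("c2", {
        "config.py": 'import os\nAWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]\n'
                     'AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]\n',
        "README.md": "Example key in the docs: AKIAIOSFODNN7EXAMPLE\n",
    }),
]

if __name__ == "__main__":
    print("HEAD only:", scan_head(HISTORY))        # [] -> the checkout looks clean
    print("full history:", scan_history(HISTORY))  # the c1 leak is still in the repo
```

The HEAD-only scan reports nothing, while the history scan still finds both credentials in commit c1, which is exactly the gap a one-time check of the working tree would miss.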

EJwalker13 commented 6 months ago

Security Check Results