I'm submitting a ...
What is the current behavior?
Any file containing something that looks like a JWT (based on it having 2 dots, with the first two segments being base64-encoded JSON) is reported as a secret/credential.
What is the expected behavior?
It should be possible to detect or configure the plugin to allow certain types of JWT.
What is the motivation / use case for changing the behavior?
We also use JWTs for exchanging signed information; this is not secret data, so these tokens are not secrets. However, our tooling is now generating many false positives, which drown out the true positives.
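As an added illustration (not part of the issue or of the plugin's code), the detection heuristic described above together with one possible allowlist rule: tokens whose decoded payload carries a configured `iss` claim are treated as non-secret signed claims and suppressed, while everything else JWT-shaped stays a finding. The regex, the `iss`-based rule and the sample tokens are assumptions constructed for this example.

```python
import base64
import json
import re

# Heuristic from the issue: dot-separated segments whose first two are base64url JSON.
# The exact pattern is an assumption for this example, not the plugin's own regex.
JWT_CANDIDATE = re.compile(r"[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]*")


def _decode_segment(segment):
    """Decode one base64url segment to a JSON object, or None if it is not one."""
    padded = segment + "=" * (-len(segment) % 4)
    try:
        obj = json.loads(base64.urlsafe_b64decode(padded))
    except (ValueError, UnicodeDecodeError):
        return None
    return obj if isinstance(obj, dict) else None


def parse_jwt(candidate):
    """Return (header, payload) if candidate is JWT-shaped, else None. No signature check."""
    parts = candidate.split(".")
    if len(parts) != 3:
        return None
    header, payload = _decode_segment(parts[0]), _decode_segment(parts[1])
    if header is None or payload is None or "alg" not in header:
        return None
    return header, payload


def find_secret_jwts(text, allowed_issuers=frozenset()):
    """Return JWT-like strings in text that should still be flagged.
    Hypothetical allowlist: suppress tokens whose 'iss' names a known public-claims signer."""
    flagged = []
    for match in JWT_CANDIDATE.finditer(text):
        parsed = parse_jwt(match.group(0))
        if parsed is not None and parsed[1].get("iss") not in allowed_issuers:
            flagged.append(match.group(0))
    return flagged


def _make_token(header, payload, signature="c2lnbmF0dXJl"):
    """Assemble a JWT-shaped string from dicts (constructed sample data, not really signed)."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}.{signature}"


# Constructed scan input: one public signed-claims token, one session token, one decoy.
SAMPLE_TEXT = "\n".join([
    "claims: " + _make_token({"alg": "RS256"}, {"iss": "https://signer.example", "sub": "doc-42"}),
    "session: " + _make_token({"alg": "HS256"}, {"iss": "https://auth.example", "sub": "alice"}),
    "decoy: a.b.c",
])
```

Running `find_secret_jwts(SAMPLE_TEXT, frozenset({"https://signer.example"}))` leaves only the session token as a finding; with an empty allowlist both tokens are reported, which is the behaviour the issue describes.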