Yelp / detect-secrets

An enterprise friendly way of detecting and preventing secrets in code.
Apache License 2.0

validity checking of detected secrets? #784

Closed Gby56 closed 8 months ago

Gby56 commented 8 months ago

Just a quick question: are there any plans to implement validity checking of detected secrets?

lorenzodb1 commented 8 months ago

Hi @Gby56, could you please explain what you mean by "validity checking of detected secrets"?

Gby56 commented 8 months ago

Hi! Something like Trufflehog's checks, most of them seem to be pure HTTP requests to use the token and see if it's still valid: https://github.com/trufflesecurity/trufflehog/blob/main/pkg/detectors/slack/slack.go#L91

gpflaum commented 8 months ago

@Gby56 detect-secrets does do secret verification: https://github.com/Yelp/detect-secrets/blob/master/docs/plugins.md#Verified-Secrets. Not all the plug-ins have implemented it, not as many as Trufflehog, but it wouldn't be very difficult for people to add more; the plugin framework supports it.
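
The kind of check discussed above, as an added example that is not part of the thread and is not detect-secrets' or Trufflehog's code: a standalone three-state verifier for Slack-style tokens found in your own code, where a network failure yields "unverified" rather than "invalid". `Verdict`, `TOKEN_RE`, `DEAD`, `fake_transport` and the sample tokens are constructed for illustration; Slack's `auth.test` is the only real endpoint referenced, and it is only contacted if the default transport is used.

```python
import enum
import json
import re
import urllib.request


class Verdict(enum.Enum):           # own enum, not detect-secrets' type
    VERIFIED_FALSE = "rejected by provider"
    UNVERIFIED = "no conclusion"
    VERIFIED_TRUE = "accepted by provider"


# Assumed pattern for Slack-style tokens; tune it for real scanning.
TOKEN_RE = re.compile(r"xox[abprs]-[0-9A-Za-z-]{10,}")
# Slack error codes that mean the credential itself is dead.
DEAD = {"invalid_auth", "token_revoked", "token_expired", "account_inactive"}


def slack_auth_test(token, timeout=5):
    """Live transport: call Slack's auth.test with the token as bearer."""
    req = urllib.request.Request(
        "https://slack.com/api/auth.test", data=b"",
        headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def verify(token, transport=slack_auth_test):
    try:
        body = transport(token)
    except (OSError, ValueError):    # network failure, HTTP error, bad JSON
        return Verdict.UNVERIFIED    # never report "invalid" on an outage
    if not isinstance(body, dict):
        return Verdict.UNVERIFIED
    if body.get("ok") is True:
        return Verdict.VERIFIED_TRUE
    if body.get("error") in DEAD:
        return Verdict.VERIFIED_FALSE
    return Verdict.UNVERIFIED        # e.g. "ratelimited": retry later


def scan(text, transport=slack_auth_test):
    """Return (redacted token, verdict) pairs; full tokens are not returned."""
    return [(m.group()[:9] + "...", verify(m.group(), transport))
            for m in TOKEN_RE.finditer(text)]


# Constructed sample and offline stand-in for the provider (no real tokens).
SAMPLE = "a='xoxb-LIVE-constructed'\nb='xoxb-DEAD-constructed'\nc='xoxb-SLOW-constructed'\n"

def fake_transport(token):
    if "SLOW" in token:
        raise TimeoutError("constructed timeout")
    return {"ok": True} if "LIVE" in token else {"ok": False, "error": "invalid_auth"}
```

Calling `scan(SAMPLE, fake_transport)` runs entirely offline; a `VERIFIED_TRUE` result is the one that should trigger immediate rotation of the credential.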

lorenzodb1 commented 8 months ago

Thank you @gpflaum for helping out answering this issue :)

Gby56 commented 8 months ago

Thank you both! :)