Open carmal891 opened 7 months ago
My sample from the README is actually using a custom pattern, "RSA Private Key" :)
Once you dry run, publish the pattern and it will be available here! It would be best to further enable the pattern for push protection so it should only show up in the secret-scanning-review-action when it is bypassed!
Thank you for the prompt response. However, my question was whether it is possible to keep the pattern as code rather than utilize the repo UI console, for example something like a .patterns file that is then passed to the action attributes:

```yaml
Secret-Scanning-Job:
  needs: initial-setup-job
  runs-on: ubuntu-latest
  steps:
    - name: Secret Scanning Review Action
      uses: advanced-security/secret-scanning-review-action@v0
      with:
        token: ${{ secrets.SECRET_SCAN_REVIEW_GITHUB_TOKEN }}
        fail-on-alert: true
        fail-on-alert-exclude-closed: false
        patterns-path: .patterns
```

Is something like this feasible?
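To make the "patterns as code" idea concrete, here is an added illustration that is not code from secret-scanning-review-action, GitHub, or anyone in this thread, and not a supported feature of the action. It models a hypothetical `.patterns` file whose entries mirror the fields of a GitHub custom pattern (the secret format plus optional "before secret" and "after secret" context, as described in the custom-patterns documentation), evaluates them against a constructed diff, and applies a `fail-on-alert`-style gate with an optional ignore list. The file format, the `excorp_` token shape, the sample diff contents and all function names are assumptions made for this example; the RSA key material is fake filler.

```python
"""Evaluate secret-scanning style custom patterns kept in a file (hypothetical)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample: one block per pattern, separated by '---', with fields
# modelled on a GitHub custom pattern (secret format, before/after context).
PATTERNS_FILE = r"""
name: RSA Private Key
before: -----BEGIN RSA PRIVATE KEY-----\s*
secret: [A-Za-z0-9+/=\s]{64,}
after: \s*-----END RSA PRIVATE KEY-----
---
name: Example Corp API token
before: (?:^|[^A-Za-z0-9])
secret: excorp_[A-Za-z0-9]{32}
after: (?:$|[^A-Za-z0-9])
"""

# Constructed sample diff; the token and key are fake placeholders.
SAMPLE_DIFF = """\
# config.py (constructed sample, no real credentials)
API_TOKEN = "excorp_0123456789abcdef0123456789abcdef"
PUBLIC_NOTE = "excorp_tooshort"
KEY = '''-----BEGIN RSA PRIVATE KEY-----
QUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJD
QUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJD
-----END RSA PRIVATE KEY-----'''
"""


@dataclass
class Pattern:
    name: str
    regex: re.Pattern


@dataclass
class Finding:
    pattern: str
    line: int
    masked: str


def parse_patterns(text: str) -> List[Pattern]:
    """Parse the 'key: value' blocks into compiled patterns (hypothetical format)."""
    patterns = []
    for block in text.split("\n---\n"):
        fields = {}
        for line in block.strip().splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                fields[key.strip()] = value
        if "secret" not in fields:
            continue
        # 'before' is consumed and 'after' is a lookahead, so only the secret
        # itself lands in the named group (as with GitHub's before/after fields).
        combined = (
            f"(?:{fields.get('before', '')})"
            f"(?P<secret>{fields['secret']})"
            f"(?={fields.get('after', '')})"
        )
        patterns.append(Pattern(fields.get("name", "unnamed"),
                                re.compile(combined, re.MULTILINE)))
    return patterns


def mask(secret: str) -> str:
    """Never surface the full value in output; keep just enough to triage."""
    s = secret.strip()
    return s[:4] + "..." + s[-4:] if len(s) > 12 else "***"


def scan(text: str, patterns: List[Pattern]) -> List[Finding]:
    """Run every pattern over the text and report masked findings with line numbers."""
    findings = []
    for p in patterns:
        for m in p.regex.finditer(text):
            line = text.count("\n", 0, m.start("secret")) + 1
            findings.append(Finding(p.name, line, mask(m.group("secret"))))
    return sorted(findings, key=lambda f: f.line)


def should_fail(findings: List[Finding], ignore: Optional[Set[str]] = None) -> bool:
    """fail-on-alert style gate: any finding whose pattern is not ignored blocks the PR."""
    ignore = ignore or set()
    return any(f.pattern not in ignore for f in findings)


if __name__ == "__main__":
    found = scan(SAMPLE_DIFF, parse_patterns(PATTERNS_FILE))
    for f in found:
        print(f"{f.pattern}: line {f.line}: {f.masked}")
    print("fail:", should_fail(found))
```

The ignore list in `should_fail` is the knob the maintainer's reply mentions as a possible future option: a pattern that is useful for push protection but too noisy for PR comments can be dropped from the gate without being removed from scanning. Findings are always masked before they are printed, so a CI log never becomes a second copy of the secret.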
That would be an amazing update to the product to support patterns as code. I would suggest you drop that feedback to the product team in the community forum: https://github.com/orgs/community/discussions/categories/code-security. The only customization as code today is a paths ignore via secret-scanning.yml.
Unfortunately, it would be a bit out of scope for this project as we are just pulling the secret alerts from the back end. The one area this got me thinking is that maybe it would help out some to provide some ignore list of secrets, if some alerts are maybe even too noisy to show on a PR but might be rolled out via a custom pattern.
The official GitHub secret scanning documentation mentions defining custom patterns for secret scanning:
https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning
Can we enable the same feature using the secret-scanning-review-action?