Closed pburkholder closed 4 years ago
Along the same lines we could consider scanning all commits made to GitHub in the event that someone makes a bad paste when working in the web UI.
First, GitHub supports token scanning in partnership with cloud providers. In the past, if an AWS key were committed we didn't get notified, so I don't think this is of much use. It is possible that AWS checked the keys against commercial accounts and didn't recognize cloud.gov keys.
We could use the GitHub Action at https://github.com/marketplace/actions/gitleaks for a belt-and-suspenders approach.
In order to [reason/outcome/goal], [someone or "we"] want [a specific change in product implementation/behavior]
This may be a fairly restricted set of patterns to minimize false positives
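To make the "restricted set of patterns" idea concrete, here is an added example (not code from this issue, the cloud.gov project, or gitleaks) of a small commit-diff scanner: it only inspects lines a commit adds, uses two high-precision AWS rules (a fixed-prefix access key ID, and a secret key that must sit next to its context keyword), and suppresses the well-known placeholder values from AWS documentation. The rule set, the allowlist and the sample diff are all constructed for illustration; the page does not give the format of cloud.gov keys, so no rule for them is attempted here.

```python
import re
from dataclasses import dataclass

# Deliberately small, high-precision rule set (assumption: only formats with a
# fixed prefix or a required context keyword are worth alerting on, to keep
# false positives low). The secret-key rule captures the value in group 1.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws-secret-access-key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?"
        r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
    ),
}

# Placeholder credentials that AWS documentation uses; alerting on them is noise.
ALLOWLIST = {
    "AKIAIOSFODNN7EXAMPLE",
    "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
}


@dataclass(frozen=True)
class Finding:
    file: str
    line: int    # line number in the new version of the file
    rule: str
    secret: str


def scan_diff(diff_text: str) -> list:
    """Return findings for every added line of a unified diff that matches a rule."""
    findings = []
    current_file = None
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):            # new-file header, e.g. "+++ b/path"
            path = raw[4:]
            current_file = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("--- "):
            continue
        hunk = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@", raw)
        if hunk:                              # reset the new-file line counter
            new_line = int(hunk.group(1))
            continue
        if raw.startswith("-"):
            continue                          # removed lines are not in the new tree
        if raw.startswith("+"):
            content = raw[1:]
            for rule_id, pattern in RULES.items():
                for match in pattern.finditer(content):
                    secret = match.group(match.lastindex or 0)
                    if secret in ALLOWLIST:
                        continue
                    findings.append(Finding(current_file, new_line, rule_id, secret))
        # context lines and added lines both advance the new-file counter
        new_line += 1
    return findings


# Constructed sample diff: the key values below are made up for this example.
SAMPLE_DIFF = """\
diff --git a/config/aws.env b/config/aws.env
--- a/config/aws.env
+++ b/config/aws.env
@@ -1,3 +1,5 @@
 # environment for the deploy job
-AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_ACCESS_KEY_ID=AKIAJ4ZX6PM2EXAMPL3Q
+AWS_SECRET_ACCESS_KEY=fakesecretfortestingonly0123456789abcdEF
 REGION=us-gov-west-1
+# docs example, must not alert: AKIAIOSFODNN7EXAMPLE
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        # Report where the secret is, not the secret itself, so the log stays clean.
        print(f"{f.file}:{f.line}: {f.rule} (value redacted, {len(f.secret)} chars)")
```

Run on the sample, the scanner reports the added access key ID on line 2 and the added secret on line 3, and stays silent on the removed line and on the allowlisted documentation key. In a CI job the same function would be fed `git diff` output for the pushed range and fail the job when the list is non-empty.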
Acceptance Criteria
Security considerations
[note any potential changes to security boundaries, practices, documentation, risk that arise directly from this story]
Implementation sketch
[links to background notes, sketches, and/or relevant documentation]