cloud-gov / caulking

Prevent leaks with gitleaks, and use tests to validate

Scan all `cloud-gov` org repositories for historical leaks #20

Closed pburkholder closed 4 years ago

pburkholder commented 4 years ago

In order to [reason/outcome/goal], [someone or "we"] want [a specific change in product implementation/behavior]

This may be a fairly restricted set of patterns to minimize false positives

Acceptance Criteria


Security considerations

[note any potential changes to security boundaries, practices, documentation, risk that arise directly from this story]

Implementation sketch

[links to background notes, sketches, and/or relevant documentation]

pburkholder commented 4 years ago

Along the same lines we could consider scanning all commits made to GitHub in the event that someone makes a bad paste when working in the WebUI.

First, GitHub supports token scanning in partnership with cloud providers. In the past if an AWS key were committed, we didn't get notified so I don't think this is of much use. It's possible that our AWS checked the keys against commercial accounts, and didn't recognize cloud.gov keys.

We could use GitHub Actions at https://github.com/marketplace/actions/gitleaks, for a belt & suspenders approach.
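One way to carry out the org-wide historical scan the issue asks for, as an added example that is not part of caulking or this thread: it lists every repository in the org with the `gh` CLI, clones full history, runs `gitleaks detect` with a narrowed rule file, and summarises findings per repo and rule without ever printing the secret. It assumes `gh`, `git` and gitleaks v8 are on PATH, and the config path `gitleaks-restricted.toml` is a hypothetical name for the restricted pattern set.

```python
"""Org-wide historical secret scan with gitleaks (added example, not caulking's code)."""
import json
import subprocess
import tempfile
from collections import Counter
from pathlib import Path

ORG = "cloud-gov"
RULES = Path("gitleaks-restricted.toml")  # hypothetical narrowed rule set to limit false positives


def list_repos(org: str) -> list[str]:
    """Full names (owner/repo) of every repository in the org, via the GitHub CLI."""
    out = subprocess.run(
        ["gh", "repo", "list", org, "--limit", "1000",
         "--json", "nameWithOwner", "--jq", ".[].nameWithOwner"],
        check=True, capture_output=True, text=True).stdout
    return out.split()


def scan_repo(full_name: str, workdir: Path) -> list[dict]:
    """Clone the complete history and run gitleaks over every commit.
    gitleaks exits 1 when it finds leaks; any other non-zero code is a real error."""
    dest = workdir / full_name.replace("/", "__")
    subprocess.run(["git", "clone", "--quiet", f"https://github.com/{full_name}.git", str(dest)],
                   check=True)
    report = dest.with_suffix(".json")
    proc = subprocess.run(
        ["gitleaks", "detect", "--source", str(dest), "--config", str(RULES),
         "--report-format", "json", "--report-path", str(report), "--redact"],
        capture_output=True, text=True)
    if proc.returncode not in (0, 1):
        raise RuntimeError(f"gitleaks failed on {full_name}: {proc.stderr}")
    text = report.read_text() if report.exists() else ""
    return json.loads(text) if text.strip() else []


def summarize(findings_by_repo: dict[str, list[dict]]) -> dict[str, Counter]:
    """Count findings per repo and rule ID; repos with no findings are omitted
    and the 'Secret' field is deliberately never read."""
    return {repo: Counter(f["RuleID"] for f in findings)
            for repo, findings in findings_by_repo.items() if findings}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        results = {repo: scan_repo(repo, Path(tmp)) for repo in list_repos(ORG)}
    for repo, counts in summarize(results).items():
        for rule, n in counts.items():
            print(f"{repo}: {n} finding(s) for rule {rule}")
```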