getsentry / .github

Global repo settings for sentry.io
https://sentry.io

Secret Scanner is not failing/warning on exposed Secrets. #134

Open lucas-zimerman opened 2 months ago

lucas-zimerman commented 2 months ago

Environment

Sentry Capacitor, using the latest version of Sentry Secrets on each run.

Steps to Reproduce

https://github.com/getsentry/sentry-capacitor/pull/688 On this test PR, I added some secrets for testing the Secret Scanner integration, but it seems like it didn't fail or trigger anything (I also included the sample code used in the docs for triggering it).

Expected Result

A warning message or a failed action if secrets were found.

Actual Result

Test passed

Run if [ -e .secret_scan_ignore ]; then
πŸ·πŸ”‘πŸ·  TruffleHog. Unearth your secrets. πŸ·πŸ”‘πŸ·

2024-07-10T15:34:44Z    info-0  trufflehog  running source  {"source_manager_worker_id": "3aoRY", "with_units": true}
2024-07-10T15:34:44Z    info-0  trufflehog  scanning repo   {"source_manager_worker_id": "3aoRY", "unit": ".", "unit_kind": "dir", "repo": "https://github.com/getsentry/sentry-capacitor"}
2024-07-10T15:34:44Z    info-0  trufflehog  finished scanning   {"chunks": 737, "bytes": 2882128, "verified_secrets": 0, "unverified_secrets": 0, "scan_duration": "249.706709ms", "trufflehog_version": "3.79.0"}
kahest commented 2 months ago

@jeffreyhung @mdtro @hubertdeng123 can you take a look please?

mdtro commented 2 months ago

TruffleHog's support for detecting Sentry tokens isn't great. It particularly does not handle our new formats or the org auth tokens. https://github.com/trufflesecurity/trufflehog/blob/e5f6c8d87284376abda55eb2c191be4dd141521e/pkg/detectors/sentrytoken/sentrytoken.go#L29

We're working on some contributions to Trufflehog to detect these with more confidence.

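The detection gap mdtro describes, as an added example that is not part of this thread or of TruffleHog's code: a narrow rule that only knows the classic 64-hex Sentry token (an assumed stand-in, not TruffleHog's real pattern) is run beside a rule for Sentry's `sntrys_`-prefixed org auth tokens over constructed samples, showing how a scan can report zero findings while an org token sits in the diff. The sample tokens are built in the script and are not real credentials.

```python
import base64
import json
import re

# Narrow rule: a 64-hex classic Sentry user auth token near the keyword "sentry".
# Assumed stand-in for a detector written before the newer formats existed;
# it is NOT TruffleHog's actual rule.
NARROW = {
    "legacy_user_token": re.compile(r"(?i)sentry.{0,40}?\b([a-f0-9]{64})\b"),
}

# Broader rule set: also covers org auth tokens, which Sentry issues with the
# fixed "sntrys_" prefix, a base64url payload, "_" and a secret part.
ALL = dict(NARROW)
ALL["org_auth_token"] = re.compile(
    r"\b(sntrys_[A-Za-z0-9_=-]{20,}_[A-Za-z0-9+/=_-]{20,})"
)


def scan(text: str, rules: dict[str, re.Pattern]) -> dict[str, list[str]]:
    """Return {rule_name: [captured tokens]} for every rule that fires on text."""
    hits: dict[str, list[str]] = {}
    for name, pattern in rules.items():
        found = [m.group(1) for m in pattern.finditer(text)]
        if found:
            hits[name] = found
    return hits


def make_org_token() -> str:
    """Build a CONSTRUCTED sntrys_-style token for the sample; not a real credential."""
    payload = json.dumps({"iat": 1720000000, "url": "https://sentry.io", "org": "example-org"})
    encoded = base64.urlsafe_b64encode(payload.encode()).decode()
    return f"sntrys_{encoded}_ConstructedSecretPartNotARealTokenXYZ"


# Constructed snippets of the kind of config that ends up in a PR by mistake.
LEGACY_SAMPLE = "sentry_auth_token = " + "a1b2c3d4" * 8
ORG_SAMPLE = "export SENTRY_AUTH_TOKEN=" + make_org_token()


def demonstrate_gap() -> dict[str, dict[str, list[str]]]:
    """Scan both samples with both rule sets; the narrow set misses the org token."""
    return {
        "narrow_on_legacy": scan(LEGACY_SAMPLE, NARROW),
        "narrow_on_org": scan(ORG_SAMPLE, NARROW),  # {} -> the "Test passed" in the issue
        "all_on_org": scan(ORG_SAMPLE, ALL),
    }


if __name__ == "__main__":
    for label, result in demonstrate_gap().items():
        print(label, "->", result or "no findings")
```
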
chadwhitacre commented 1 week ago

Can we close this?