Open kimsterv opened 3 years ago
Some examples from Google VRP program, see here - https://docs.google.com/document/d/10GWKW55YD6ZmHcJmQ2ZFu7jv75zyasHvx2O3yyRrfDI/edit
Don't have access to the doc.
We may check for the presence of the .gitignore file and check that sensitive files, like private key formats and others, are listed. Besides password/private key files, we can also add .bash_history.
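As an added illustration of the .gitignore check proposed above (example code, not Scorecard's own): a Go function that takes .gitignore content and reports which categories of sensitive file it fails to exclude. The sample paths and the simplified pattern matching are assumptions; full gitignore semantics (`**`, directory-only patterns, anchoring) are richer than what is shown here.

```go
package main

import (
	"path"
	"sort"
	"strings"
)

// sensitiveSamples: category of secret-bearing file -> constructed sample path.
var sensitiveSamples = map[string]string{
	"ssh private key": "id_rsa",
	"PEM private key": "deploy/server.pem",
	"shell history":   ".bash_history",
	"dotenv secrets":  ".env",
}
// ignores applies a simplified subset of gitignore semantics: blanks, comments
// and negations ignore nothing; a pattern without a slash matches the base
// name; a pattern containing a slash matches the whole path.
func ignores(pattern, p string) bool {
	pattern = strings.TrimSpace(pattern)
	if pattern == "" || pattern[0] == '#' || pattern[0] == '!' {
		return false
	}
	pattern = strings.Trim(pattern, "/")
	target := p
	if !strings.Contains(pattern, "/") {
		target = path.Base(p)
	}
	ok, err := path.Match(pattern, target)
	return err == nil && ok
}
// uncoveredCategories returns, sorted, the categories of sensitive file that no
// pattern in the given .gitignore content excludes (assumed check logic).
func uncoveredCategories(gitignore string) []string {
	patterns := strings.Split(gitignore, "\n")
	var missing []string
	for category, sample := range sensitiveSamples {
		covered := false
		for _, pat := range patterns {
			if covered = ignores(pat, sample); covered {
				break
			}
		}
		if !covered {
			missing = append(missing, category)
		}
	}
	sort.Strings(missing)
	return missing
}
```

An empty result means every sample category is excluded; a non-empty result lists what the repository's .gitignore still leaves committable.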
Note that GitHub's scanning is enabled by default for public repos.
There's also https://github.blog/2022-12-15-leaked-a-secret-check-your-github-alerts-for-free/, which shows a setting we could use.
This feature does not align with the current project focus. If there is no feedback in the next 7 days to the contrary, then this issue will be closed.
Keeping open as there was interest here: #3399
If this can also check for Snyk secret scanning, the output will be less noisy.
TAC requested adding secret scanning and push protection to the security baseline, ossf/tac#333. This check will be a super helpful verification and audit tool.
A check that something like trufflehog (or other secret scanners) are running would be nice: