ossf / scorecard

OpenSSF Scorecard - Security health metrics for Open Source
https://scorecard.dev
Apache License 2.0
4.46k stars, 489 forks

New check: code is scanning for secrets #30

Open kimsterv opened 3 years ago

mwarkentin commented 3 years ago

A check that something like trufflehog (or other secret scanners) is running would be nice.

inferno-chromium commented 3 years ago

Some examples from Google VRP program, see here - https://docs.google.com/document/d/10GWKW55YD6ZmHcJmQ2ZFu7jv75zyasHvx2O3yyRrfDI/edit

naveensrinivasan commented 3 years ago

> Some examples from Google VRP program, see here - https://docs.google.com/document/d/10GWKW55YD6ZmHcJmQ2ZFu7jv75zyasHvx2O3yyRrfDI/edit

Don't have access to the doc.

laurentsimon commented 3 years ago

We may check for the presence of the .gitignore file and check that sensitive files, like private key formats and others, are listed. Besides password/private key files, we can also add .bash_history.
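As an added illustration of the .gitignore idea in the comment above (example code, not part of Scorecard or of this thread), the following Go snippet parses a .gitignore and reports which of a constructed list of sensitive file names it fails to exclude. The sensitive-name list, the sample .gitignore and the simplified matching (a pattern covers a file when its last path element matches the file's basename via path.Match) are assumptions made for this example; real gitignore semantics, such as directory-only patterns and `**`, are not fully modelled.

```go
package main

import (
	"bufio"
	"fmt"
	"path"
	"strings"
)

// sensitiveNames are file names one would expect a .gitignore to exclude
// before they can ever be staged. Constructed for this example, not a list
// maintained by Scorecard.
var sensitiveNames = []string{
	"id_rsa",
	"id_ed25519",
	"secret.pem",
	"server.key",
	".env",
	".bash_history",
	"credentials.json",
}

// parseGitignore returns the active patterns from .gitignore content,
// skipping blank lines, comments and negations ("!pattern"), since a
// negation re-includes files rather than excluding them.
func parseGitignore(content string) []string {
	var patterns []string
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, "!") {
			continue
		}
		patterns = append(patterns, line)
	}
	return patterns
}

// matches reports whether a gitignore pattern covers the given basename.
// Simplification (assumption for this example): a trailing or leading "/"
// is dropped and only the last path element of the pattern is compared,
// using path.Match so globs such as *.pem work.
func matches(pattern, name string) bool {
	pattern = strings.TrimSuffix(pattern, "/")
	pattern = strings.TrimPrefix(pattern, "/")
	last := pattern
	if i := strings.LastIndex(pattern, "/"); i >= 0 {
		last = pattern[i+1:]
	}
	ok, err := path.Match(last, name)
	return err == nil && ok
}

// uncoveredSensitiveFiles returns the sensitive names that no pattern in
// the .gitignore excludes, in the order of sensitiveNames. An empty result
// means every name is covered.
func uncoveredSensitiveFiles(gitignore string) []string {
	patterns := parseGitignore(gitignore)
	var missing []string
	for _, name := range sensitiveNames {
		covered := false
		for _, p := range patterns {
			if matches(p, name) {
				covered = true
				break
			}
		}
		if !covered {
			missing = append(missing, name)
		}
	}
	return missing
}

func main() {
	// Constructed sample .gitignore: ignores keys and .env but not SSH
	// identities, shell history or credentials.json.
	sample := `# build output
/bin/
*.pem
*.key
.env
!.env.example
`
	for _, m := range uncoveredSensitiveFiles(sample) {
		fmt.Println("not ignored:", m)
	}
}
```

A check built this way only says that certain names would be ignored if they appeared; it cannot tell whether a secret has already been committed, which is what a scanner such as trufflehog or GitHub's secret scanning answers.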

laurentsimon commented 3 years ago

Note that GitHub's scanning is enabled by default for public repos.

laurentsimon commented 1 year ago

There's also https://github.blog/2022-12-15-leaked-a-secret-check-your-github-alerts-for-free/, which shows a setting we could use.

afmarcum commented 1 year ago

This feature does not align with the current project focus. If there is no feedback in the next 7 days to the contrary, then this issue will be closed.

spencerschrock commented 1 year ago

Keeping open as there was interest here: #3399

lucasgonze commented 8 months ago

If this can also check for Snyk secret scanning, the output will be less noisy.

Danajoyluck commented 3 months ago

TAC requested adding secret scanning and push protection to the security baseline, ossf/tac#333. This check will be a super helpful verification and audit tool.