Naming is hard. We wanted an image of something that sits waiting for secrets to fall in and be discovered, and "Lobster Pot" came to mind.
This software scans all code pushed to one or more GitHub organisations, searches it for secrets, and reports any findings to Slack.
It was originally created by Etienne Stalmans and has since been updated and maintained by the Platform Security Team.
It is actively used in various GitHub organisations under the Salesforce Enterprise plan.
It was designed primarily to run on Heroku, but it can run on any platform that supports 12factor apps.
The app receives push event notifications from GitHub. Each push is reviewed and the commits within it are scanned for possible secrets (such as passwords, AWS secret keys, API tokens, etc.).
When a scan produces findings, the application posts a message with the relevant details to a configured Slack channel, which triggers a manual review.
The findings are also stored in the database for statistics and reporting.
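As an added illustration of this flow (example code written for this page, not Lobster Pot's own implementation), the Go program below verifies a push webhook's `X-Hub-Signature-256` header, walks the commits in the payload, scans each added or modified file against two illustrative regexes, and builds the Slack `chat.postMessage` body that would request a manual review. The webhook secret, the push payload, the file contents, the detection rules and the channel name are all constructed for the example; a real deployment fetches file contents through the GitHub API, which the `fetch` parameter (and the `sampleFetch` stand-in) represents.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

type pushEvent struct { // the subset of a GitHub push webhook payload used here
	Repository struct{ FullName string `json:"full_name"` } `json:"repository"`
	Commits    []struct {
		ID              string   `json:"id"`
		Added, Modified []string // encoding/json matches these names case-insensitively
	} `json:"commits"`
}

type finding struct { // one suspected secret: its location and the rule that matched
	Repo, Commit, Path, Rule string
	Line                     int
}

var rules = map[string]*regexp.Regexp{ // illustrative detectors, not Lobster Pot's own
	"aws-access-key-id":  regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`),
	"hardcoded-password": regexp.MustCompile(`(?i)password\s*[:=]\s*["'][^"']{8,}["']`),
}

// sign computes GitHub's X-Hub-Signature-256 header: "sha256=" + hex(HMAC-SHA256(secret, raw body)).
func sign(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return fmt.Sprintf("sha256=%x", mac.Sum(nil))
}

// scanContent runs every rule over each line of one file revision.
func scanContent(repo, commit, path, content string) []finding {
	var out []finding
	for i, line := range strings.Split(content, "\n") {
		for name, re := range rules {
			if re.MatchString(line) {
				out = append(out, finding{repo, commit, path, name, i + 1})
			}
		}
	}
	return out
}

// scanPush verifies the signature in constant time (forged events must not drive the scanner or Slack), then scans each file the commits added or modified; fetch stands for the GitHub contents API.
func scanPush(secret, body []byte, sig string, fetch func(commit, path string) (string, error)) ([]finding, error) {
	if !hmac.Equal([]byte(sign(secret, body)), []byte(sig)) {
		return nil, fmt.Errorf("webhook signature mismatch")
	}
	var ev pushEvent
	if err := json.Unmarshal(body, &ev); err != nil {
		return nil, err
	}
	var all []finding
	for _, c := range ev.Commits {
		for _, p := range append(append([]string{}, c.Added...), c.Modified...) {
			content, err := fetch(c.ID, p)
			if err != nil {
				return nil, err
			}
			all = append(all, scanContent(ev.Repository.FullName, c.ID, p, content)...)
		}
	}
	return all, nil
}

// slackMessage builds the JSON body of a Slack chat.postMessage call requesting manual review; it names locations and rules, never the secret itself.
func slackMessage(channel string, fs []finding) string {
	var b strings.Builder
	fmt.Fprintf(&b, "%d possible secret(s) pushed, please review:\n", len(fs))
	for _, f := range fs {
		fmt.Fprintf(&b, "- %s@%.7s %s:%d (%s)\n", f.Repo, f.Commit, f.Path, f.Line, f.Rule)
	}
	msg, _ := json.Marshal(map[string]string{"channel": channel, "text": b.String()}) // cannot fail
	return string(msg)
}

const sampleBody = `{"repository":{"full_name":"example-org/payments"},"commits":[{"id":"0123456789abcdef0123456789abcdef01234567","added":["config/prod.env"],"modified":["README.md"]}]}` // constructed sample push payload (assumed, not real data)
var sampleFiles = map[string]string{ // constructed file contents served by sampleFetch
	"config/prod.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nDB_PASSWORD=\"correct horse battery\"\n",
	"README.md":       "# payments\nSet PASSWORD via your secret manager, never in git.\n",
}

// sampleFetch stands in for the GitHub contents API; unknown paths read as empty files.
func sampleFetch(_, path string) (string, error) { return sampleFiles[path], nil }

func main() {
	secret, body := []byte("webhook-secret"), []byte(sampleBody) // secret is assumed; read it from config in practice
	findings, err := scanPush(secret, body, sign(secret, body), sampleFetch)
	if err != nil {
		panic(err)
	}
	fmt.Println(slackMessage("#secret-findings", findings))
}
```

Two details matter in practice: the signature must be computed over the raw request body exactly as received (re-serialising the JSON breaks it), and the Slack message reports where a secret was found rather than echoing the matched value, so the alert channel does not itself become a secret sink. The push payload carries file paths but not contents, which is why the scanner needs a separate fetch step against GitHub.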
The backend is written in Go and runs on Heroku or any platform that supports 12factor apps. The detailed configuration is documented in the docs/configuration folder.
A GitHub App is installed in each monitored organisation. It provides organisation-level webhooks that send all push events to our app. The specific configuration can be found here.
A Slack app is installed in each Slack workspace that should receive notifications. The specific configuration can be found here.
See the docs/configuration folder for the specifics.
At least one GitHub organisation and one Slack app must be configured for the app to start.