-
Notifications
You must be signed in to change notification settings - Fork 448
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support url-safe base64 secrets #245
Changes from 8 commits
e10b9a3
de2cbd8
d61baab
e1fa566
0c9e97e
ab78151
3d0dc36
2cfea37
0115efd
b402f51
ece342b
488334f
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,5 +1,5 @@ | ||
credentials: | ||
some_value_here: not_a_secret | ||
some_value_here: not_secret | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Was this necessary b/c the entropy calculation with the new chars alerted on There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yeah, I don't think we need to be too concerned though because we now have the wordlist filtering. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I'm more concerned that, we'll have large diffs in baseline's when people update detect-secrets. This isn't as concerning as changing a secret type like we did in #26, (where all old secrets were removed and re-added), but it is a little, especially if it reduces TP's to some extent. (We'll see what the data says though, I can't really say how it'll effect signal.) There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Why will we have large diffs? A lot of new secrets? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. If all the e.g. |
||
other_value_here: 1234567890a | ||
CanonicalUserGetSkippedByExcludeLines: 1234567890ab | ||
nested: | ||
|
@@ -11,5 +11,7 @@ list_of_keys: | |
- 234567890a | ||
|
||
test_agent::allowlisted_api_key: 'ToCynx5Se4e2PtoZxEhW7lUJcOX15c54' # pragma: allowlist secret | ||
|
||
high_entropy_binary_secret: !!binary MjNjcnh1IDJieXJpdXYyeXJpaTJidnl1MnI4OXkyb3UwMg== | ||
|
||
# this should be ignored as a potential id | ||
allowlisted_id: 'ToCynx5Se4e2PtoZxEhW7lUJcOX15c54' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We might be able to do
_id
, we'll see what the data says though.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess it depends on whether we want to ignore keys like
BusinessId
. I think at Yelp this isn't likely but it's probably more likely incamelCase
language repos.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's a good point, we do have a lot of python biases.