Scan for leaked credentials in PRs and code diff using TruffleHog OSS 🐷 #414
Comments
@abinash2512 - want to take this one on?
@abinash2512 - I've updated the scope of this ticket to include:
@maoo - after our community discussion today, we recognised that TruffleHog uses the AGPL-3.0 license. Do you think this would be a problem running it as a status check when pull requests are opened? @coopernetes mentioned that running it as an embeddable plugin or assessment layer in Git Proxy itself may be problematic but wanted to see what you think about running it as a GitHub Action?
Yes, I believe so; there are actually 2 things that concern me:
I can seek legal advice, though it could take some time.
I think that leaked credentials is a crucial use case for GitProxy, and we should provide it as a plugin that adheres to the GitProxy 2.x architecture. I also think that we should consider evaluating TruffleHog alternatives; from a quick search I found https://github.com/GitGuardian , but I'm sure there are way more.
Although GitHub's native secret detection is in place, there are various ways secrets can end up in files and commits. Plus, an extra layer of protection never hurts! 👍
To ensure the capture of leaked credentials, an assessment should occur at the pull request level, with PRs blocked if TruffleHog returns any results. Moreover, pull requests should only be mergeable if TruffleHog returns empty.
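Added example, not part of the issue thread or the GitProxy project: a GitHub Actions workflow that implements the status check described above, running TruffleHog OSS as a separate CI process on every pull request and failing the check when it reports a verified secret. The action reference `trufflesecurity/trufflehog@main` and its inputs (`path`, `base`, `head`, `extra_args`) are assumed from TruffleHog's README and should be checked against the current release; the base branch name `main` is also an assumption.

```yaml
# Added example (not from the issue or the GitProxy project).
# Runs TruffleHog OSS on the commits a pull request adds and fails the
# job if any verified credential is found. Action inputs are assumed
# from the TruffleHog README; verify them against the current release.
name: secret-scan

on:
  pull_request:
    branches: [main]   # assumption: "main" is the protected base branch

permissions:
  contents: read       # least privilege: the scan only needs to read the repo

jobs:
  trufflehog:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so base..head can be compared

      - name: Scan PR commits for leaked credentials
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          base: ${{ github.event.repository.default_branch }}
          head: HEAD
          # --only-verified reports credentials TruffleHog could confirm
          # are live, which keeps the blocking check low on false positives.
          extra_args: --only-verified
```

The job exits non-zero when TruffleHog reports a finding, so the PR shows a failed check. To get the "only mergeable if TruffleHog returns empty" behaviour from the issue description, add the job's check name (`trufflehog` here) to the branch protection rule for the base branch as a required status check; without that, the failed check is visible but does not block the merge.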