Update stripe rule to not alert on publishable keys #1320
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description:
Stripe does a weird thing with their secrets: they have publishable keys (PK) and secret keys (SK). These abbreviations are used as the prefix for the key material, e.g.,
pk_blahblahblah
andsk_blahblahblah
. The publishable key is deliberately not secret, and it's used to identify the client to their API. Confusingly named if you're in tech; usually pk means private key.This rule checks for both sk and pk, and it should only check for sk. I've updated it to reflect only
sk
values, which are actually secret.Checklist: