Secret Detected in README

[RexBelli]

Hello 👋
In the README on this repo, there is a string that Github Secret Scanning detects as a secret:

createTokenAuth("v1.d3d433526f780fbcc3129004e2731b3904ad0b86");

I expect this secret is either no longer valid or entirely fake, and so isn't a security concern. However, it does create an alert whenever someone vendors a version of this repo into their codebase.

Can this be modified so as to not trigger Github Secret Scanning somehow? I would propose a PR, but I'm not sure of the exact regex being used to detect Github App Installation Access Tokens.

Thank you!

[gr2m]

can you change it to v1.1234567890abcdef1234567890abcdef12345678? The secret scanning will run on the pull request so we should find out if it triggers or not

[RexBelli]

Sure thing: #196

[RexBelli]

@gr2m It seems it's still detected by Github Secret Scanning:

[gr2m]

Okay, lets replace all the 1234567890abcdef1234567890abcdef12345678 strings with secret. Would you like to send another PR for that?

[RexBelli]

Sure, if that's what you want. If you prefer to keep a real looking secret in the examples, there may be one that doesn't trigger secret scanning. If you have a contact on the Github Advanced Security team, they may be able to provide some insight.

[gr2m]

yes I'll do that, too :) But all the shown tokens have a different format now, so I'll have to update them anyway. I'd iterate on it, lets unblock you first, then I'll update it again once GitHub gets back to me

[RexBelli]

Ah, nice! In that case, I'm fine holding off. This isn't a pressing issue on our side.

[gr2m]

closing in favor of #197 then

[15MariamS]

The new format of GitHub tokens uses a 32-bit checksum in the last 6 digits of each token; this means that when we scan for GitHub tokens, we can check that the token input matches the checksum and eliminate fake tokens.

In this case, you can use the checksum to generate an example token that we do not alert on.