Secret Detected in README #195
Comments
Can you change it to
Sure thing: #196
@gr2m It seems it's still detected by GitHub Secret Scanning:
Okay, let's replace all the
Sure, if that's what you want. If you prefer to keep a real-looking secret in the examples, there may be one that doesn't trigger secret scanning. If you have a contact on the GitHub Advanced Security team, they may be able to provide some insight.
Yes, I'll do that too :) But all the shown tokens have a different format now, so I'll have to update them anyway. I'd iterate on it; let's unblock you first, then I'll update it again once GitHub gets back to me.
Ah, nice! In that case, I'm fine holding off. This isn't a pressing issue on our side.
Closing in favor of #197 then.
The new format of GitHub tokens uses a 32-bit checksum in the last 6 digits of each token; this means that when we scan for GitHub tokens, we can check that the token input matches the checksum and eliminate fake tokens. In this case, you can use the checksum to generate an example token that we do not alert on.
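An added example (not code from this issue or from GitHub's scanner) of using that checksum both ways: to verify a candidate token before raising an alert, and to build a README placeholder that deliberately fails the check. The base62 alphabet order, the 30-character random part, the 36-character body and the `ghs_` prefix are assumptions; GitHub's actual encoding may differ.

```python
import re
import zlib

# Assumed base62 alphabet; the order GitHub actually uses is not stated in the issue.
BASE62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
CHECKSUM_LEN = 6   # 62**6 > 2**32, so six base62 chars hold any CRC32 value
# Assumed token shape: a documented gh?_ prefix followed by 36 base62 characters
TOKEN_RE = re.compile(r"gh[pousr]_[0-9A-Za-z]{36}")


def encode_checksum(random_part: str) -> str:
    """CRC32 of the random part, base62-encoded and left-padded to 6 chars."""
    value = zlib.crc32(random_part.encode("ascii")) & 0xFFFFFFFF
    digits = ""
    while value:
        value, rem = divmod(value, 62)
        digits = BASE62[rem] + digits
    return digits.rjust(CHECKSUM_LEN, BASE62[0])


def checksum_matches(token: str) -> bool:
    """True only if the token has the expected shape and its last 6 chars
    equal the encoded CRC32 of everything between the prefix and them."""
    if not TOKEN_RE.fullmatch(token):
        return False
    body = token.split("_", 1)[1]
    random_part, checksum = body[:-CHECKSUM_LEN], body[-CHECKSUM_LEN:]
    return encode_checksum(random_part) == checksum


def placeholder_token(random_part: str, prefix: str = "ghs_") -> str:
    """Build a realistic-looking documentation token whose checksum is
    deliberately wrong, so a checksum-aware scanner will not alert on it."""
    good = encode_checksum(random_part)
    # Replace the final checksum symbol with the next one in the alphabet.
    bumped = BASE62[(BASE62.index(good[-1]) + 1) % len(BASE62)]
    return prefix + random_part + good[:-1] + bumped


def filter_candidates(text: str) -> list:
    """Scanner side: keep only token-shaped strings whose checksum verifies."""
    return [t for t in TOKEN_RE.findall(text) if checksum_matches(t)]
```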
Hello 👋
In the README on this repo, there is a string that GitHub Secret Scanning detects as a secret:
I expect this secret is either no longer valid or entirely fake, and so isn't a security concern. However, it does create an alert whenever someone vendors a version of this repo into their codebase.
Can this be modified so as to not trigger GitHub Secret Scanning somehow? I would propose a PR, but I'm not sure of the exact regex being used to detect GitHub App Installation Access Tokens.
Thank you!