What kinds of secrets can ripsecrets find? #31
Comments
I investigated and a regression was recently introduced that didn't detect secrets assigned with the Even with that change, though, it still doesn't detect that as a secret, for 2 reasons:
To +1 Sherlock-Holo's original point though -- there's no easy way to tell what secrets e.g. I just tried dropping a yubikey string into a file and running ripsecrets and nothing came up. As it is, the only way to understand what the program does and whether it's useful is to figure out how it works, where the files are, and then decipher the Rust + Regex. It's not ergonomic or safe to use if we don't know whether it can catch what we're trying to protect against. Seems like a very cool tool, but strangely opaque, given its security focus. Again, awesome work -- but there are a lot of decisions and judgements and not much transparency.
@ethanmsl I added a "How it works" section to the README to address your feedback: https://github.com/sirwart/ripsecrets#how-it-works. I hope it helps!
I wrote some simple code like
and hoped ripsecrets would tell me 'you hardcoded the secret in source files', but there was no output
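To make the detection gap discussed in this thread concrete, here is an added example that is not ripsecrets's code and does not reproduce the rules from its README: a minimal scanner that flags a quoted value only when the variable name looks secret-related and the value is both long and high-entropy, run over a constructed sample file. The variable-name pattern, the 16-character minimum and the 3.5-bit entropy threshold are assumptions chosen for illustration. The point it shows is why a short literal such as `"hunter2"` or a low-entropy placeholder passes straight through a scanner of this kind while a long random-looking value assigned to `API_KEY` is reported, which is the sort of question a user of such a tool should be able to answer before relying on it.

```python
import math
import re

# Constructed sample "source file" for the demo; none of these values are real credentials.
SAMPLE_SOURCE = """\
API_KEY = "sk_live_4eC39HqLyjWDarjtT1zdp7dc"
secret_key = 'ZmFrZV9zZWNyZXRfZm9yX2lsbHVzdHJhdGlvbl9vbmx5'
password = "hunter2"
greeting = "hello world this is not a secret"
db_token = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"""

# Assumed heuristics (not ripsecrets's own rules): the variable name must look
# secret-related, and the quoted value must be long and high-entropy.
SECRET_NAME = re.compile(r"(?i)(secret|password|passwd|token|api[_-]?key|private[_-]?key)")
ASSIGNMENT = re.compile(r"""^\s*([A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*['"]([^'"]+)['"]""")


def shannon_entropy(value: str) -> float:
    """Bits per character of the value's empirical character distribution."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(source: str, min_len: int = 16, min_entropy: float = 3.5):
    """Return (findings, skipped): findings are (line_no, variable, entropy) for
    assignments that trip every heuristic; skipped records why a secret-named
    assignment was NOT flagged, so the scanner's misses are visible too."""
    findings, skipped = [], []
    for line_no, line in enumerate(source.splitlines(), start=1):
        m = ASSIGNMENT.match(line)
        if not m:
            continue
        name, value = m.groups()
        if not SECRET_NAME.search(name):
            continue  # ordinary variable name: never considered by this scanner
        if len(value) < min_len:
            skipped.append((line_no, name, f"too short ({len(value)} < {min_len})"))
            continue
        ent = shannon_entropy(value)
        if ent < min_entropy:
            skipped.append((line_no, name, f"low entropy ({ent:.2f} < {min_entropy})"))
            continue
        findings.append((line_no, name, ent))
    return findings, skipped


if __name__ == "__main__":
    found, missed = scan(SAMPLE_SOURCE)
    for line_no, name, ent in found:
        print(f"line {line_no}: {name} looks like a hardcoded secret (entropy {ent:.2f})")
    for line_no, name, why in missed:
        print(f"line {line_no}: {name} not flagged: {why}")
```

Run it as a script and the two long high-entropy values on lines 1 and 2 are reported, while `password` (too short) and `db_token` (32 identical characters, entropy 0) are listed as skipped with the reason. Reporting the skips alongside the hits is the design choice worth copying: it turns "nothing came up" into a statement of which rule the value failed, which is exactly the transparency the thread asks for.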