Add Gitleaks for secret scanning #1951
Conversation
massongit
requested review from
admiralAwkbar,
ferrarimarco,
GaboFDC,
Hanse00,
jwiebalk,
nemchik and
zkoppert
as code owners
|
Can you comment as to why secretlint was preferred over some of the alternatives? Personally, I am a fan of https://github.com/zricethezav/gitleaks |
|
@massongit @JonZeolla Both do seem to allow us to follow our standard of linting a single file at a time. Can you guys come to a consensus on which tool we should adopt? |
|
Thank you for your propose! |
|
I think it might be a good idea to use |
|
@massongit @JonZeolla Awesome guys, we can take this current PR and I can help catch the edges that are missed :) |
admiralAwkbar
added
docker
|
One thing to keep in mind is any of these tools can be really noisy and generate false positives. I suggest including a minimal, high fidelity configuration to start. I do a lot of tuning of these kind of tools in my day job so I'm happy to review/contribute to that part |
|
@massongit @JonZeolla Any help with the I think I got most of it done now for testing |
massongit
changed the title
|
I removed secretlint related code. |
How about applying the default configuration ( https://github.com/zricethezav/gitleaks/blob/master/config/gitleaks.toml ) ? |
Fixes #1856
Proposed Changes
Gitleaks is a SAST tool for detecting hardcoded secrets.
We can notice the committed credentials by adding them as CI.
Readiness Checklist
Author/Contributor
Reviewing Maintainer
breakingif this is a large fundamental changeautomation,bug,documentation,enhancement,infrastructure, orperformance