Add Gitleaks for secret scanning #1951
Conversation
Can you comment as to why secretlint was preferred over some of the alternatives? Personally, I am a fan of https://github.com/zricethezav/gitleaks
@massongit @JonZeolla Both do seem to allow us to follow our standard of linting a single file at a time. Can you guys come to a consensus on which tool we should adopt?
Thank you for your proposal!
I think it might be a good idea to use
@massongit @JonZeolla Awesome guys, we can take this current PR and I can help catch the edges that are missed :)
One thing to keep in mind is any of these tools can be really noisy and generate false positives. I suggest including a minimal, high-fidelity configuration to start. I do a lot of tuning of these kinds of tools in my day job, so I'm happy to review/contribute to that part.
@massongit @JonZeolla Any help with the I think I got most of it done now for testing
I removed secretlint related code.
How about applying the default configuration (https://github.com/zricethezav/gitleaks/blob/master/config/gitleaks.toml)?
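As an added illustration of the noise point above (example code written here, not part of this PR or of gitleaks), the following compares a generic "long random-looking string" rule with a format-anchored rule over a constructed file. The sample file is made up; the access key id is the public placeholder value and the hex strings are arbitrary.

```python
import math
import re

# Constructed sample file, not taken from the PR; the AWS key id is the
# documented placeholder value and the hashes are arbitrary hex.
SAMPLE_FILE = """\
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
commit = 3f786850e387550fdab836ed7e6dc881de23001b
build_id = 9a7c1e4fd0b2a8e6c53d1f7b8e9a0c2d
password = hunter2
"""

# Noisy rule: any long alphanumeric run that "looks random".
GENERIC_TOKEN = re.compile(r"[A-Za-z0-9]{32,}")
# High-fidelity rule: AWS access key ids have a fixed prefix and length.
AWS_ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, the usual 'random-looking' heuristic."""
    total = len(s)
    return -sum(
        (n / total) * math.log2(n / total)
        for n in (s.count(c) for c in set(s))
    )


def scan_generic(text: str, min_entropy: float = 3.0) -> list[tuple[int, str]]:
    """Entropy rule: flags commit SHAs and build ids as loudly as real keys."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in GENERIC_TOKEN.finditer(line):
            if shannon_entropy(m.group(0)) >= min_entropy:
                hits.append((lineno, m.group(0)))
    return hits


def scan_high_fidelity(text: str) -> list[tuple[int, str]]:
    """Format-anchored rule: only strings with the provider's key shape."""
    return [
        (lineno, m.group(0))
        for lineno, line in enumerate(text.splitlines(), start=1)
        for m in AWS_ACCESS_KEY_ID.finditer(line)
    ]


if __name__ == "__main__":
    print("generic:      ", scan_generic(SAMPLE_FILE))       # two false positives, key missed
    print("high fidelity:", scan_high_fidelity(SAMPLE_FILE))  # only the key id
```

The generic rule reports the commit SHA and build id but misses the 20-character key id, which is the kind of result that makes an unconfigured scanner fail every PR for the wrong reasons.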
Fixes #1856
Proposed Changes
Gitleaks is a SAST tool for detecting hardcoded secrets.
We can notice committed credentials by adding it to CI.
Readiness Checklist
Author/Contributor
Reviewing Maintainer
Label as breaking if this is a large fundamental change; label as automation, bug, documentation, enhancement, infrastructure, or performance