Actual Behavior
The Storyblok detector alerts on access tokens (which are tied to a Storyblok space), but not personal access tokens that access the Storyblok Management API. The REGEX for the personal access tokens is different than the CDN keys.
Suggested Improvements
Update the existing verification check to exclude "Public" access tokens from being marked as valid, since these are meant to be exposed client-side and are not secrets.
There is an argument to be made that "Preview" access tokens should remain private, though the impact is probably not that great, so I believe those should continue to be considered secrets.
There are two other new access token types: "Theme" and "Asset". I'm unclear as to whether they should be considered a secret or not and the Storyblok docs aren't updated yet with details.
Add a new detector for the Storyblok Management API key type. Maybe it's just the same detector with a separate REGEX and a field in extra_data indicating that it's for a different service within Storyblok. These keys have the largest impact.
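The following is an added example sketching the detector shape the suggestions above describe; it is not TruffleHog's or Storyblok's own code. It runs two patterns in one detector, records which Storyblok service a hit belongs to in an extra_data-style map, and refuses to mark a hit as verified when the verification step reports it as a "Public" token. Both token patterns are assumed placeholders (not Storyblok's real formats), and the verification step is an injected function so the example runs offline against constructed sample tokens.

```go
package main

import (
	"fmt"
	"regexp"
)

// Result mirrors the shape of a secret-scanner finding: the raw match,
// whether it verified live, and a free-form extra_data map for context.
type Result struct {
	Raw       string
	Verified  bool
	ExtraData map[string]string
}

// TokenKind is the Storyblok token class a verification step reports.
// "public" tokens are meant to ship client-side and are not secrets.
type TokenKind string

const (
	KindPublic     TokenKind = "public"
	KindPreview    TokenKind = "preview"
	KindManagement TokenKind = "management"
	KindUnknown    TokenKind = "unknown"
)

// Assumed placeholder patterns (not Storyblok's real token formats):
// CDN access tokens are modelled as 22 alphanumerics followed by "tt",
// Management API personal access tokens as "pat_" plus 32 hex digits.
var (
	cdnPattern        = regexp.MustCompile(`\b([0-9A-Za-z]{22}tt)\b`)
	managementPattern = regexp.MustCompile(`\b(pat_[0-9a-f]{32})\b`)
)

// Verifier answers "what kind of token is this?". A live implementation
// would ask Storyblok; the example injects a lookup over constructed data.
type Verifier func(token string) TokenKind

// Scan runs both patterns over data, tags each hit with the Storyblok
// service it belongs to, and marks a hit verified only when it is a real
// secret (preview or management). Public and unknown tokens never verify.
func Scan(data string, verify Verifier) []Result {
	var results []Result
	add := func(re *regexp.Regexp, service string) {
		for _, m := range re.FindAllStringSubmatch(data, -1) {
			tok := m[1]
			kind := verify(tok)
			results = append(results, Result{
				Raw:      tok,
				Verified: kind == KindPreview || kind == KindManagement,
				ExtraData: map[string]string{
					"service":    service,
					"token_kind": string(kind),
				},
			})
		}
	}
	add(cdnPattern, "cdn")
	add(managementPattern, "management")
	return results
}

// Constructed sample tokens and the kind a verifier would report for them
// (not real credentials).
var sampleKinds = map[string]TokenKind{
	"PUBLIC0000000000000000tt":             KindPublic,
	"PREVIEW000000000000000tt":             KindPreview,
	"pat_0123456789abcdef0123456789abcdef": KindManagement,
}

// SampleVerifier stands in for the live check using the constructed table.
func SampleVerifier(tok string) TokenKind {
	if k, ok := sampleKinds[tok]; ok {
		return k
	}
	return KindUnknown
}

// SampleInput is a constructed .env-style blob containing one token of each kind.
const SampleInput = "STORYBLOK_PUBLIC=PUBLIC0000000000000000tt\n" +
	"STORYBLOK_PREVIEW=PREVIEW000000000000000tt\n" +
	"STORYBLOK_MGMT=pat_0123456789abcdef0123456789abcdef\n" +
	"UNRELATED=not-a-token\n"

func main() {
	for _, r := range Scan(SampleInput, SampleVerifier) {
		fmt.Printf("%-40s verified=%-5t service=%-10s kind=%s\n",
			r.Raw, r.Verified, r.ExtraData["service"], r.ExtraData["token_kind"])
	}
}
```

The public CDN token still surfaces as a finding (so a reviewer can see it), but with Verified false and token_kind "public"; only the preview and management hits verify, and the service field tells the consumer which Storyblok API the credential reaches.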