Description
UC3 recently had an incident where a secret (a certificate key/pair) was not identified when it was pushed to a public repo. We would like to understand why this happened, and to understand the secret scanning tools available to us, their configuration options, and how to operationalize this process in our workflows.
Organization Level Secret Management
https://github.com/orgs/CDLUC3/security/assessments - runs a scan across all repositories (it seems to include private ones) every 3 months, and gives a high-level overview of secrets detected, secrets leaked (from public repos), and the number of leaks that could have been prevented with push protection.
https://docs.github.com/en/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-generic-secrets - Copilot-based generic secret detection; available to us on public repos.
Private repos - use alternative scanning: add a third-party secret scanner in CI (git-secrets, truffleHog, detect-secrets, etc.) to block secrets in PRs and CI runs.
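As an added illustration of the kind of CI gate those third-party scanners provide (my own example, not code from git-secrets, truffleHog, detect-secrets or any UC3 repo): a minimal check that flags PEM private-key headers, the case from the incident, plus high-entropy tokens in the given files, takes an allowlist for reviewed false positives, and exits non-zero so the job fails. The regexes, the 4.0 bits/char threshold and the sample lines are assumptions.

```python
import math
import re
import sys
from collections import Counter

# PEM headers cover the certificate key/pair case; the entropy rule catches
# opaque tokens (API keys, base64 key material) that no header regex matches.
PEM_KEY_RE = re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed value, tune per repo

SAMPLE = [  # constructed diff content, not real key material
    "# ingest service config",
    "-----BEGIN RSA PRIVATE KEY-----",
    'api_token = "Zx9qLm2vTp8kRn4wYc6hBd3sFg7jKa1e"',
    'placeholder = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"',
]

def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for a repeated character)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_lines(lines, allowlist=frozenset()):
    """Return (lineno, kind, evidence) tuples for lines that look like secrets."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        if PEM_KEY_RE.search(line):
            findings.append((lineno, "private-key", line.strip()))
            continue  # one finding per line is enough to block the push
        for tok in TOKEN_RE.findall(line):
            if tok in allowlist:
                continue  # reviewed false positive, e.g. a public test fixture
            if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "high-entropy", tok[:6] + "..."))
    return findings

if __name__ == "__main__":  # usage: python secret_check.py [files...]
    sources = {}
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            sources[path] = fh.read().splitlines()
    sources = sources or {"<sample>": SAMPLE}  # no files given: scan the sample
    blocked = False
    for path, lines in sources.items():
        for lineno, kind, evidence in scan_lines(lines):
            print(f"{path}:{lineno}: {kind}: {evidence}")
            blocked = True
    sys.exit(1 if blocked else 0)  # non-zero exit blocks the CI job
```

In CI, pass the files changed in the PR (for example the output of `git diff --name-only`) as arguments so only new content is gated.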
Secret categories
GitHub scans for many types of secrets: generic secrets, such as passwords detected with Copilot, and provider secrets, whose patterns are registered by third-party services through GitHub's partner program; matching known provider patterns helps keep false positives low.