Secret scanning artifacts

[smokedlinq]

Select Topic Area

Question

Body

Is there support for secret scanning in uploaded artifacts? For instance, we want to make sure that an configuration file isn't added to an artifact with secrets. The best practice we want teams to follow is to apply the secrets at deploy time. Though you know those developers, always doing what they shouldn't. 😉

[90th]

Implement pre-upload checks, CI/CD integration, and enforce policies.

[krabelize]

Yes, there are several approaches and tools you can use to scan uploaded artifacts for secrets and sensitive information. One common approach is to integrate secret scanning into your CI/CD pipeline or artifact repository. Here are some steps you can take:

Static Analysis Tools: Utilize static code analysis tools that are specifically designed to scan code and configuration files for secrets. Examples include TruffleHog, GitLeaks, and Gitleaks.

Custom Scripts: Develop custom scripts or plugins tailored to your specific needs and environment to scan artifacts for secrets. These scripts can be integrated into your CI/CD pipeline to automatically scan artifacts upon upload.

Pre-Commit Hooks: Implement pre-commit hooks in your version control system to prevent developers from committing code or configuration files that contain secrets. These hooks can trigger secret scanning before the code is even committed.

CI/CD Integration: Integrate secret scanning directly into your CI/CD pipeline. For example, you can configure your CI/CD tool (such as Jenkins, GitLab CI/CD, or GitHub Actions) to automatically scan artifacts for secrets as part of the build or deployment process.

Artifact Repository Policies: Set up policies within your artifact repository to block or flag artifacts that contain secrets. Many artifact repositories offer customizable policies and access controls that you can leverage to enforce security measures.

Manual Review: While not automated, manual review by security personnel or designated reviewers can also be an effective way to identify and remove secrets from artifacts before they are deployed.

By implementing one or a combination of these approaches, you can help ensure that sensitive information is not inadvertently included in your artifacts, promoting better security practices within your development teams.

Please markt his as a valid answer if this helps you.

[smokedlinq]

Not quite what I'm looking for, more so the GitHub Advanced Security secret scanning but for artifacts, packages would be nice as well. We have scenarios where teams have sometimes created environment specific configuration files and upload them in the artifacts to use in a later job, even though our practices/policies indicate not to do that and to tokenize the configuration in the job deploying it. This is similar to simple mistakes developers make by putting secrets in commits by accident and secret scanning catching that. Same simple capability, but for artifacts that are being created in workflows.

[aashah]

Hey, I'm on the secret scanning team. Extending the product to other areas like this is definitely on our radar, but it's a long list of things to support. Right now we're tackling wikis, after having brought support to issues & PRs.