Secret scanning artifacts #106716
Replies: 3 comments 1 reply
-
Implement pre-upload checks, CI/CD integration, and enforce policies.
-
Yes, there are several approaches and tools you can use to scan uploaded artifacts for secrets and sensitive information. One common approach is to integrate secret scanning into your CI/CD pipeline or artifact repository. Here are some steps you can take:

1. Static Analysis Tools: Utilize static code analysis tools that are specifically designed to scan code and configuration files for secrets. Examples include TruffleHog, GitLeaks, and Gitleaks.
2. Custom Scripts: Develop custom scripts or plugins tailored to your specific needs and environment to scan artifacts for secrets. These scripts can be integrated into your CI/CD pipeline to automatically scan artifacts upon upload.
3. Pre-Commit Hooks: Implement pre-commit hooks in your version control system to prevent developers from committing code or configuration files that contain secrets. These hooks can trigger secret scanning before the code is even committed.
4. CI/CD Integration: Integrate secret scanning directly into your CI/CD pipeline. For example, you can configure your CI/CD tool (such as Jenkins, GitLab CI/CD, or GitHub Actions) to automatically scan artifacts for secrets as part of the build or deployment process.
5. Artifact Repository Policies: Set up policies within your artifact repository to block or flag artifacts that contain secrets. Many artifact repositories offer customizable policies and access controls that you can leverage to enforce security measures.
6. Manual Review: While not automated, manual review by security personnel or designated reviewers can also be an effective way to identify and remove secrets from artifacts before they are deployed.

By implementing one or a combination of these approaches, you can help ensure that sensitive information is not inadvertently included in your artifacts, promoting better security practices within your development teams. Please mark this as a valid answer if this helps you.
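As an added example (not code from the original discussion, and not part of GitHub's secret scanning product), the following Python script shows what the "custom script" plus "CI/CD integration" approach from the answer above looks like in practice: it opens an uploaded zip or tar artifact in memory, scans each text member for well-known credential shapes and for `password = value` style lines, skips deploy-time placeholders such as `${DB_PASSWORD}` (the pattern the question wants teams to use), and exits non-zero so the CI step fails before the artifact is published. The rule names, the entropy threshold, the size limit and the sample artifact are assumptions chosen for illustration; the AWS key in the sample is AWS's own documented example key.

```python
from __future__ import annotations

import io
import math
import re
import sys
import tarfile
import zipfile
from dataclasses import dataclass
from typing import Iterator

MAX_MEMBER_SIZE = 2 * 1024 * 1024  # assumption: secrets live in small config files, skip huge members

# Detection rules. The AWS access key ID shape (AKIA + 16 upper-case alphanumerics) and the
# PEM header are public formats; keyword_assignment is a generic catch-all for config files.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "keyword_assignment": re.compile(
        r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]?([^\s'\"]{8,})"
    ),
}
# Deploy-time placeholders (${VAR}, {{ template }}, <TOKEN>) are the desired practice, so they are allowed.
PLACEHOLDER = re.compile(r"\$\{[^}]*\}|\{\{.*\}\}|<[A-Z_]+>")
MIN_ENTROPY_BITS = 3.0  # assumption: "password" and "changeme" (2.75 bits each) are dummies, not secrets


@dataclass(frozen=True)
class Finding:
    member: str   # path inside the artifact
    line_no: int
    rule: str
    excerpt: str  # redacted value, safe to print in a CI log


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; used to drop obvious placeholder passwords."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(value.count(c) / n * math.log2(value.count(c) / n) for c in set(value))


def redact(value: str) -> str:
    return value[:6] + "*" * max(0, len(value) - 6)


def scan_text(member: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(m.lastindex) if m.lastindex else m.group(0)
            if rule == "keyword_assignment" and (
                PLACEHOLDER.fullmatch(value) or shannon_entropy(value) < MIN_ENTROPY_BITS
            ):
                continue  # deploy-time placeholder or low-entropy dummy value
            findings.append(Finding(member, line_no, rule, redact(value)))
    return findings


def iter_members(blob: bytes) -> Iterator[tuple[str, bytes]]:
    """Yield (name, data) for each regular file in a zip or tar(.gz/.bz2/.xz) archive."""
    buf = io.BytesIO(blob)
    if zipfile.is_zipfile(buf):
        buf.seek(0)
        with zipfile.ZipFile(buf) as zf:
            for info in zf.infolist():
                if not info.is_dir() and info.file_size <= MAX_MEMBER_SIZE:
                    yield info.filename, zf.read(info)
        return
    buf.seek(0)
    with tarfile.open(fileobj=buf, mode="r:*") as tf:
        for info in tf:
            if info.isreg() and info.size <= MAX_MEMBER_SIZE:
                fh = tf.extractfile(info)
                if fh is not None:
                    yield info.name, fh.read()


def scan_artifact(blob: bytes) -> list[Finding]:
    findings: list[Finding] = []
    for name, data in iter_members(blob):
        if b"\x00" in data[:8192]:
            continue  # binary member (compiled code, images); only text members are scanned
        findings.extend(scan_text(name, data.decode("utf-8", errors="replace")))
    return findings


def build_sample_artifact() -> bytes:
    """Constructed sample artifact, not a real build: one bad config, one config that defers
    secrets to deploy time, a PEM key and a fake binary. The password is a made-up value."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("app/config/prod.yml",
                    "db:\n  user: app\n  password: s3cr3t-Pa55w0rd!\naws_access_key_id: AKIAIOSFODNN7EXAMPLE\n")
        zf.writestr("app/config/staging.yml",
                    "db:\n  user: app\n  password: ${DB_PASSWORD}\napi_key: {{ vault('api_key') }}\n")
        zf.writestr("app/certs/server.key",
                    "-----BEGIN RSA PRIVATE KEY-----\nMIIBconstructed\n-----END RSA PRIVATE KEY-----\n")
        zf.writestr("app/bin/server", b"\x7fELF\x00\x00not-really-a-binary")
    return buf.getvalue()


if __name__ == "__main__":
    # CI usage: python scan_artifact.py build/app.zip   (non-zero exit blocks the upload step)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_artifact()
    hits = scan_artifact(blob)
    for f in hits:
        print(f"{f.member}:{f.line_no}: {f.rule}: {f.excerpt}")
    sys.exit(1 if hits else 0)
```

Run without arguments it scans the constructed sample and reports three findings (the hard-coded password and AWS key in prod.yml and the PEM block in server.key) while staying silent on staging.yml, whose values are injected at deploy time. The redaction matters: a CI log that echoes the full matched value would itself become a place the secret leaks to.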
-
Hey, I'm on the secret scanning team. Extending the product to other areas like this is definitely on our radar, but it's a long list of things to support. Right now we're tackling wikis, after having brought support to issues & PRs.
-
Topic area: Question
Is there support for secret scanning in uploaded artifacts? For instance, we want to make sure that a configuration file isn't added to an artifact with secrets. The best practice we want teams to follow is to apply the secrets at deploy time. Though you know those developers, always doing what they shouldn't. 😉