I have a secret in my main.tf file
provider "github" {
  token        = "jAMQrk2fwYNs" # demo secret - not real don't worry
  organization = "PersonalProjects"
}
My .github/workflows/secret-scanning.yml file looks like the following
name: Run detect-secrets with reviewdog
run-name: Detect Secrets
on:
  push:
    branches:
      - main
jobs:
  secrets-check:
    runs-on: ubuntu-latest
    name: check for secrets
    steps:
      - uses: actions/checkout@v2
      - name: Run detect-secrets with reviewdog
        uses: reviewdog/[email protected]
reviewdog/action-detect-secrets runs detect-secrets (https://github.com/Yelp/detect-secrets) under the hood.

After installing detect-secrets, you can check the list of plugins it uses:
$ detect-secrets --version
1.4.0
$ detect-secrets scan --list-all-plugins
ArtifactoryDetector
AWSKeyDetector
AzureStorageKeyDetector
BasicAuthDetector
CloudantDetector
DiscordBotTokenDetector
GitHubTokenDetector
Base64HighEntropyString
HexHighEntropyString
IbmCloudIamDetector
IbmCosHmacDetector
JwtTokenDetector
KeywordDetector
MailchimpDetector
NpmDetector
PrivateKeyDetector
SendGridDetector
SlackDetector
SoftlayerDetector
SquareOAuthDetector
StripeDetector
TwilioKeyDetector
For your scenario, GitHubTokenDetector is being used.
You can look at its implementation here:
import re

from detect_secrets.plugins.base import RegexBasedDetector

# ...
class GitHubTokenDetector(RegexBasedDetector):
    """Scans for GitHub tokens."""
    secret_type = 'GitHub Token'
    denylist = [
        # ref. https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats/
        re.compile(r'(ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9_]{36}'),
    ]
You can observe the regex being used here. For detection, the token should start with one of these prefixes and its total length should be 40 characters:

- ghp for GitHub personal access tokens
- gho for OAuth access tokens
- ghu for GitHub user-to-server tokens
- ghs for GitHub server-to-server tokens
- ghr for refresh tokens

See Behind GitHub's new authentication token formats for more details.
As an example, I used this sample main.tf file with multiple dummy tokens (generated using the base64 and sha1sum utilities; also edited to add some random alphabets):

provider "github" {
  token1 = "ghp_MabcfMTIzZHVtbXl0b2tlbjEyMzEyMzEyMwo="
  token2 = "ghr_MTIabceIzZHVtbXl0b2tlbjEyMzEyMzEyMwo="
  token3 = "accf30ed92f4c139e9ea2d255e4c8606fbca2651"
}
Here's the output (only the results JSON subobject):
$ detect-secrets scan --all-files | jq '.results'
{
  "main.tf": [
    {
      "type": "GitHub Token",
      "filename": "main.tf",
      "hashed_secret": "e175c6f5f2a92e8623bd9a4820edb4e8c1b0fd10",
      "is_verified": false,
      "line_number": 2
    },
    {
      "type": "GitHub Token",
      "filename": "main.tf",
      "hashed_secret": "81c9f106f028bebcb41c013254854d7c6a1c4319",
      "is_verified": false,
      "line_number": 3
    },
    {
      "type": "Hex High Entropy String",
      "filename": "main.tf",
      "hashed_secret": "6f27f9643e7fd0b969a1c77ee3b0c23351d039c4",
      "is_verified": false,
      "line_number": 4
    }
  ]
}
So, you need to provide tokens that fulfill the detection criteria.
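To make the detection criteria above concrete, here is an added Python example (written for this page, not code from the answer, from reviewdog or from detect-secrets) that re-implements the two checks behind the output shown: the GitHub token regex from GitHubTokenDetector and a Shannon-entropy test on quoted hex strings as HexHighEntropyString does. It runs over a constructed main.tf that reuses the answer's dummy tokens plus the question's original `jAMQrk2fwYNs` value, and reports which lines each check flags. The entropy limit of 3.0 and the SHA-1 hashing of the matched substring are assumptions about detect-secrets defaults; the function and constant names are mine.

```python
"""Toy reproduction of two detect-secrets checks (added example, not the tool itself)."""
import hashlib
import math
import re
from collections import Counter

# Same pattern as detect_secrets' GitHubTokenDetector: a known prefix, an underscore,
# then exactly 36 characters from [A-Za-z0-9_] (40 characters in total).
GITHUB_TOKEN_RE = re.compile(r'(ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9_]{36}')

# Candidate for the hex check: a quoted string made only of hex digits.
HEX_STRING_RE = re.compile(r'["\']([0-9a-fA-F]+)["\']')

# Assumed default threshold of detect-secrets' HexHighEntropyString plugin.
HEX_ENTROPY_LIMIT = 3.0

# Constructed sample file: the answer's three dummy tokens (lines 2-4) plus the
# question's original demo value (line 5). None of these are real credentials.
SAMPLE_MAIN_TF = (
    'provider "github" {\n'
    '  token1 = "ghp_MabcfMTIzZHVtbXl0b2tlbjEyMzEyMzEyMwo="\n'
    '  token2 = "ghr_MTIabceIzZHVtbXl0b2tlbjEyMzEyMzEyMwo="\n'
    '  token3 = "accf30ed92f4c139e9ea2d255e4c8606fbca2651"\n'
    '  token  = "jAMQrk2fwYNs"\n'
    '}\n'
)


def shannon_entropy(s):
    """Bits of entropy per character, as used by the high-entropy plugins."""
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def hash_secret(secret):
    """detect-secrets stores sha1(secret) rather than the secret itself (assumed)."""
    return hashlib.sha1(secret.encode("utf-8")).hexdigest()


def scan_text(text, filename="main.tf"):
    """Return findings shaped like the 'results' entries in detect-secrets output."""
    findings = []
    for line_number, line in enumerate(text.splitlines(), start=1):
        # Check 1: GitHub token format. Note the regex is unanchored, so a token
        # with trailing characters (the '=' from base64) still matches.
        for m in GITHUB_TOKEN_RE.finditer(line):
            findings.append({
                "type": "GitHub Token",
                "filename": filename,
                "hashed_secret": hash_secret(m.group(0)),
                "is_verified": False,
                "line_number": line_number,
            })
        # Check 2: quoted hex string whose entropy exceeds the limit. A value such as
        # "github" or a ghp_ token contains non-hex characters and is never a candidate.
        for m in HEX_STRING_RE.finditer(line):
            if shannon_entropy(m.group(1)) > HEX_ENTROPY_LIMIT:
                findings.append({
                    "type": "Hex High Entropy String",
                    "filename": filename,
                    "hashed_secret": hash_secret(m.group(1)),
                    "is_verified": False,
                    "line_number": line_number,
                })
    return findings


def flagged_lines(text):
    """Compact (line_number, type) view of scan_text for quick comparison."""
    return [(f["line_number"], f["type"]) for f in scan_text(text)]


if __name__ == "__main__":
    for entry in scan_text(SAMPLE_MAIN_TF):
        print(entry)
    # The question's 12-character value on line 5 matches neither check: it has no
    # GitHub prefix and is not a hex string, so these two plugins never report it.
```

Running the block prints one entry per flagged line, matching the line numbers in the answer's JSON (2 and 3 as GitHub Token, 4 as Hex High Entropy String) while line 5 is silent, which is exactly why the original `token = "jAMQrk2fwYNs"` went unreported: it satisfies none of the plugin criteria.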