
ReviewDog Secrets Not Detecting TF Secrets


I have a secret in my main.tf file

provider "github" {
  token = "jAMQrk2fwYNs" # demo secret - not real don't worry
  organization = "PersonalProjects"
}

My .github/workflows/secret-scanning.yml file looks like the following

name: Run detect-secrets with reviewdog
run-name: Detect Secrets
on:
  push:
    branches:
      - main

jobs:
  secrets-check:
    runs-on: ubuntu-latest
    name: check for secrets
    steps:
      - uses: actions/checkout@v2
      - name: Run detect-secrets with reviewdog
        uses: reviewdog/action-detect-secrets@<version>  # <version> is a placeholder: the original version tag did not survive extraction

Why doesn't my GitHub action fail?


Solution

  • reviewdog/action-detect-secrets runs detect-secrets (https://github.com/Yelp/detect-secrets) under the hood.

    After installing detect-secrets, you can check the list of plugins it uses:

    $ detect-secrets --version
    1.4.0
    
    $ detect-secrets scan --list-all-plugins
    ArtifactoryDetector
    AWSKeyDetector
    AzureStorageKeyDetector
    BasicAuthDetector
    CloudantDetector
    DiscordBotTokenDetector
    GitHubTokenDetector
    Base64HighEntropyString
    HexHighEntropyString
    IbmCloudIamDetector
    IbmCosHmacDetector
    JwtTokenDetector
    KeywordDetector
    MailchimpDetector
    NpmDetector
    PrivateKeyDetector
    SendGridDetector
    SlackDetector
    SoftlayerDetector
    SquareOAuthDetector
    StripeDetector
    TwilioKeyDetector
    

    For your scenario, GitHubTokenDetector is being used.

    You can look at its implementation here:

    # ...
    
    class GitHubTokenDetector(RegexBasedDetector):
        """Scans for GitHub tokens."""
        secret_type = 'GitHub Token'
    
        denylist = [
            # ref. https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats/
            re.compile(r'(ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9_]{36}'),
        ]
    

    You can observe the regex being used here. For detection, the token should start with these prefixes and its total length should be 40 characters.

    • ghp for GitHub personal access tokens
    • gho for OAuth access tokens
    • ghu for GitHub user-to-server tokens
    • ghs for GitHub server-to-server tokens
    • ghr for refresh tokens

    See Behind GitHub’s new authentication token formats for more details.


    As an example, I used this sample main.tf file with multiple dummy tokens (generated using the base64 and sha1sum utilities; also edited to add some random letters):

    provider "github" {
      token1 = "ghp_MabcfMTIzZHVtbXl0b2tlbjEyMzEyMzEyMwo="
      token2 = "ghr_MTIabceIzZHVtbXl0b2tlbjEyMzEyMzEyMwo="
      token3 = "accf30ed92f4c139e9ea2d255e4c8606fbca2651"
    }
    

    Here's the output (only the results JSON subobject):

    $ detect-secrets scan --all-files | jq '.results'
    {
      "main.tf": [
        {
          "type": "GitHub Token",
          "filename": "main.tf",
          "hashed_secret": "e175c6f5f2a92e8623bd9a4820edb4e8c1b0fd10",
          "is_verified": false,
          "line_number": 2
        },
        {
          "type": "GitHub Token",
          "filename": "main.tf",
          "hashed_secret": "81c9f106f028bebcb41c013254854d7c6a1c4319",
          "is_verified": false,
          "line_number": 3
        },
        {
          "type": "Hex High Entropy String",
          "filename": "main.tf",
          "hashed_secret": "6f27f9643e7fd0b969a1c77ee3b0c23351d039c4",
          "is_verified": false,
          "line_number": 4
        }
      ]
    }
    

    So, you need to provide tokens that fulfill the detection criteria.
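As an added illustration (not code from the answer or from detect-secrets itself), the script below reproduces only the GitHubTokenDetector rule quoted above and runs it over a constructed main.tf that contains the questioner's original token alongside the answer's dummy tokens; the sample input, the helper names and the SHA-1 hashing of matches (which is how detect-secrets fills hashed_secret) are assumptions made here.

```python
import hashlib
import re

# Same denylist pattern the answer quotes from detect-secrets' GitHubTokenDetector:
# one of the five prefixes, an underscore, then exactly 36 token characters (40 total).
GITHUB_TOKEN_RE = re.compile(r'(ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9_]{36}')

# Constructed sample input: the questioner's token plus the answer's two dummy tokens.
SAMPLE_MAIN_TF = '''provider "github" {
  token  = "jAMQrk2fwYNs"  # the questioner's token: no GitHub prefix, never matches
  token1 = "ghp_MabcfMTIzZHVtbXl0b2tlbjEyMzEyMzEyMwo="
  token2 = "ghr_MTIabceIzZHVtbXl0b2tlbjEyMzEyMzEyMwo="
}
'''


def scan_github_tokens(text, filename="main.tf"):
    """Return detect-secrets-style findings for every GitHub-format token in text.

    Only the GitHubTokenDetector rule is modelled (no entropy or keyword plugins).
    Each match is reported with its 1-based line number and the SHA-1 hex digest of
    the matched string, the value detect-secrets stores under hashed_secret.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in GITHUB_TOKEN_RE.finditer(line):
            secret = match.group(0)
            findings.append({
                "type": "GitHub Token",
                "filename": filename,
                "hashed_secret": hashlib.sha1(secret.encode("utf-8")).hexdigest(),
                "is_verified": False,
                "line_number": lineno,
            })
    return findings


def has_github_token(text):
    """True when the GitHub token rule reports at least one finding in text."""
    return bool(scan_github_tokens(text))


if __name__ == "__main__":
    for finding in scan_github_tokens(SAMPLE_MAIN_TF):
        print(finding)
    print("questioner's token alone flagged:", has_github_token('token = "jAMQrk2fwYNs"'))
```

Running it shows findings only for lines 3 and 4 of the sample, which is why the workflow in the question stays green: "jAMQrk2fwYNs" has neither a recognised prefix nor the required length.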