by jewel 1446 days ago
If vendors agreed to a common prefix on all secret key values then it'd be easy for everyone to add checks, to everything. Something like "_SECRET88_".

Of course, then your secret key checker would need to build that string by concatenating so that it wouldn't set off itself.

3 comments

More and more providers have been adding unique prefixes to their tokens and access keys which makes detection much easier. Ex, GitLab adds `glpat-` to their PAT.

A project I maintain, Gitleaks, can easily detect "unique" secrets and does a pretty good job at detecting "generic" secrets too. In this case, the generic gitleaks rule would have caught the secrets [1]. You can see the full rule definition here [2] and how the rule is constructed here [3].

[1] https://regex101.com/r/CLg9TK/1

[2] https://github.com/zricethezav/gitleaks/blob/master/config/g...

[3] https://github.com/zricethezav/gitleaks/blob/master/cmd/gene...

RFC 8959 registered the 'secret-token:' prefix / URI scheme.

https://www.rfc-editor.org/rfc/rfc8959.html

How about scanning for any string with high entropy? Might be easier to get buy-in if we don’t all have to bike-shed over what the prefix is.

That’s helpful but the token prefixes are also helpful. You might be interested in GitHub’s reasoning at https://github.blog/2021-04-05-behind-githubs-new-authentica...
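A small scanner that puts the thread's ideas side by side, added here as an illustration and not code from Gitleaks, GitHub or any other project: it matches the known vendor prefixes mentioned above (assembled by string concatenation, as jewel suggests, so the scanner's own source does not trip it) and falls back to a Shannon-entropy heuristic for unprefixed strings. The candidate alphabet, the 4.0 bits/char threshold and the sample lines are constructed assumptions for the demo, not values from the thread.

```python
import math
import re
from collections import Counter

# Prefixes are assembled by concatenation so this file never trips its own scanner.
KNOWN_PREFIXES = [
    "glpat" + "-",              # GitLab personal access token
    "secret" + "-" + "token:",  # RFC 8959 URI scheme
]
PREFIX_RES = [re.compile(re.escape(p) + r"[A-Za-z0-9_\-]{8,}") for p in KNOWN_PREFIXES]
# Entropy candidates: 20+ chars from a base64/alnum alphabet (assumed tuning).
CANDIDATE_RE = re.compile(r"[A-Za-z0-9+/=]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character (assumed tuning)


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def scan_line(line: str) -> list[tuple[str, str]]:
    """Return (reason, secret) findings for one line: prefix hits first, then entropy."""
    findings = []
    for prefix, rx in zip(KNOWN_PREFIXES, PREFIX_RES):
        findings += [("prefix:" + prefix, m.group(0)) for m in rx.finditer(line)]
    covered = [s for _, s in findings]
    for m in CANDIDATE_RE.finditer(line):
        tok = m.group(0)
        if any(tok in s for s in covered):
            continue  # already reported under its vendor prefix
        if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
            findings.append(("high-entropy", tok))
    return findings


def scan(text: str) -> list[tuple[int, str, str]]:
    """Scan a blob of text; returns (line_no, reason, secret) triples."""
    return [(i, r, s) for i, line in enumerate(text.splitlines(), 1)
            for r, s in scan_line(line)]


# Constructed sample input (fake values, not real credentials).
SAMPLE = "\n".join([
    'GITLAB_TOKEN = "glpat-Ab12Cd34Ef56Gh78Ij90"',
    'url = "https://api.example.com/?token=secret-token:abc123def456"',
    'API_KEY = "kd8F2nQ9xL1pR7vZ3wT6yH4jM0bN5cV8"',
    'greeting = "hello world this is a normal string"',
    'PADDING = "' + "a" * 24 + '"',  # long but low entropy: not flagged
])
```

Running `scan(SAMPLE)` reports the two prefixed tokens by their prefix and the third key only via entropy, while the plain sentence and the low-entropy padding produce nothing, which is the trade-off the last two comments describe.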