> > Or is that nonsense?
>
> Yes, that is nonsense.
> 1) secret scanning can be disabled (not even sure it's enabled by default).
> 2) the regexes are fairly specific, length limited, etc.
> 3) GitHub is obviously reviewing regexes that are accepted. Check the list of stuff supported: https://docs.github.com/en/code-security/secret-scanning/sec... A bit sad, they don't publish the list of regexes, etc.
>
> --------------
>
> I added a similar thing to the package manager for Dart / Flutter, because we saw users accidentally publishing secrets. That code is public, it relies on regexes and entropy estimation: https://github.com/dart-lang/pub/blob/eb8ee21a089ebe0f2c2dd8... It was heavily inspired by the researchers in: https://www.ndss-symposium.org/wp-content/uploads/2019/02/nd... Worth a read, and certainly provides motivation for GitHub to do this kind of work :D (disclosure: I work for Google. The opinions stated here are my own)
It's really tiring that people correct other people's misinformation when they themselves haven't read the bold bullet points in "Learn more about secret scanning"[3] and end up totally missing the point.
[1] https://news.ycombinator.com/item?id=34067335
[2] https://news.ycombinator.com/item?id=34067625
[3] https://docs.github.com/en/code-security/secret-scanning/abo...
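The two-layer approach the quoted comment describes (specific, length-limited regexes plus an entropy estimate for everything else), as an added illustration that is not the pub package manager's code nor GitHub's unpublished pattern set. The AWS key shape and the 4.0 bits/char threshold are assumptions for this example, and the sample file is constructed.

```python
import math
import re

# Generic candidate tokens: long runs of base64/hex-like characters. The
# length floor (20) keeps ordinary words and short identifiers out.
CANDIDATE_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")

# Provider-specific pattern (assumed for this example): AWS access key IDs
# are "AKIA" followed by 16 upper-case alphanumerics.
KNOWN_PREFIX_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def shannon_entropy(s: str) -> float:
    """Estimated bits of entropy per character from character frequencies."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secrets(text: str, threshold: float = 4.0) -> list[tuple[int, str, str]]:
    """Return (line_no, token, reason) for tokens that look like secrets."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in KNOWN_PREFIX_RE.finditer(line):
            hits.append((line_no, m.group(0), "known-prefix"))
        for m in CANDIDATE_RE.finditer(line):
            tok = m.group(0)
            if KNOWN_PREFIX_RE.search(tok):
                continue  # already reported by the specific regex
            if shannon_entropy(tok) >= threshold:
                hits.append((line_no, tok, "high-entropy"))
    return hits


# Constructed sample input; the AWS value is the documented example key.
SAMPLE = """\
# constructed sample config, no real credentials
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
db_password = hunter2
long_identifier = applicationConfigurationLoaderFactory
token = "x9Fq2LmZp8Rt4VwYb7Kd1Ns6Hj3Gc5Ae"
"""

if __name__ == "__main__":
    for line_no, tok, reason in find_secrets(SAMPLE):
        print(f"line {line_no}: {reason}: {tok}")
```

Note that the AWS-shaped key scores under 4 bits/char, so the entropy layer alone would miss it; that is why the specific regexes still matter, and why a long camelCase identifier (about 3.9 bits/char here) is not flagged.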