by Everdred2dx 406 days ago
How would you scan for your api keys on repos outside of your organization? I assumed this was a dev’s personal repo.
4 comments

Neat. Thanks!
This was on public GitHub, which anyone can scan for anything. Their API is a firehose you can consume: https://api.github.com/events

GitGuardian's public report on secrets sprawl talks about their methodology of scanning any commit https://www.gitguardian.com/state-of-secrets-sprawl-report-2...

The company I work for does this. I recently pushed an update to a personal repo that just contained a keyword match (the push included a dictionary.txt file which happened to include the company name) which flagged a review.
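A defender-side sketch of the approach the comments above describe: consume PushEvents from the public events feed, look at the pushed content, and grade a hit by whether it matches the company's own key format rather than merely containing the company name (the dictionary.txt false positive). This is added example code, not from any commenter or from GitGuardian; the events and file contents are constructed inline so it runs offline, and the `exco_live_` key format and the company name "ExampleCo" are hypothetical.

```python
import json
import re
from typing import Dict, List

# Constructed sample of what https://api.github.com/events returns (trimmed):
# only PushEvent entries carry commits worth inspecting.
SAMPLE_EVENTS = json.loads("""[
  {"type": "WatchEvent", "repo": {"name": "someone/stars"}},
  {"type": "PushEvent", "repo": {"name": "dev/personal-notes"},
   "payload": {"commits": [{"sha": "a1b2c3", "message": "add config"}]}},
  {"type": "PushEvent", "repo": {"name": "dev/wordlists"},
   "payload": {"commits": [{"sha": "d4e5f6", "message": "dictionary update"}]}}
]""")

# Constructed file contents standing in for what a follow-up fetch of each
# commit would return; a real scanner would call the commits API here.
SAMPLE_BLOBS = {
    "a1b2c3": "EXAMPLECO_API_KEY=exco_live_0123456789abcdef0123456789abcdef\n",
    "d4e5f6": "exampleco\nexamplecorp\nexample\n",  # dictionary.txt-style noise
}

# Hypothetical key format for "ExampleCo": fixed prefix plus 32 hex characters.
KEY_PATTERN = re.compile(r"\bexco_live_[0-9a-f]{32}\b")
KEYWORD = "exampleco"


def push_commits(events: List[dict]) -> List[tuple]:
    """Return (repo, sha) for every commit in every PushEvent."""
    return [(ev["repo"]["name"], c["sha"])
            for ev in events if ev.get("type") == "PushEvent"
            for c in ev["payload"]["commits"]]


def classify(text: str) -> str:
    """'secret' when the company's key format matches, 'keyword' when only
    the company name appears (review-only, like the dictionary.txt case),
    'clean' otherwise."""
    if KEY_PATTERN.search(text):
        return "secret"
    if KEYWORD in text.lower():
        return "keyword"
    return "clean"


def scan(events: List[dict], blobs: Dict[str, str]) -> Dict[str, str]:
    """Map 'repo@sha' to its classification for the commits in the feed."""
    return {f"{repo}@{sha}": classify(blobs.get(sha, ""))
            for repo, sha in push_commits(events)}
```

Grading by key format rather than keyword is what keeps a wordlist push out of the alert queue while a real `exco_live_` token still pages someone.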