Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support GitHub Secret Scanning #1196

Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

Support GitHub Secret Scanning #1196

wants to merge 2 commits into from
+9 −2

Conversation

houllette
Copy link

Changes in this PR are in order to support the Secrets Scanning Partner Program from GitHub.

The most notable change found within is that newly generated user_secrets will now prepend hexpm_ to the base16 encoded strings. e.g. hexpm_316e6532776f3368726565

Other changes are just to support the GitHub webhooks for the Secret Scanning flow.

@ericmj
Copy link
Member

ericmj commented Apr 16, 2024

Hi @houllette! Are you interested in picking up this PR again?

@houllette
Copy link
Author

Hey! I would love to contribute to this more, but I cannot confirm when/if I have the time at the moment - if there is some desire to get this work going by someone else; by all means run with it! I'll be happy just to have been able to cast some light on the feature add 🙂

@supersimple
Copy link
Member

Note for continued work on this feature:
image

Once we've committed to this pattern for keys, we need to email github with the pattern

@supersimple
Copy link
Member

The regexp to submit, based on the code in this PR is: /^hexpm_[0-9a-f]{32}$/

@supersimple
Copy link
Member

hi @houllette - I moved (and continued work) in a different branch that is committed to this repo supersimple/github-secret-scanning
If you want to continue work, let's use that branch since we can both contribute.
I have done my best to leave notes on the parts that are WIP, but also ask questions here if you have any.

Thanks

@ericmj
Copy link
Member

ericmj commented Jun 8, 2024

We are considering using JWTs for some tokens in the future. Are these compatible with the secret scanning program since they do not allow adding a prefix such as hexpm_ without breaking the spec afaict?

@supersimple
Copy link
Member

We are considering using JWTs for some tokens in the future. Are these compatible with the secret scanning program since they do not allow adding a prefix such as hexpm_ without breaking the spec afaict?

well, yes. JWTs couldn't use a prefix. Also, one reason to use JWTs are their short TTLs, so I don't think the GH secret scanning would be of much help.

@houllette
Copy link
Author

@ericmj could you help me understand the intended usage of JWTs in the future? While they would have a shorter TTL in the event of a leakage - unfortunately they would still be usable until that point.

I've had to go down the path of revoking JWTs before and it's not a particularly fun one, but it depends on the use case.

@ericmj
Copy link
Member

ericmj commented Jun 9, 2024

We want to use JWTs to be able to do authentication at the edge/CDN. Right now every request for a private package also hits our API which is bad for scaling reasons. A possible solution for this would be to hit the API once to generate a JWT and use that for later repository/package requests.

Users may want to move this JWT around depending on their CI setup which could leak it in output but it's probably unlikely it would be committed to a repo.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@houllette @ericmj @supersimple