Skip to content

feat: introduce enhanced secret scanning #6230

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 13 commits into from
May 13, 2025
Merged

feat: introduce enhanced secret scanning #6230

merged 13 commits into from
May 13, 2025

Conversation

aitchiss
Copy link
Contributor

@aitchiss aitchiss commented May 2, 2025
edited
Loading

🎉 Thanks for submitting a pull request! 🎉

Summary

Closes https://linear.app/netlify/issue/WRFL-2392/update-secret-scanning-to-be-more-generic

If BB sends enhancedSecretScan we conduct a minimal check on env var values that have prefixes known to indicate a private key. We'll likely expand on this in future for more sophisticated detection but it's just a first MVP.

For us to review and ship your PR efficiently, please perform the following steps:

  • Open a bug/issue before writing your code 🧑‍💻. This ensures
    we can discuss the changes and get feedback from everyone that should be involved. If you`re fixing a typo or
    something that`s on fire 🔥 (e.g. incident related), you can skip this step.
  • Read the contribution guidelines 📖. This ensures
    your code follows our style guide and passes our tests.
  • Update or add tests (if any source code was changed or added) 🧪
  • Update or add documentation (if features were changed or added) 📝
  • Make sure the status checks below are successful ✅

A picture of a cute animal (not mandatory, but encouraged)

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented May 2, 2025

This pull request adds or modifies JavaScript (.js, .cjs, .mjs) files.
Consider converting them to TypeScript.

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented May 8, 2025

This pull request adds or modifies JavaScript (.js, .cjs, .mjs) files.
Consider converting them to TypeScript.

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented May 8, 2025

This pull request adds or modifies JavaScript (.js, .cjs, .mjs) files.
Consider converting them to TypeScript.

aitchiss
aitchiss commented May 8, 2025
View reviewed changes
packages/build/src/plugins_core/secrets_scanning/utils.ts
* @param val env var value
* @returns boolean
*/
function isLikelySecretValue(val): boolean {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is pretty simplistic at the moment, but the idea is to catch the low-hanging fruit for now and build on it more later

@aitchiss aitchiss marked this pull request as ready for review May 8, 2025 10:15
@aitchiss aitchiss requested a review from a team as a code owner May 8, 2025 10:15
@aitchiss aitchiss requested review from pieh and mrstork May 8, 2025 10:16
@aitchiss aitchiss self-assigned this May 8, 2025
eduardoboucas
eduardoboucas previously approved these changes May 9, 2025
View reviewed changes
Copy link
Member

@eduardoboucas eduardoboucas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left a few comments, but none are blockers.

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented May 9, 2025

This pull request adds or modifies JavaScript (.js, .cjs, .mjs) files.
Consider converting them to TypeScript.

1 similar comment
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented May 9, 2025

This pull request adds or modifies JavaScript (.js, .cjs, .mjs) files.
Consider converting them to TypeScript.

pieh
pieh reviewed May 9, 2025
View reviewed changes
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented May 9, 2025

This pull request adds or modifies JavaScript (.js, .cjs, .mjs) files.
Consider converting them to TypeScript.

@aitchiss aitchiss requested review from eduardoboucas and pieh May 9, 2025 10:13
eduardoboucas
eduardoboucas previously approved these changes May 9, 2025
View reviewed changes
@github-actions GitHub Actions
Copy link
Contributor

This pull request adds or modifies JavaScript (.js, .cjs, .mjs) files.
Consider converting them to TypeScript.

@github-actions GitHub Actions
Copy link
Contributor

This pull request adds or modifies JavaScript (.js, .cjs, .mjs) files.
Consider converting them to TypeScript.

@github-actions GitHub Actions
Copy link
Contributor

This pull request adds or modifies JavaScript (.js, .cjs, .mjs) files.
Consider converting them to TypeScript.

1 similar comment
@github-actions GitHub Actions
Copy link
Contributor

This pull request adds or modifies JavaScript (.js, .cjs, .mjs) files.
Consider converting them to TypeScript.

@aitchiss aitchiss merged commit cd41d3b into main May 13, 2025
33 checks passed
@aitchiss aitchiss deleted the suzanne/wrfl-2392-update-secret-scanning-to-be-more-generic branch May 13, 2025 13:59
This was referenced May 13, 2025
Merged
Merged
@netlify-circleci netlify-circleci mentioned this pull request Jul 11, 2025
Closed
@netlify-circleci netlify-circleci mentioned this pull request Jul 31, 2025
Merged
This was referenced Aug 11, 2025
Closed
Merged
Closed
This was referenced Sep 2, 2025
Closed
Merged
This was referenced Sep 24, 2025
Merged
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eduardoboucas eduardoboucas eduardoboucas approved these changes

@mrstork mrstork Awaiting requested review from mrstork

@pieh pieh Awaiting requested review from pieh

Assignees

@aitchiss aitchiss

Labels
Adds or modifies js files
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@aitchiss @pieh @eduardoboucas