detect-secrets
Most secrets are not detected
I'm running detect-secrets on the following file (these are fake values):
```yaml
env:
  PASSWORD: dY^5Ke76gdSiF
  OPSGENIE_API_KEY: oov9e5e9-3ccb-20c3-1097-74gyye7tx42q
  OPSGENIE_API_KEY_URL: https://api.opsgenie.com/v1/json/cloudwatch?apiKey=182663ax-3ccb-20c3-1097-3ol15d0wfu45
  SLACK_WEBHOOK: https://hooks.slack.com/services/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
  SLACK_API_KEY: xoxb-8825133122-0721161319009-2cmV8RhmMaFzb7NyFjXZNfgO
  OKTA_CLIENT_ID: cjjg9h0C61FPeOmmmAmz
  ANODOT_TOKEN: uvqcblfxi1d3ohvwjftgb59e3mba1x98
  GITHUB_TOKEN: 1mlcyz92suir2qzfimaeekzb1goo5lveam15hebm
```
When running with the KeywordDetector plugin disabled, only the SLACK_API_KEY value is detected, and not even by the slack plugin:
```
ERROR: Potential secrets about to be committed to git repo!
Secret Type: Base64 High Entropy String
Location: test.yaml:6
```
What should be configured in order for these secrets to be detected? Why are the slack secrets not detected by the slack plugin?
Thanks
Same here happening with release.
0.14.3 detects some of them by keyword plugin
```json
{
  "hashed_secret": "dc9b6de4a6f71ef9c1131393b1bb64e050292d72",
  "is_verified": false,
  "line_number": 2,
  "type": "Secret Keyword"
},
{
  "hashed_secret": "feb4b6644b66d1e591bb96fb42bc4e06ce2fa65a",
  "is_verified": false,
  "line_number": 3,
  "type": "Secret Keyword"
},
{
  "hashed_secret": "9ed75184449b25a4a079f884b8aacbd47516e4a3",
  "is_verified": false,
  "line_number": 4,
  "type": "Secret Keyword"
},
{
  "hashed_secret": "64a20535ff4cf3a34c0b4ab9fdc09b77db62ed89",
  "is_verified": false,
  "line_number": 6,
  "type": "Secret Keyword"
}
```
Seems that 1.x got weaker by default for the API keys & passwords case.
We're hitting the same problem.
This secret is not detected:
```yaml
env:
  APIKEY: 550e7956f012f471d91a126c635add67
```
This secret is detected:
```yaml
env:
  APIKEY: "550e7956f012f471d91a126c635add67"
```
If I scan the string directly, the HexHighEntropyString plugin detects it:
```
$ detect-secrets scan --string 550e7956f012f471d91a126c635add67
AWSKeyDetector : False
ArtifactoryDetector : False
AzureStorageKeyDetector: False
Base64HighEntropyString: False (3.64)
BasicAuthDetector : False
CloudantDetector : False
DiscordBotTokenDetector: False
GitHubTokenDetector : False
HexHighEntropyString : True (3.64)
IbmCloudIamDetector : False
IbmCosHmacDetector : False
JwtTokenDetector : False
KeywordDetector : False
MailchimpDetector : False
NpmDetector : False
PrivateKeyDetector : False
SendGridDetector : False
SlackDetector : False
SoftlayerDetector : False
SquareOAuthDetector : False
StripeDetector : False
TwilioKeyDetector : False
```
Any idea why the secret is not detected in the file when not quoted?
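For readers triaging the same gap, here is an added example (not from the thread and not detect-secrets' own code): a standalone entropy scanner that reproduces the 3.64 score shown above and compares a matcher that only scores quoted tokens with one that also scores bare YAML scalars. Assumptions: the limits 3.0 and 4.5 are taken to mirror the tool's default hex and base64 limits, the quotes-only matching is a model of the behaviour reported in the comment rather than a confirmed description of the tool, and `MIN_BARE_LEN`, `candidates` and `scan_line` are hypothetical names.

```python
import math
import re
import string
from collections import Counter

# (name, charset, entropy limit). The limits 3.0 and 4.5 are assumed here to
# mirror detect-secrets' default hex and base64 limits; the charsets are ours.
DETECTORS = [
    ("hex", string.hexdigits, 3.0),
    ("base64", string.ascii_letters + string.digits + "+/=-_", 4.5),
]
MIN_BARE_LEN = 20  # hypothetical floor for unquoted values, to limit noise


def shannon_entropy(token):
    """Shannon entropy of token in bits per character."""
    if not token:
        return 0.0
    total = len(token)
    return -sum(n / total * math.log2(n / total) for n in Counter(token).values())


def candidates(line, charset, require_quotes):
    """Return substrings of line that are eligible for entropy scoring."""
    cls = "[" + re.escape(charset) + "]"
    if require_quotes:
        # Only runs of charset characters enclosed in matching quotes.
        return [m.group(2) for m in re.finditer(r"(['\"])(" + cls + r"+)\1", line)]
    # Otherwise treat the whole scalar after "key:" as one candidate.
    value = line.split(":", 1)[-1].strip().strip("'\"")
    if len(value) >= MIN_BARE_LEN and re.fullmatch(cls + "+", value):
        return [value]
    return []


def scan_line(line, require_quotes=True):
    """Return (detector, token, entropy) for each candidate above its limit."""
    findings = []
    for name, charset, limit in DETECTORS:
        for token in candidates(line, charset, require_quotes):
            score = round(shannon_entropy(token), 2)
            if score > limit:
                findings.append((name, token, score))
    return findings


if __name__ == "__main__":
    # Constructed input: the fake value from the comment above, bare and quoted.
    for text in ('  APIKEY: 550e7956f012f471d91a126c635add67',
                 '  APIKEY: "550e7956f012f471d91a126c635add67"'):
        print(repr(text), scan_line(text), scan_line(text, require_quotes=False))
```

The same score of 3.64 clears the hex limit but not the base64 limit, which matches the `True`/`False` split in the `scan --string` output above.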