
GitHub secret scanner detects `'google-custom-search-api-key' => 'AIzaSyDpE01VDNNT73s6CEeJRdSg5jukoG244ek'` as a problem secret

Open rfay opened this issue 1 year ago • 4 comments

Describe the bug

GitHub's secret scanner detects this as a secret:

public function fetch($search = null, $options = ['image-viewer' => 'open', 'google-custom-search-api-key' => 'AIzaSyDpE01VDNNT73s6CEeJRdSg5jukoG244ek']  

https://github.com/drush-ops/drush/blob/6a3f0cfe0abab49f42e83602469049506d75035d/examples/Commands/XkcdCommands.php#L25

It's probably private, but the scan alert is in

  • https://github.com/rfay/d11/security/secret-scanning/1

rfay avatar Sep 23 '24 11:09 rfay

That's ok. That code is not actually secret. If these alerts bother folks I suggest only scanning your customer code and not scanning dependencies.

weitzman avatar Sep 23 '24 11:09 weitzman

This isn't a manual scan, it's an automatic GitHub check on checkin of code. And yes, I check in vendor because I'm lazy.

I'm surprised they haven't been pestering you over and over.

rfay avatar Sep 23 '24 11:09 rfay

Is there a code comment which will disable scanning for this file or line?

weitzman avatar Oct 04 '24 12:10 weitzman

I guess this is something we have enabled, and it's a good idea.

  • https://docs.github.com/en/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository

IMO just changing the content of the key to your-key-here might prevent the notification.

It's a great feature. I don't see a way to disable it for one line.

rfay avatar Oct 04 '24 12:10 rfay
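To see locally why the example file trips the scanner and why the suggested `your-key-here` placeholder would not, here is an added example (not code from Drush or from anyone in this thread): a small pre-commit style check that flags Google-API-key-shaped strings. The `AIza` + 35 character shape is an assumption about what the scanner matches, and the PHP fragment is constructed from the line quoted in the issue.

```python
import re
import sys
from typing import List, Tuple

# Assumed shape of a Google API key: "AIza" followed by 35 URL-safe characters.
# Secret scanners match on the shape, so the value need not be a live key.
GOOGLE_API_KEY_RE = re.compile(r"AIza[0-9A-Za-z_-]{35}")

# Constructed sample modelled on examples/Commands/XkcdCommands.php as quoted
# in the issue; the option array carries the key the scanner complained about.
SAMPLE_PHP_WITH_KEY = """<?php
public function fetch($search = null, $options = [
    'image-viewer' => 'open',
    'google-custom-search-api-key' => 'AIzaSyDpE01VDNNT73s6CEeJRdSg5jukoG244ek',
]) {}
"""

# The same fragment with the placeholder weitzman suggested.
SAMPLE_PHP_PLACEHOLDER = SAMPLE_PHP_WITH_KEY.replace(
    "AIzaSyDpE01VDNNT73s6CEeJRdSg5jukoG244ek", "your-key-here")


def find_google_api_keys(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, matched_value) for every key-shaped string."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in GOOGLE_API_KEY_RE.finditer(line):
            hits.append((lineno, m.group(0)))
    return hits


def redact(source: str, placeholder: str = "your-key-here") -> str:
    """Replace every key-shaped value with a placeholder scanners ignore."""
    return GOOGLE_API_KEY_RE.sub(placeholder, source)


if __name__ == "__main__":
    # With file paths on the command line, act as a pre-commit check;
    # otherwise demonstrate on the constructed sample.
    sources = {p: open(p, encoding="utf-8").read() for p in sys.argv[1:]}
    sources = sources or {"<sample>": SAMPLE_PHP_WITH_KEY}
    found = False
    for name, text in sources.items():
        for lineno, key in find_google_api_keys(text):
            found = True
            print(f"{name}:{lineno}: key-shaped value {key[:8]}... would trigger secret scanning")
    print("after redaction:", find_google_api_keys(redact(SAMPLE_PHP_WITH_KEY)))
    sys.exit(1 if found else 0)
```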