Investigate when valid high-entropy secrets do not have quotes (outside of yaml/ini files) #203
Labels
false negatives
help wanted
Indicates that we would like someone that’s not a maintainer to work on the issue.
triaged
The issue has been reviewed but has not been solved yet.
Comments
In the interest of transparency, I've only found 1 secret like this and it was in a file that did not have an extension and was autogenerated. I believe we do find high-entropy secrets without quotes in valid Yaml or ini files, as shown in |
KevinHock changed the title from "Investigate when valid high-entropy secrets do not have quotes" to "Investigate when valid high-entropy secrets do not have quotes (outside of yaml/ini files)" on Jul 10, 2019
killuazhu pushed a commit to IBM/detect-secrets that referenced this issue on May 28, 2020
killuazhu pushed a commit to IBM/detect-secrets that referenced this issue on Jul 9, 2020
killuazhu pushed a commit to IBM/detect-secrets that referenced this issue on Sep 17, 2020
Supports git-defenders/detect-secrets-discuss#190 DB2 Verification (Yelp#196) Supports git-defenders/detect-secrets-discuss#190 Use DB2 detector (Yelp#199) Supports git-defenders/detect-secrets-discuss#190 Refactor DB2 verification for calling externally (Yelp#203) Supports fixing bug [here](https://github.ibm.com/git-defenders/detect-secrets-stream/blob/master/detect_secrets_stream/validation/db2.py#L25) Catch DB2 hostname, port, database from connection url (Yelp#209) Supports git-defenders/detect-secrets-discuss#212 Timeout DB2 detector if it takes too long (Yelp#214)
lorenzodb1 added the pending label (The issue still needs to be reviewed by one of the maintainers.) and removed the accuracy label on Jun 13, 2022
lorenzodb1 added the help wanted label (Indicates that we would like someone that's not a maintainer to work on the issue.) and the selected label (The issue has been selected to be worked on.) and removed the pending label on May 9, 2024
This could be addressed by #697.
lorenzodb1 added the triaged label (The issue has been reviewed but has not been solved yet.) and removed the selected label on May 16, 2024
There is the very rare valid secret in the form of
or just
etc.
where there are no quotes. We currently require quotes for high-entropy secrets, which is a sensible thing IMO, since it is one of the noisier plugin classes already.
I am not saying it is worth the increase in false positives to catch these in general, simply that we should (a) add some documentation around it, and/or (b) investigate a more sophisticated approach than if we were to just remove the quote requirement altogether, if feasible, i.e. handle the special cases where we might come across it. 🤔
I'd love to hear about if anyone else has encountered a valid secret of this form, and what the secret was, so that we could discuss possible solutions.
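The trade-off the issue describes, as an added illustration that is not detect-secrets' own plugin code: a small high-entropy-string detector with three policies for unquoted values. Quoted tokens are always candidates, an unquoted `key: value` / `key=value` token is a candidate only in structured config files (the extension list is an assumption of this example), and a `relaxed` flag drops the quote requirement entirely, which is the noisier option the issue weighs. The 4.5 bits-per-character threshold, the `SAMPLE_LINES` inputs and the `aB3dE5...` token are all constructed for this example; the "generated" file with no extension reproduces the false negative the issue reports.

```python
import math
import re
from collections import Counter
from typing import Dict, List, Tuple

# Entropy gate for base64-like tokens, in bits per character (assumed value;
# tune it against your own corpus).
BASE64_LIMIT = 4.5

# Candidate token shape: base64 alphabet, at least 20 chars, optional padding.
_B64 = r"[A-Za-z0-9+/]{20,}={0,2}"
QUOTED = re.compile(r"""(["'])(%s)\1""" % _B64)
# Unquoted "key: value" or "key=value" line; only trusted in structured config files.
KEY_VALUE = re.compile(r"^\s*[\w.\-]+\s*[:=]\s*(%s)\s*$" % _B64)
# Any bare token anywhere on the line; used only in the relaxed (noisier) mode.
BARE = re.compile(_B64)

# Assumed set of "structured" config extensions for this example.
STRUCTURED_EXTENSIONS = (".yaml", ".yml", ".ini", ".cfg", ".properties")

# Constructed sample lines: (filename, line). Not taken from any real repository.
SAMPLE_LINES: List[Tuple[str, str]] = [
    ("settings.py", 'API_KEY = "aB3dE5fG7hI9jK1lM2nO4pQ6rS8tU0vW"'),   # quoted
    ("config.yaml", "api_key: aB3dE5fG7hI9jK1lM2nO4pQ6rS8tU0vW"),      # unquoted, yaml
    ("generated", "token=aB3dE5fG7hI9jK1lM2nO4pQ6rS8tU0vW"),           # unquoted, no extension
    ("notes.txt", "placeholder=abcabcabcabcabcabcabcabc"),             # unquoted, low entropy
]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_secrets(filename: str, line: str, relaxed: bool = False) -> List[str]:
    """Return the high-entropy tokens on `line` that the chosen policy lets us flag."""
    candidates = [m.group(2) for m in QUOTED.finditer(line)]
    if filename.endswith(STRUCTURED_EXTENSIONS):
        candidates += [m.group(1) for m in KEY_VALUE.finditer(line)]
    if relaxed:
        candidates += BARE.findall(line)
    # De-duplicate (a quoted token is also a bare token), then apply the entropy gate.
    seen, hits = set(), []
    for token in candidates:
        if token in seen:
            continue
        seen.add(token)
        if shannon_entropy(token) > BASE64_LIMIT:
            hits.append(token)
    return hits


def scan(relaxed: bool = False) -> Dict[str, List[str]]:
    """Run the detector over the constructed sample and map filename -> flagged tokens."""
    return {name: find_secrets(name, line, relaxed) for name, line in SAMPLE_LINES}


if __name__ == "__main__":
    for mode in (False, True):
        print("relaxed" if mode else "strict")
        for name, hits in scan(relaxed=mode).items():
            print(f"  {name:12s} {hits or '(nothing flagged)'}")
```

In strict mode the quoted Python assignment and the YAML key/value line are both flagged, while the identical token in the extension-less generated file is missed; the relaxed mode catches it, and the entropy gate still keeps the low-entropy `placeholder` value out, which is the only reason the relaxed mode is not pure noise.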