Code Security should check for content #201153
Replies: 5 comments
-
|
💬 Your Product Feedback Has Been Submitted 🎉 Thank you for taking the time to share your insights with us! Your feedback is invaluable as we build a better GitHub experience for all our users. Here's what you can expect moving forward ⏩
Where to look to see what's shipping 👀
What you can do in the meantime 💻
As a member of the GitHub community, your participation is essential. While we can't promise that every suggestion will be implemented, we want to emphasize that your feedback is instrumental in guiding our decisions and priorities. Thank you once again for your contribution to making GitHub even better! We're grateful for your ongoing support and collaboration in shaping the future of our platform. ⭐ |
Beta Was this translation helpful? Give feedback.
-
|
This is a false positive. Secret scanning is likely matching the private key pattern and not checking whether the value contains a real key. If the example is only placeholder text, it would be useful if the scanner could better distinguish templates from actual secrets or allow an easy way to mark safe examples. |
Beta Was this translation helpful? Give feedback.
-
|
See, Secret Scanning is very aggressive; it just runs a regex looking for the exact Try these, they work:
For the alert that is already stuck in your repository, just go to the Security tab and dismiss it as "Used in tests" or a "False Positive." GitHub actually uses those manual dismissals to train their scanner to be less trigger-happy with templates. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
🏷️ Discussion Type
Bug
💬 Feature/Topic Area
Secret scanning
Discussion Details
It flagged the line:
The key has no content; it is the example of the content that the variable should contain, but it has no actual key in it.
Beta Was this translation helpful? Give feedback.
All reactions