In my prior post, "Don't Leak 'em (your secrets)", I wrote about a defense-in-depth strategy for keeping secrets out of your repositories using tools to scan locally, scan on push at your Git provider, and scan post-push to catch secrets that your Git provider doesn't check for. In this post, I talk about custom secret patterns as a way to scan for secrets that are not covered by your Git provider scans, like GitHub's secret scanning.
Why custom secret support?
Whether you have your own proprietary secrets that your app uses, or you use secrets for an app or service that isn't supported by your Git provider's scanning support, you'll need to be able to configure custom patterns to scan for. Given the limited set of secrets supported by available scanners, you'll need support for custom secrets to be sure you're catching all of the secret types that you use.
Who has support for custom secrets?
- GitHub — GitHub has a great partnership program that provides support for detecting and optionally invalidating secrets, but you can't define your own custom secret patterns.
- Atomist — we provide custom secret support directly in the Secret Scanner skill configuration interface to make it easy to add and update custom patterns. Our Secret Scanner skill runs in the cloud, so you don't need to set up an environment to run it.
- Open source — scanning tools like truffleHog or git-secrets let you define custom secrets, or what git-secrets calls providers.
Scanning for custom secrets with Atomist
You specify the secret pattern that you would like to scan for as a regular expression when you configure the Secret Scanner skill.
To test your new custom secret pattern, make a push containing a sample key to a repository that the Secret Scanner is configured to scan (see Repository scope in the skill settings). If the Secret Scanner detects the pattern, you'll get a GitHub Check run annotation on that commit in GitHub, pointing at the file and line where the match was found.
You'll also find a log of the secret scan in the Atomist log.
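To make the workflow above concrete, here is an added example (written for this post, not code from Atomist's Secret Scanner skill) of what a custom-pattern scan does with the regular expressions you configure: it runs each named pattern over the files in a push, reports file, line and a redacted snippet the way a check-run annotation would, and includes a pre-flight check that a new pattern actually matches the sample key you intend to push. The pattern names, the fictional `acme_live_` key format and the sample files are all constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Custom patterns, keyed by a name that will appear in the finding. Both are
# constructed for this example: "acme-api-key" is a fictional key format
# (acme_live_ followed by 32 lowercase hex characters); the second catches a
# long token assigned to a variable whose name ends in secret/token/api_key.
CUSTOM_PATTERNS: Dict[str, re.Pattern] = {
    "acme-api-key": re.compile(r"\bacme_live_[0-9a-f]{32}\b"),
    "generic-assigned-token": re.compile(
        r"(?i)(secret|token|api[_-]?key)\s*[=:]\s*['\"]([A-Za-z0-9_\-]{20,})['\"]"
    ),
}


@dataclass
class Finding:
    pattern_name: str
    path: str
    line_no: int     # 1-based, the way a check-run annotation reports it
    redacted: str    # never keep or print the full secret in scan output


def redact(value: str, keep: int = 6) -> str:
    """Keep a short prefix so the finding is recognisable, mask the rest."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def scan_text(path: str, text: str,
              patterns: Dict[str, re.Pattern] = CUSTOM_PATTERNS) -> List[Finding]:
    """Scan one file's contents line by line against every configured pattern."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, regex in patterns.items():
            for match in regex.finditer(line):
                findings.append(Finding(name, path, line_no, redact(match.group(0))))
    return findings


def scan_files(files: Dict[str, str],
               patterns: Dict[str, re.Pattern] = CUSTOM_PATTERNS) -> List[Finding]:
    """Scan a mapping of path -> contents, e.g. the files touched by a push."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text, patterns))
    return findings


def pattern_catches_sample(name: str, sample_secret: str,
                           patterns: Dict[str, re.Pattern] = CUSTOM_PATTERNS) -> bool:
    """Pre-flight check before configuring a pattern: does it hit the sample key
    you plan to push in the test commit?"""
    return patterns[name].search(sample_secret) is not None


# Constructed sample push: one hit per pattern, plus benign text that mentions
# the key's variable name without a value (must not be flagged).
SAMPLE_PUSH: Dict[str, str] = {
    "config/settings.py": (
        "DEBUG = False\n"
        "ACME_KEY = 'acme_live_0123456789abcdef0123456789abcdef'\n"
        "DB_HOST = 'localhost'\n"
    ),
    "deploy/.env": 'SERVICE_TOKEN="tok-example-AAAAAAAAAAAAAAAAAAAAAAAA"\n',
    "README.md": "Set ACME_KEY to the value shown in the dashboard.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_PUSH):
        print(f"{f.path}:{f.line_no}: {f.pattern_name} -> {f.redacted}")
```

Two design points carry over to any pattern you configure for real: anchor the expression with word boundaries and an exact length where the key format allows it, so a prefix alone (or prose that merely names the variable) does not produce a finding, and make sure whatever records the finding stores a redacted form rather than the secret itself, otherwise the scan log becomes a second place the secret leaks.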
Up-level your scanning
Your own custom secrets are likely some of the most critical to protect. Start scanning for them with a simple regular expression pattern added to the Secret Scanner skill and get more peace of mind.