In my prior post, "Don't Leak 'em (your secrets)", I wrote about a defense-in-depth strategy for keeping secrets out of your repositories using tools to scan locally, scan on push at your Git provider, and scan post-push to catch secrets that your Git provider doesn't check for. In this post, I talk about custom secret patterns as a way to scan for secrets that are not covered by your Git provider scans, like GitHub's secret scanning.

Why custom secret support?

Whether your app uses its own proprietary secrets, or you use secrets for an app or service that your Git provider's scanning doesn't support, you need a way to configure custom patterns to scan for. Given the limited set of secret types that the available scanners support out of the box, custom secret support is the only way to be sure you're catching every secret type you actually use.

Who has support for custom secrets?

  • GitHub — GitHub has a great partnership program that provides support for detecting and optionally invalidating secrets, but you can't define your own custom secret patterns.
  • Atomist — we provide custom secret support directly in the Secret Scanner skill configuration interface to make it easy to add and update custom patterns. Our Secret Scanner skill runs in the cloud, so you don't need to set up an environment to run it.
  • Open source — scanning tools like truffleHog or git-secrets let you define custom secrets, or what git-secrets calls providers.

Scanning for custom secrets with Atomist

You specify the secret pattern that you would like to scan for as a regular expression when you configure the Secret Scanner skill.

Define secret pattern

To test your new custom secret pattern scan, make a push containing a sample key to a repository that the Secret Scanner is configured to scan (see Repository scope in the skill settings). If the Secret Scanner detects the pattern, you'll get a GitHub Check run annotation like this on the commit in GitHub:
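To show what a custom pattern does before you wire it into a skill, here is an added example (my own illustration, not Atomist's Secret Scanner code or its configuration format) of a minimal push-time scanner: it takes named regular expressions, walks the added lines of a unified diff, and reports where each pattern matched with the secret redacted. The pattern names, the `acme_live_…` key format, the database URL and the diff are all constructed for the example; the skill itself only needs the regular expression.

```python
import re
from dataclasses import dataclass

# Constructed custom patterns for the example (hypothetical key formats,
# not any real service). The skill needs only the regular expression.
CUSTOM_PATTERNS = {
    "acme-api-key": re.compile(r"\bacme_(?:live|test)_[A-Za-z0-9]{32}\b"),
    "internal-db-url": re.compile(r"postgres://[^:\s]+:[^@\s]+@[^\s/]+/\w+"),
}

# Constructed unified diff: one added line leaks an API key, one leaks a
# database password; the removed line must NOT be reported.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,4 @@
 TIMEOUT = 30
-ACME_KEY = os.environ["ACME_KEY"]
+ACME_KEY = "acme_live_Ab3dE5fG7hI9jK1lM3nO5pQ7rS9tU1vW"  # TODO remove
+DB_URL = "postgres://app:hunter2@db.internal/orders"
 LOG_LEVEL = "info"
"""


@dataclass(frozen=True)
class Finding:
    pattern: str   # name of the custom pattern that matched
    path: str      # file path in the new version of the diff
    line: int      # line number in the new version of the file
    redacted: str  # matched text with everything but a short prefix masked


def redact(secret: str, keep: int = 4) -> str:
    """Keep only a short prefix so the report itself never re-leaks the secret."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)


def scan_diff(diff: str, patterns=CUSTOM_PATTERNS) -> list[Finding]:
    """Scan only the added lines of a unified diff, which is what a push-time
    scanner sees. Removed and context lines are not new leaks, so they are
    skipped, but context lines still advance the new-file line counter."""
    findings: list[Finding] = []
    path = "<unknown>"
    new_line = 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):           # new-file header, e.g. "+++ b/config/settings.py"
            path = raw[4:].removeprefix("b/")
            continue
        if raw.startswith("--- "):           # old-file header, nothing to scan
            continue
        hunk = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@", raw)
        if hunk:                              # hunk header gives the new-file start line
            new_line = int(hunk.group(1))
            continue
        if raw.startswith("-"):              # removed line: not a new leak
            continue
        if raw.startswith("+"):              # added line: apply every custom pattern
            text = raw[1:]
            for name, rx in patterns.items():
                for hit in rx.finditer(text):
                    findings.append(Finding(name, path, new_line, redact(hit.group(0))))
        new_line += 1                        # context (" ") and added ("+") lines both count
    return findings


if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f.pattern}: {f.path}:{f.line} -> {f.redacted}")
```

Running it reports the key on line 11 and the database URL on line 12 of `config/settings.py`, and nothing for the removed line. The same two habits carry over to the skill configuration: anchor patterns with a fixed prefix and a known length (the `\b` and `{32}` above) so ordinary identifiers don't trip them, and keep a known sample key around so you can re-test the pattern, as the push described above does, whenever you change it.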

GitHub Check Run failure

You'll also find a log of the secret scan in the Atomist log.

Secret scan log

If you have the Slack or Microsoft Teams integration set up, you can get notifications as direct messages to you when you push a commit that matches a secret scan.

Slack direct message with secret detected alert

Up-level your scanning

Your own custom secrets are likely some of the most critical to protect. Start scanning for them with a simple regular expression pattern added to the Secret Scanner skill and get more peace of mind.

If you have questions or suggestions, let me know in our Atomist community Slack or @jryanday.