From 1fe9a6ee0fa4bc0f99422c969608fded9a3d0b70 Mon Sep 17 00:00:00 2001
From: Rachael Sewell
Date: Mon, 12 Aug 2024 17:08:48 -0700
Subject: [PATCH] add secret scanning footnote (#51951)

Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
Co-authored-by: Felicity Chapman
---
 .../supported-secret-scanning-patterns.md | 12 +++++++-----
 src/secret-scanning/data/public-docs-schema.js | 2 +-
 src/secret-scanning/middleware/secret-scanning.ts | 3 +++
 3 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md
index fe5552fc1f..ef71f6e4fd 100644
--- a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md
+++ b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md
@@ -44,12 +44,8 @@ This table lists the secrets supported by {% data variables.product.prodname_sec
 * Applies to private repositories where {% data variables.product.prodname_GH_advanced_security %} and {% data variables.product.prodname_secret_scanning %} are enabled.
 * Includes high confidence tokens, which relate to supported patterns and specified custom patterns, as well as non-provider tokens such as private keys, which often result in false positives.{% else %} Applies to private repositories where {% data variables.product.prodname_GH_advanced_security %} and {% data variables.product.prodname_secret_scanning %} enabled.{% endif %}{% endif %}
 * **Push protection**—token for which leaks are reported to users on {% data variables.product.prodname_dotcom %}. Applies to repositories with {% data variables.product.prodname_secret_scanning %} and push protection enabled.
- {% note %}
- **Note:** {% data reusables.secret-scanning.push-protection-older-tokens %} For more information about push protection limitations, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning#push-protection-and-pattern-versions)."
-
- {% endnote %}
-* **Validity check**—token for which a validity check is implemented. {% ifversion secret-scanning-validity-check-partner-patterns %}For partner tokens, {% data variables.product.prodname_dotcom %} sends the token to the relevant partner. Note that not all partners are based in the United States.
For more information, see "[{% data variables.product.prodname_advanced_security %}](/free-pro-team@latest/site-policy/github-terms/github-terms-for-additional-products-and-features#advanced-security)" in the Site Policy documentation.{% else %} {% ifversion ghes %}Currently only applies to {% data variables.product.prodname_dotcom %} tokens.{% endif %} {% ifversion fpt %}Currently only applies to {% data variables.product.prodname_dotcom %} tokens, and not shown in the table. For more information about validity check support see "[AUTOTITLE](/enterprise-cloud@latest/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)" in the {% data variables.product.prodname_ghe_cloud %} documentation.{% endif %}{% endif %}
+* **Validity check**—token for which a validity check is implemented. {% ifversion secret-scanning-validity-check-partner-patterns %}For partner tokens, {% data variables.product.prodname_dotcom %} sends the token to the relevant partner. Note that not all partners are based in the United States. For more information, see "[{% data variables.product.prodname_advanced_security %}](/free-pro-team@latest/site-policy/github-terms/github-terms-for-additional-products-and-features#advanced-security)" in the Site Policy documentation.{% else %} {% ifversion ghes %}Currently only applies to {% data variables.product.prodname_dotcom %} tokens.{% endif %} {% ifversion fpt %}Currently only applies to {% data variables.product.prodname_dotcom %} tokens, and not shown in the table. For more information about validity check support see "[AUTOTITLE](/enterprise-cloud@latest/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)" in the {% data variables.product.prodname_ghe_cloud %} documentation.{% endif %}{% endif %}
 {% ifversion secret-scanning-non-provider-patterns %}
@@ -107,6 +103,12 @@ This table lists the secrets supported by {% data variables.product.prodname_sec
 {% endif %}
+#### Token versions
+
+
+
+Service providers update the patterns used to generate tokens periodically and may support more than one version of a token. Push protection only supports the most recent token versions that {% data variables.product.prodname_secret_scanning %} can identify with confidence. This avoids push protection blocking commits unnecessarily when a result may be a false positive, which is more likely to happen with legacy tokens.
+
 ## Further reading
 * "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts)"
diff --git a/src/secret-scanning/data/public-docs-schema.js b/src/secret-scanning/data/public-docs-schema.js
index a1c7a14a49..f5f92ff720 100644
--- a/src/secret-scanning/data/public-docs-schema.js
+++ b/src/secret-scanning/data/public-docs-schema.js
@@ -69,7 +69,7 @@ export default {
 },
 isduplicate: {
 description:
- 'whether the token has more than one version, meaning there are more than one token descriptions with the same token key',
+ 'whether the token has more than one version, meaning there is more than one token description with the same token key',
 type: ['boolean'],
 },
 },
diff --git a/src/secret-scanning/middleware/secret-scanning.ts b/src/secret-scanning/middleware/secret-scanning.ts
index d98f1eacb3..95eef0f485 100644
--- a/src/secret-scanning/middleware/secret-scanning.ts
+++ b/src/secret-scanning/middleware/secret-scanning.ts
@@ -41,6 +41,9 @@ export default async function secretScanning(
 entry[key] = evaluated as string
 }
 }
+ if (entry.isduplicate) {
+ entry.secretType += '
Token versions' + } }) return next()