
Merge pull request #31227 from github/repo-sync

Repo sync
docs-bot
2024-01-23 02:57:12 -08:00
committed by GitHub


@@ -103,12 +103,12 @@ to validate the messages you receive are genuinely from {% data variables.produc
The two HTTP headers to look for are:
- `GITHUB-PUBLIC-KEY-IDENTIFIER`: Which `key_identifier` to use from our API
- `GITHUB-PUBLIC-KEY-SIGNATURE`: Signature of the payload
- `Github-Public-Key-Identifier`: Which `key_identifier` to use from our API
- `Github-Public-Key-Signature`: Signature of the payload
You can retrieve the {% data variables.product.prodname_dotcom %} secret scanning public key from https://api.github.com/meta/public_keys/secret_scanning and validate the message using the `ECDSA-NIST-P256V1-SHA256` algorithm. The endpoint
will provide several `key_identifier` and public keys. You can determine which public
key to use based on the value of `GITHUB-PUBLIC-KEY-IDENTIFIER`.
key to use based on the value of `Github-Public-Key-Identifier`.
{% note %}
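Review bot: the change from `GITHUB-PUBLIC-KEY-IDENTIFIER` / `GITHUB-PUBLIC-KEY-SIGNATURE` to `Github-Public-Key-Identifier` / `Github-Public-Key-Signature` alters only letter case, and HTTP header names are case-insensitive, so the sentence "The two HTTP headers to look for are:" should say that readers must look the headers up case-insensitively; an implementation doing an exact string match on the old uppercase spelling would silently stop finding them once a proxy or framework normalises the case. The line "You can determine which public key to use based on the value of `Github-Public-Key-Identifier`" would also benefit from one added clause: an identifier that does not match any `key_identifier` returned by https://api.github.com/meta/public_keys/secret_scanning must be treated as a verification failure, not as a cue to try the other keys.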
@@ -128,28 +128,14 @@ key to use based on the value of `GITHUB-PUBLIC-KEY-IDENTIFIER`.
POST / HTTP/2
Host: HOST
Accept: */*
content-type: application/json
GITHUB-PUBLIC-KEY-IDENTIFIER: f9525bf080f75b3506ca1ead061add62b8633a346606dc5fe544e29231c6ee0d
GITHUB-PUBLIC-KEY-SIGNATURE: MEUCIFLZzeK++IhS+y276SRk2Pe5LfDrfvTXu6iwKKcFGCrvAiEAhHN2kDOhy2I6eGkOFmxNkOJ+L2y8oQ9A2T9GGJo6WJY=
Content-Length: 83
Content-Length: 104
Content-Type: application/json
Github-Public-Key-Identifier: bcb53661c06b4728e59d897fb6165d5c9cda0fd9cdf9d09ead458168deb7518c
Github-Public-Key-Signature: MEQCIQDaMKqrGnE27S0kgMrEK0eYBmyG0LeZismAEz/BgZyt7AIfXt9fErtRS4XaeSt/AO1RtBY66YcAdjxji410VQV4xg==
[{"token":"some_token","type":"some_type","url":"some_url","source":"some_source"}]
[{"source":"commit","token":"some_token","type":"some_type","url":"https://example.com/base-repo-url/"}]
```
{% note %}
**Note**: The key id and signature from the example payload is derived from a test key.
The public key for them is:
```shell
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEsz9ugWDj5jK5ELBK42ynytbo38gP
HzZFI03Exwz8Lh/tCfL3YxwMdLjB+bMznsanlhK0RwcGP3IDb34kQDIo3Q==
-----END PUBLIC KEY-----
```
{% endnote %}
The following code snippets demonstrate how you could perform signature validation.
The code examples assume you've set an environment variable called `GITHUB_PRODUCTION_TOKEN` with a generated [{% data variables.product.pat_generic %}](https://github.com/settings/tokens) to avoid hitting rate limits. The {% data variables.product.pat_generic %} does not need any scopes/permissions.
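Review bot: the new body `[{"source":"commit","token":"some_token","type":"some_type","url":"https://example.com/base-repo-url/"}]` reorders the keys relative to the old one and `Content-Length: 104` matches it byte for byte, which makes this a good place for the text around "The following code snippets demonstrate how you could perform signature validation." to state explicitly that `Github-Public-Key-Signature` is verified over the raw request body exactly as received, before any JSON parsing; a receiver that parses and re-serialises the payload will get a different byte sequence and a spurious verification failure. Two smaller points in the same hunk: the note line "The key id and signature from the example payload is derived from a test key." should read "are derived", and the PEM public key is fenced as ```shell although it is key material rather than a command, so a plain fence or a `text` tag would be more accurate.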