From 066e2e453dc9aaf735b1f7c5d1143146cb4fea3e Mon Sep 17 00:00:00 2001 From: marz Date: Tue, 23 Jan 2024 05:28:41 -0500 Subject: [PATCH] Update secret-scanning-partner-program example payload (#48727) Co-authored-by: Anne-Marie <102995847+am-stead@users.noreply.github.com> --- .../secret-scanning-partner-program.md | 30 +++++-------------- 1 file changed, 8 insertions(+), 22 deletions(-) diff --git a/content/code-security/secret-scanning/secret-scanning-partner-program.md b/content/code-security/secret-scanning/secret-scanning-partner-program.md index 8bf5935b89..6fe877465b 100644 --- a/content/code-security/secret-scanning/secret-scanning-partner-program.md +++ b/content/code-security/secret-scanning/secret-scanning-partner-program.md @@ -103,12 +103,12 @@ to validate the messages you receive are genuinely from {% data variables.produc The two HTTP headers to look for are: -- `GITHUB-PUBLIC-KEY-IDENTIFIER`: Which `key_identifier` to use from our API -- `GITHUB-PUBLIC-KEY-SIGNATURE`: Signature of the payload +- `Github-Public-Key-Identifier`: Which `key_identifier` to use from our API +- `Github-Public-Key-Signature`: Signature of the payload You can retrieve the {% data variables.product.prodname_dotcom %} secret scanning public key from https://api.github.com/meta/public_keys/secret_scanning and validate the message using the `ECDSA-NIST-P256V1-SHA256` algorithm. The endpoint will provide several `key_identifier` and public keys. You can determine which public -key to use based on the value of `GITHUB-PUBLIC-KEY-IDENTIFIER`. +key to use based on the value of `Github-Public-Key-Identifier`. {% note %} 
@@ -128,28 +128,14 @@ key to use based on the value of `GITHUB-PUBLIC-KEY-IDENTIFIER`. POST / HTTP/2 Host: HOST Accept: */* -content-type: application/json -GITHUB-PUBLIC-KEY-IDENTIFIER: f9525bf080f75b3506ca1ead061add62b8633a346606dc5fe544e29231c6ee0d -GITHUB-PUBLIC-KEY-SIGNATURE: MEUCIFLZzeK++IhS+y276SRk2Pe5LfDrfvTXu6iwKKcFGCrvAiEAhHN2kDOhy2I6eGkOFmxNkOJ+L2y8oQ9A2T9GGJo6WJY= -Content-Length: 83 +Content-Length: 104 +Content-Type: application/json +Github-Public-Key-Identifier: bcb53661c06b4728e59d897fb6165d5c9cda0fd9cdf9d09ead458168deb7518c +Github-Public-Key-Signature: MEQCIQDaMKqrGnE27S0kgMrEK0eYBmyG0LeZismAEz/BgZyt7AIfXt9fErtRS4XaeSt/AO1RtBY66YcAdjxji410VQV4xg== -[{"token":"some_token","type":"some_type","url":"some_url","source":"some_source"}] +[{"source":"commit","token":"some_token","type":"some_type","url":"https://example.com/base-repo-url/"}] ``` -{% note %} - -**Note**: The key id and signature from the example payload is derived from a test key. -The public key for them is: - -```shell ------BEGIN PUBLIC KEY----- -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEsz9ugWDj5jK5ELBK42ynytbo38gP -HzZFI03Exwz8Lh/tCfL3YxwMdLjB+bMznsanlhK0RwcGP3IDb34kQDIo3Q== ------END PUBLIC KEY----- -``` - -{% endnote %} - The following code snippets demonstrate how you could perform signature validation. The code examples assume you've set an environment variable called `GITHUB_PRODUCTION_TOKEN` with a generated [{% data variables.product.pat_generic %}](https://github.com/settings/tokens) to avoid hitting rate limits. The {% data variables.product.pat_generic %} does not need any scopes/permissions.
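Review bot: the rename from `GITHUB-PUBLIC-KEY-IDENTIFIER` to `Github-Public-Key-Identifier` in the first hunk (and the matching change in the example request) should come with one sentence saying that HTTP field names are case-insensitive and must be matched case-insensitively, because partners implementing the check from this page may compare against the literal spelling. The example is labelled `POST / HTTP/2`, and on the wire HTTP/2 carries field names in lowercase, so the title-case form is a display convention rather than what a raw-bytes parser will see. Suggested addition after the bullet list: "Header names are case-insensitive; look them up case-insensitively rather than matching the spelling shown here."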
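Review bot: removing the "derived from a test key" note in the second hunk leaves the new `Github-Public-Key-Identifier` (`bcb53661…`) and `Github-Public-Key-Signature` unexplained, so a reader cannot tell whether the example can be verified against a key served by `https://api.github.com/meta/public_keys/secret_scanning` or is a synthetic pair that will fail verification. Either state that this identifier resolves at that endpoint, or keep a short note with the corresponding public key so the sample stays a reproducible fixture for the validation snippets that follow. It is also worth one sentence near the example stating that the signature is computed over the request body bytes exactly as received (the 104 bytes counted by `Content-Length`), not over re-serialized JSON, since the field order shown here (`source` before `token`) is not something a JSON library will reproduce after a parse-and-dump round trip.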