Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Automated Scanning of Pull Requests for API Keys
As part of the ongoing effort to secure TuneIn's GitHub repos to prevent another occurrence similar to what happened with CodeCov, we will be implementing a scan that runs on PRs opened to the primary branch of each repo. The code for the PR will be checked out and the cli tool
gitleaks
will be run against it. If there are findings, the failed check will show on the "Conversation" tab of the PR. In order for all checks against an open PR to succeed, the PR must not contain sensitive keys.What do I do if my PR check fails?
If you have mistakenly checked in a secret to git as part of your PR, you should remove it promptly.
The force push is essential to ensure that the secret is not only removed from the most recent commit but from the history as well. After performing this sequence of steps, the automated scan on your PR will pass.
Help! The scan says I have checked in secrets but it's a false positive.
Every repo's scanning rules are customizable. Refer to the Custom Rules section below for en explanation of the syntax to add the path containing a false positive to the
allowlist
. Exercise caution when findings are added to theallowlist
to ensure that the findings are not genuine. Entries in theallowlist
will not appear on subsequent scans.What about tokens that my team regularly works with that are not picked up by the default scan rules?
You can add custom rules to your config that meet the needs of your team. Rules are picked up by scanning files with a list of regular expressions. Write a regex for the types of tokens that your app interacts with and add it to your custom config file.
Custom Rules
Custom rules for your repo should live in the file
.github/gitleaks.toml
. See examples below for some available customizations or, refer to the documentation forgitleaks
for more complete examples.Adding a path to the
allowlist
Adding a custom rule
Alternatives to Secrets in Git
If your team is already using a strategy to prevent checking secrets into source control, continue to utilize that going forward. If you are in search of a solution, the strategies below are being utilized in teams at TuneIn already. Reach out to #devops if you need assistance with getting one of these solutions in place.