[secret scanning] handling of user exposing their own secrets in comments #129874
Unanswered
MichaIng
asked this question in
Code Security
Replies: 0 comments
Topic Area: Product Feedback
Body
We recently enabled secret scanning alerts for one of our repos, and it did find a case where an external user accidentally exposed his Telegram token by pasting some raw output from his console.
I find this incredibly helpful, as I could edit the comment to mask this sensitive info; however, I would love to be able to inform this user about it. But he does not have a public email, and I do not want to make others aware of it by pinging him publicly in the related issue. Even though not everyone can see the comment edit history, I hesitate to make even just other repository/org members aware of it unnecessarily.
While it is not an exposure in our code or of our secrets, a bot of course cannot know this for sure, and I do find it valuable as well when it is about our users, or anyone, exposing any secret in our repository. But the following would be helpful to take more benefit from it: