Comment by lorenzleutgeb
3 months ago
> I keep thinking about people putting secrets up in github.
You gave me an idea. For Radicle, we implemented a `git-remote-helper` (Git recognizes `rad://`-URIs and then wakes up the helper to handle the rest). This helper could well look at the blobs being pushed and detect secrets. Then error out and request a retry with `--force` if the user is sure.
To implement something like this, we'd not want to reinvent the wheel, so we'd want to consume some description of patterns that we should look for. And obviously we're not going to ask GitHub or some web server.
So, is there such a library? In a format that is simple-ish to implement filtering for but also catches a good amount of secrets?
There's https://github.com/gitleaks/gitleaks
and https://github.com/mongodb/kingfisher
As Radicle is written in Rust, I was hoping for a way to use Kingfisher as a library, but did not find one. So I filed https://github.com/mongodb/kingfisher/issues/189
Of course, it'd always be possible to invoke some binary. But I am still curious about a library.
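The scanning step described above, as an added example that is not Radicle's or Kingfisher's code: a Python sketch that consumes gitleaks-style rules (id, regex, keywords, secret group, entropy threshold) plus an allowlist, scans the blobs of a push and returns redacted findings. The rules and blobs here are constructed stand-ins, not gitleaks' real rule set, and `push_decision` is a hypothetical name for the helper's refuse-unless-`--force` step.

```python
import math
import re

# Constructed rules in the shape of gitleaks' TOML [[rules]] entries
# (id, regex, keywords, secretGroup, entropy); NOT gitleaks' real rule set.
RULES = [
    {"id": "aws-access-key-id", "regex": r"\bAKIA[0-9A-Z]{16}\b",
     "keywords": ["akia"], "secret_group": 0, "entropy": 0.0},
    {"id": "generic-api-key",
     "regex": r"(?i)\b(api[_-]?key|secret|token)\b\s*[:=]\s*[\"']?([A-Za-z0-9_\-]{16,})",
     "keywords": ["api_key", "apikey", "secret", "token"], "secret_group": 2, "entropy": 3.5},
]
# Global allowlist, like gitleaks' [allowlist] regexes: obvious placeholders are not findings.
ALLOWLIST = re.compile(r"(?i)example|placeholder")

def shannon_entropy(s):
    """Shannon entropy in bits per character; low values mean repeated/filler text."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def redact(secret):
    """Never echo the full secret back in the helper's error message."""
    return secret[:4] + "*" * (len(secret) - 4)

def scan_blob(path, data, rules=RULES):
    """Return (path, line, rule id, redacted secret) for every hit in one blob."""
    findings = []
    lowered = data.lower()
    for rule in rules:
        # Cheap keyword prefilter before running the regex, as gitleaks does.
        if not any(k in lowered for k in rule["keywords"]):
            continue
        for m in re.finditer(rule["regex"], data):
            if ALLOWLIST.search(m.group(0)):
                continue
            secret = m.group(rule["secret_group"])
            if shannon_entropy(secret) < rule["entropy"]:
                continue
            line = data.count("\n", 0, m.start()) + 1
            findings.append((path, line, rule["id"], redact(secret)))
    return findings

def push_decision(blobs, force=False):
    """Hypothetical helper step: refuse the push on findings unless retried with --force."""
    findings = [f for path, data in blobs.items() for f in scan_blob(path, data)]
    return (not findings or force), findings

# Constructed blobs standing in for what the remote helper would see on push.
BLOBS = {
    "config.ini": 'aws_access_key_id = AKIAABCDEFGHIJKLMNOP\napi_key = "aaaaaaaaaaaaaaaaaaaa"\n',
    "app.py": 'token = "x9Qm3pLz7Vk2Tr8WbN4y"\nsecret = "PLACEHOLDER_VALUE_xxxxxx"\n',
}
```

The low-entropy `api_key` line and the `PLACEHOLDER` line are deliberately not reported, which is the kind of noise a push-time check has to suppress to stay usable.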
The simplest way to use kingfisher is a global pre-commit hook. Works with any git repo. rad could suggest installing this as part of privacy hygiene.
Yes, several well established secret scanners exist. Integrating one into radicle as a first class citizen is an awesome idea.