Add Secret validation #191

Open
3 tasks
yrachelevi opened this issue Nov 1, 2023 · 3 comments
yrachelevi commented Nov 1, 2023

As a user I would like to know if the secret found is valid or not so I would be able to prioritize and remediate accordingly.
Description:
Associate the following data with the secret found:

  1. Verification Status - if the secret could be checked, as it won't always be possible
  2. Secret validity result (if the secret has been found to be valid)

Secrets to add validation to:

  • AWS secrets
  • Azure secrets
  • Google Cloud Platform secrets
@yrachelevi yrachelevi added this to 2ms Nov 1, 2023
@yrachelevi yrachelevi converted this from a draft issue Nov 1, 2023
@baruchiro baruchiro self-assigned this Feb 12, 2024
@baruchiro baruchiro moved this from Todo to In Progress in 2ms Feb 13, 2024
@baruchiro
Contributor

Some of the secrets (such as GitHub) are stand-alone tokens, but some of them can be used only in combination (of Access Token and Secret Token, such as on AWS Console).

I need to think about how to validate those.

baruchiro pushed a commit that referenced this issue Feb 19, 2024
This PR is the first implementation of validity check #191.

I added the flow of validation, controlled by the `--validate` flag, and
added validation for GitHub token.
@baruchiro
Contributor

baruchiro commented Feb 28, 2024

@baruchiro baruchiro moved this from In Progress to Todo in 2ms Feb 29, 2024
@baruchiro baruchiro removed their assignment Feb 29, 2024
@baruchiro
Contributor

To validate gcp-api-key, I'm not sure what will be the complete process, but try this:

```bash
curl \
  'https://youtube.googleapis.com/youtube/v3/search?part=snippet&key=YOUR_GCP_KEY' \
  --header 'Accept: application/json' \
  --compressed
```

It may return a message like: "YouTube Data API v3 has not been used in project 123456 before or it is disabled", which means this key is related to a project.

baruchiro pushed a commit that referenced this issue Mar 28, 2024
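Added example, not part of the thread or of the 2ms code base: one way a scanner could turn the response to the probe suggested above into the verification status and validity result the issue asks for. The names `ClassifyGCPKeyResponse`, `Valid`, `Invalid` and `Unknown`, the error-envelope shape, the `API_KEY_INVALID` / `SERVICE_DISABLED` reason codes being present in the body, and treating "related to a project" as valid are all assumptions of this sketch; the sample body is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Validity values attached to a finding (hypothetical names, not 2ms's own).
const (
	Valid   = "valid"   // key accepted, or recognised as belonging to a project
	Invalid = "invalid" // Google rejected the key itself
	Unknown = "unknown" // this response cannot decide: verification not possible
)

// apiError is the assumed subset of Google's JSON error envelope.
type apiError struct {
	Error struct {
		Message string
		Details []struct{ Reason string }
	}
}

// ClassifyGCPKeyResponse maps the probe's HTTP status and body to a validity.
func ClassifyGCPKeyResponse(status int, body []byte) string {
	if status >= 200 && status < 300 {
		return Valid
	}
	var e apiError
	if json.Unmarshal(body, &e) != nil {
		return Unknown // non-JSON body: proxy page, outage, captive portal
	}
	signals := []string{e.Error.Message}
	for _, d := range e.Error.Details {
		signals = append(signals, d.Reason)
	}
	for _, s := range signals {
		switch {
		case s == "API_KEY_INVALID" || strings.Contains(s, "API key not valid"):
			return Invalid
		case s == "SERVICE_DISABLED" || strings.Contains(s, "has not been used in project"):
			return Valid // API disabled, but the key resolved to a project
		}
	}
	return Unknown // quota or restriction errors say nothing about the key
}

func main() { // constructed body carrying the message quoted in the thread
	body := `{"error":{"code":403,"message":"YouTube Data API v3 has not been used in project 123456 before or it is disabled."}}`
	fmt.Println(ClassifyGCPKeyResponse(403, []byte(body))) // valid
}
```

Returning `Unknown` for anything that is not a clear accept or reject keeps rate limits and network failures from being reported as an invalid secret.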