Developers often tends to embed the sensitive information like apikeys,passwords and push it to the code-base When the attacker able to get access to the sensitive information they can use these credentials and abuse the application
To prevent the secret pushed into the code base we are going to use the tool called truffleHog which scans the repository for sensitive information like passwords,API keys
Note The above technique I am using is only to able to scan for the secrets in the source-control after it is pushed Ideally you should have precommit hooks inorder to prevent the code being commit
TruffleHog is the python based tool used to scan the repositories the sensitive information
name: secret-scanning on: push: jobs: checkout-repo: runs-on: ubuntu-latest steps: - name: Checkout 🛎️ uses: actions/checkout@v2 - name : Installing secret-scanning tool run : | pip3 install truffleHog truffleHog --regex --entropy=False .