GitSecure: Detect exposed API keys on GitHub commits
GitSecure is a GitHub action that can be used to alert security teams of any exposed API keys for push and pull requests. When files are added or modified on a GitHub repo, this action will be initiated and will start looking for exposed credentials in the system. After finding a token, it will alert the team via Slack Webhooks.
Setup of DataSecure is easy and requires not much of a hassle.
- Create a Slack Webhook
You can create a Slack Webhook by going to https://api.slack.com and making an app. When creating the app, select it to be an incoming webhook, and install the webhook to the channel where you want to receive the alerts.
After installing the webhook, copy the URL that Slack provides. You only need to copy the content after https://hooks.slack.com/services/.
- Setup Secrets
GitHub action use secrets to prevent disclosure of sensitive information. Go to your repository settings and click on Secrets. There create a secret and for the value paste the webhook portion copied above.
- Setting up action
To set up the action, next to Pull Requests click on Actions. In the setup click Setup a Workflow Yourself. Paste the following yaml description:
Change the slack_webhook to the name of the secret, you created in your settings.