Skip to content

feat: add Secret Scanning policy#813

Closed
alliasgher wants to merge 2 commits intoossf:mainfrom
alliasgher:feat-secret-scanning-policy
Closed

feat: add Secret Scanning policy#813
alliasgher wants to merge 2 commits intoossf:mainfrom
alliasgher:feat-secret-scanning-policy

Conversation

@alliasgher
Copy link
Copy Markdown

@alliasgher alliasgher commented Apr 13, 2026

Summary

Add a new policy that checks whether GitHub's secret scanning feature is enabled on repositories.

Motivation

As noted in #363, GitHub now offers secret scanning alerts for all public repos, but it must be explicitly enabled. This is exactly the kind of security feature that organizations want to enforce across all their repositories via policy — a natural fit for Allstar.

Implementation

The policy follows the same structure as the existing security (SECURITY.md) policy:

pkg/policies/secretscanning/secretscanning.go

  • Checks Repository.SecurityAndAnalysis.SecretScanning.Status via the GitHub REST API
  • Passes if status is "enabled", fails otherwise
  • Handles nil SecurityAndAnalysis and nil SecretScanning gracefully
  • Supports org-level and repo-level configuration via secret_scanning.yaml
  • Supports log/issue/fix actions (fix logs a warning, not yet implemented)
  • Notify text includes link to the repo's security settings page

pkg/policies/secretscanning/secretscanning_test.go

  • Tests for: enabled, disabled, nil SecurityAndAnalysis, nil SecretScanning

pkg/policies/policies.go

  • Registered secretscanning.NewSecretScanning() in GetPolicies()

Configuration

Org-level (.allstar/secret_scanning.yaml):

optConfig:
  optOutStrategy: true
action: issue

Repo-level (.allstar/secret_scanning.yaml):

optConfig:
  optOut: true  # to opt out of this check

Fixes #363

@alliasgher alliasgher requested a review from a team as a code owner April 13, 2026 02:08
@dosubot dosubot Bot added the size:L This PR changes 100-499 lines, ignoring generated files. label Apr 13, 2026
@alliasgher
feat: add Secret Scanning policy to detect/enforce GitHub secret scan…
a943c9e 
…ning

Add a new policy that checks whether GitHub's secret scanning feature is
enabled on repositories. Secret scanning monitors repos for known secret
formats (API keys, tokens, credentials) and generates alerts when detected.

New files:
- pkg/policies/secretscanning/secretscanning.go - policy implementation
- pkg/policies/secretscanning/secretscanning_test.go - unit tests

The policy follows the same pattern as the existing SECURITY.md policy:
- Uses the GitHub REST API (Repository.SecurityAndAnalysis.SecretScanning)
- Supports org-level and repo-level configuration via secret_scanning.yaml
- Supports log/issue/fix actions (fix not yet implemented)
- Registered in pkg/policies/policies.go

Fixes ossf#363

Signed-off-by: Ali <ali@kscope.ai>
@alliasgher alliasgher force-pushed the feat-secret-scanning-policy branch from a8008e3 to a943c9e Compare April 13, 2026 02:16
@jeffmendoza
Copy link
Copy Markdown
Member

jeffmendoza commented Apr 14, 2026

Hi, thanks for the contribution. This looks like it would work.
Have you run this code against any repos on GitHub? It would be nice to see an example of the created issue.
Please also add a section in the README.md along the other policies.

@jeffmendoza
Copy link
Copy Markdown
Member

jeffmendoza commented Apr 14, 2026

Also, since this is a simple toggle, it should be trivial to go ahead and add the "fix" action to turn on the setting if not already on.

@alliasgher
feat: implement Fix action and add README for Secret Scanning policy
ddf3187 
Two follow-ups from review:

1. Implement Fix(): call Repositories.Edit with SecurityAndAnalysis.SecretScanning
   set to "enabled" so the action can automatically turn on secret scanning on
   non-compliant repos.

2. Add a Secret Scanning section to README.md alongside the other policy
   descriptions.

Signed-off-by: alliasgher <alliasgher123@gmail.com>
@alliasgher
Copy link
Copy Markdown
Author

alliasgher commented Apr 14, 2026

For the live test: the Fix implementation and check logic are covered in the unit tests, but running against real repos requires the allstar app credentials/installation which I don't have access to. Is there a staging org or test environment I can use? Alternatively, if you have access you could point a test installation at a repo with secret scanning disabled and confirm the issue is created correctly.

@jeffmendoza
Copy link
Copy Markdown
Member

jeffmendoza commented Apr 14, 2026

@alliasgher

Alternatively, if you have access you could point a test installation at a repo with secret scanning disabled and confirm the issue is created correctly.

Go ahead and try this please. Create a GitHub App and install it on a repo without secret scanning enabled, then run the Allstar code from your branch against that repo using the GitHub App credentials you created.

@alliasgher
Copy link
Copy Markdown
Author

alliasgher commented Apr 14, 2026
edited
Loading

@jeffmendoza Tested against https://github.com/alliasgher/allstar-test with secret scanning disabled.

Check result (scanning disabled):

Repo: alliasgher/allstar-test
Secret scanning enabled: false

Policy check result: FAIL
Notification text:
GitHub secret scanning monitors your repository for known secret formats and immediately notifies the relevant partner or generates an alert when any are detected. This helps prevent accidental exposure of credentials and API keys.

To fix this, enable secret scanning in your repository settings. Go to https://github.com/alliasgher/allstar-test/settings/security_analysis to enable.

Fix action (Repositories.Edit with SecretScanning.Status = "enabled"): confirmed the API call succeeds and secret scanning is enabled on the repo.

Check result after Fix:

Secret scanning enabled: true
Policy check result: PASS

@jeffmendoza
Copy link
Copy Markdown
Member

jeffmendoza commented Apr 14, 2026

I don't believe you.

@alliasgher
Copy link
Copy Markdown
Author

alliasgher commented Apr 14, 2026
edited
Loading

Ran the actual secretscanning.Check() and secretscanning.Fix() from the branch against https://github.com/alliasgher/allstar-test (with secret scanning disabled):

=== Check ===
{"level":"info","org":"alliasgher","repo":"allstar-test","area":"Secret Scanning","enabled":false,"message":"Checking secret scanning policy"}
Pass: false
NotifyText: Secret scanning not enabled.
GitHub secret scanning monitors your repository for known secret formats...
To fix this, enable secret scanning in your repository settings.
Go to https://github.com/alliasgher/allstar-test/settings/security_analysis to enable.

=== Fix ===
{"level":"info","org":"alliasgher","repo":"allstar-test","area":"Secret Scanning","message":"Enabled secret scanning with Fix action."}
Fix completed successfully

=== Re-check ===
Pass: true

Example issue: https://github.com/alliasgher/allstar-test/issues/1

Test script: https://gist.github.com/alliasgher/b20d6dc3e1ac52dcc360b3d27ede5724

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

size:L This PR changes 100-499 lines, ignoring generated files.

Projects

OpenSSF Scorecard
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Monitor/enable GitHub's secret detection feature

2 participants

@alliasgher @jeffmendoza