How to define custom patterns for secret scanning #7

Open
carmal891 opened this issue Apr 21, 2024 · 3 comments
Labels
question Further information is requested

Comments

carmal891 commented Apr 21, 2024

The official Github secret scanning documentation mentions defining custom patterns for secret scanning :

https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning

Can we enable the same feature using the secret-scanning-review-action ?

carmal891 changed the title from "How to enable custom pattern" to "How to define custom patterns for secret scanning" on Apr 21, 2024
@felickz
Collaborator

felickz commented Apr 22, 2024

My sample from the ReadMe is actually using a custom pattern

[screenshot: custom pattern definition in the repository security settings]

RSA Private Key :)

[screenshot: published custom pattern]

Once you dry run, publish the pattern and it will be available here! It would be best to further enable the pattern for push protection so it should only show up in the secret-scanning-review-action when it is bypassed!

felickz added the label "question: Further information is requested" on Apr 22, 2024
@carmal891
Author

Thank you for the prompt response. However, my question was whether it is possible to keep the pattern as code rather than utilize the repo UI console. For example, like a .patterns file, and then pass it to the action attributes:

```yaml
Secret-Scanning-Job:
  needs: initial-setup-job
  runs-on: ubuntu-latest
  steps:
    - name: Secret Scanning Review Action
      uses: advanced-security/secret-scanning-review-action@v0
      with:
        token: ${{ secrets.SECRET_SCAN_REVIEW_GITHUB_TOKEN }}
        fail-on-alert: true
        fail-on-alert-exclude-closed: false
        # proposed input for a patterns-as-code file; not an existing action input
        patterns-path: .patterns
```

Is something like this feasible ?

@felickz
Collaborator

felickz commented Apr 23, 2024

That would be an amazing update to the product to support patterns as code. I would suggest you drop that feedback to the product team in the community forum: https://github.com/orgs/community/discussions/categories/code-security. The only customization as code today is a paths ignore via secret-scanning.yml.

Unfortunately, it would be a bit out of scope for this project as we are just pulling the secret alerts from the back end. The one area this got me thinking is that it might help out some to provide an ignore list of secrets, if some alerts are maybe even too noisy to show on a PR but might be rolled out via a custom pattern.
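What "patterns as code" could look like as a local pre-merge check, added here as an example (not code from this issue or from the secret-scanning-review-action): a constructed pattern file in the spirit of the `.patterns` proposal, a paths-ignore list modelled on the `.github/secret_scanning.yml` idea, and a per-pattern suppression set for the noisy-alert case raised above. All pattern names, the `acme_` token shape and the file paths are constructed.

```python
import fnmatch
import re

# Constructed "patterns as code" file in the spirit of the .patterns file
# proposed above (hypothetical format; the action has no such input).
PATTERNS = {
    "rsa-private-key": r"-----BEGIN RSA PRIVATE KEY-----",
    "acme-api-token": r"\bacme_[A-Za-z0-9]{32}\b",  # constructed token shape
}

# Same idea as paths-ignore in .github/secret_scanning.yml (glob patterns).
# Keep it narrow: a real secret committed under an ignored path is hidden too.
PATHS_IGNORE = ["tests/fixtures/**", "docs/**"]

# Constructed repository contents (path -> file text); nothing here is real.
SAMPLE_FILES = {
    "src/config.py": 'TOKEN = "acme_' + "a" * 32 + '"\n',
    "tests/fixtures/dummy.pem": "-----BEGIN RSA PRIVATE KEY-----\n(redacted)\n",
    "deploy/server.pem": "-----BEGIN RSA PRIVATE KEY-----\n(redacted)\n",
}

def is_ignored(path, paths_ignore=PATHS_IGNORE):
    """True if the path matches any paths-ignore glob."""
    return any(fnmatch.fnmatch(path, glob) for glob in paths_ignore)

def scan_file(path, text, patterns=PATTERNS, paths_ignore=PATHS_IGNORE):
    """Return [(pattern_name, line_number)] for one file, [] if ignored."""
    if is_ignored(path, paths_ignore):
        return []
    compiled = {name: re.compile(rx) for name, rx in patterns.items()}
    alerts = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in compiled.items():
            if rx.search(line):
                alerts.append((name, lineno))
    return alerts

def scan_repo(files=SAMPLE_FILES, patterns=PATTERNS, paths_ignore=PATHS_IGNORE,
              noisy=frozenset()):
    """Scan every file; 'noisy' names patterns dropped from the report
    (the per-pattern ignore list floated in the last comment)."""
    report = {}
    for path, text in files.items():
        hits = [a for a in scan_file(path, text, patterns, paths_ignore)
                if a[0] not in noisy]
        if hits:
            report[path] = hits
    return report
```

With the constructed files, `scan_repo()` reports the token in `src/config.py` and the key header in `deploy/server.pem`, while the fixture under `tests/fixtures/` is skipped by the paths-ignore rule.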
