sbp commented on issue #233: URL: https://github.com/apache/tooling-trusted-releases/issues/233#issuecomment-4407972020
> Submit the noisy secret prefix/pattern to GitHub so their scanner can detect leaked ATR PATs in public repositories. This requires filing a request with GitHub's secret scanning team with the regex pattern matching the noisy secret format.

Yes, but in ATR and in Tooling more generally we're currently using `tooling.apache.org`, so the prefix for us would be `secret_m_org_apache_tooling_`. This would not, however, be true of other teams. Instead of contacting all upstream scanners whenever another team is added, perhaps we could just register `secret_[df-kmnp-z]_org_apache_`. This would allow us to use any namespace with `apache.org` or a subdomain thereof up to the Noisy Secret length limit.

Note that `e` isn't a valid length because that would be an encoded domain of length 11, whereas `apache.org` is length 10 and `a.apache.org` is length 12.
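A defender-side check built on the prefix proposed in the comment, added here as an example and not code from the ATR project or from the commenter: it scans constructed sample lines with the `secret_[df-kmnp-z]_org_apache_` pattern and redacts everything after the prefix in what it reports. The character set assumed for the remainder of a token (lowercase letters, digits, underscores) is an assumption, not something the comment states.

```python
import re

# Prefix proposed in the comment above: a Noisy Secret whose encoded domain
# is apache.org or any subdomain of it. The length-letter class [df-kmnp-z]
# is copied verbatim; the comment explains that `e` is absent because no
# domain under apache.org encodes to length 11.
ATR_PREFIX = r"secret_[df-kmnp-z]_org_apache_"

# Assumption (not from the comment): the rest of the token, i.e. the remaining
# namespace labels and the secret body, consists of lowercase letters, digits
# and underscores. Group 1 keeps the prefix, group 2 is the part to redact.
SECRET_RE = re.compile(r"(" + ATR_PREFIX + r")([a-z0-9_]+)")


def find_leaks(text):
    """Scan text line by line; return (line number, redacted line) per hit.

    Only the registered prefix survives in the redacted line, so the result
    can be logged or shown in a CI failure without re-exposing the secret.
    """
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        if SECRET_RE.search(line):
            hits.append((number, SECRET_RE.sub(r"\1<redacted>", line)))
    return hits


# Constructed sample input: one leaked token plus two lines that look similar
# but fall outside the proposed pattern (wrong domain; impossible length `e`).
SAMPLE = """\
ATR_TOKEN=secret_m_org_apache_tooling_abc123def456
OTHER=secret_m_org_example_tooling_abc123def456
BOGUS=secret_e_org_apache_x_abc123def456
timeout = 30
"""

if __name__ == "__main__":
    for number, line in find_leaks(SAMPLE):
        print(f"line {number}: {line}")
```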
