Add API endpoint to receive alerts of exposed API tokens from GitHub #5495

Merged (1 commit, Dec 13, 2022)

Conversation

dangardner (Contributor)

Adds a new POST endpoint at /tokens/alert/github to receive alerts from GitHub when crates.io API tokens are exposed.

Requires adding a dependency on ring for ECDSA signature validation.

Intended to resolve #3400.

@dangardner dangardner marked this pull request as ready for review November 18, 2022 19:48
@dangardner dangardner marked this pull request as draft November 18, 2022 20:12
@Turbo87 Turbo87 force-pushed the gh-secret-alerts branch 2 times, most recently from ef20a89 to 2c285a7 Compare November 20, 2022 10:48
Turbo87 (Member) left a comment

I left a few minor comments, but this looks pretty good already. Nice work!

btw I rebased and squashed the commits :)

@Turbo87 Turbo87 added C-enhancement ✨ Category: Adding new behavior or a change to the way an existing feature works A-backend ⚙️ labels Nov 20, 2022
dangardner (Contributor, Author)

Thanks for the feedback, I'll be working on that.

bors (Contributor)

bors commented Nov 25, 2022

☔ The latest upstream changes (presumably #5535) made this pull request unmergeable. Please resolve the merge conflicts.

@dangardner dangardner marked this pull request as ready for review December 7, 2022 01:23
Turbo87 (Member)

Turbo87 commented Dec 13, 2022

Rebased once more due to base64 breaking changes and merge conflicts in use statements :)

Turbo87 (Member) left a comment

LGTM 👍

There are a few little improvements left, but those can be done in a follow-up PR :)

@Turbo87 Turbo87 merged commit 2a620db into rust-lang:master Dec 13, 2022
aashah

aashah commented Dec 13, 2022

👋 I'm on the Secret Scanning team too. Just tested out the endpoint with some real API tokens, and things look good from our side! I received the email from crates.io as well!

Labels: A-backend ⚙️, C-enhancement ✨ (Category: Adding new behavior or a change to the way an existing feature works)

Linked issue (may be closed by merging this pull request): Automatically respond to crates.io API token leaks on GitHub (via GitHub secret scanning)