Research: Github Code Scanning
baruchiro opened this issue
Baruch Odem (Rothkoff) commented
This research should consider the entire flow of Github Code Scanning.
- When are we identifying the secret in the first place? In a PR?
- How does a finding in a PR become a Code Scanning issue (in the Security tab)?
- How to dismiss a finding? What if the user deleted it in a commit, but didn't remove it from the history? Will it still be considered a Code Scanning issue?
Originally posted by @jossef in #128 (comment)
Check the possibility of uploading a report to mark the secret on the code, like in Kics.
See why gitleaks is not using Github Code Scanning.
But we can do annotations like in Kics.
Originally posted by @baruchiro in #39 (comment)
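The "report" a scanner uploads to Code Scanning (the route Kics takes) is a SARIF 2.1.0 document; GitHub turns each `result` in it into an alert annotated on the file and line it points at, and the `github/codeql-action/upload-sarif` action is the usual way to push it from a workflow. The following is an added example, not code from this project or from Kics, that builds such a document from a constructed list of secret findings. The tool name, rule ids, file paths and the sample findings are all assumptions made up for the example; the one design point it demonstrates is that the SARIF message must carry only a redacted fingerprint of the secret, never the secret itself, since the alert text is visible to anyone who can read the Security tab.

```python
import hashlib
import json

# Constructed sample findings, in the shape a secrets scanner might emit
# (path, 1-based line/columns, matched rule, and the raw matched text).
SAMPLE_FINDINGS = [
    {"rule_id": "generic-api-key", "path": "config/settings.py", "line": 12,
     "start_col": 11, "end_col": 43, "secret": "AKIAEXAMPLEKEY0000000000"},
    {"rule_id": "private-key", "path": "deploy/id_rsa", "line": 1,
     "start_col": 1, "end_col": 32, "secret": "-----BEGIN RSA PRIVATE KEY-----"},
]


def redact(secret: str) -> str:
    """Replace the secret with a short SHA-256 prefix so the alert text
    identifies the finding without reproducing the secret itself."""
    digest = hashlib.sha256(secret.encode()).hexdigest()[:12]
    return f"<redacted sha256:{digest}>"


def line_fingerprint(path: str, line: int, rule_id: str) -> str:
    """Stable fingerprint for one finding, so re-uploading the same report
    updates the existing alert instead of opening a duplicate."""
    return hashlib.sha256(f"{path}:{line}:{rule_id}".encode()).hexdigest()


def build_sarif(findings, tool_name="secrets-scanner-example", tool_version="0.0.0"):
    """Build a SARIF 2.1.0 document: one rule per distinct rule_id, one
    result per finding, each pinned to a physical location in the repo."""
    rules = {}
    results = []
    for f in findings:
        rules.setdefault(f["rule_id"], {
            "id": f["rule_id"],
            "shortDescription": {"text": f"Hard-coded secret matched rule {f['rule_id']}"},
            "defaultConfiguration": {"level": "error"},
        })
        results.append({
            "ruleId": f["rule_id"],
            "level": "error",
            # Only the redacted form reaches the alert text.
            "message": {"text": f"Possible secret ({f['rule_id']}): {redact(f['secret'])}"},
            "locations": [{
                "physicalLocation": {
                    # %SRCROOT% tells GitHub the uri is relative to the checkout root.
                    "artifactLocation": {"uri": f["path"], "uriBaseId": "%SRCROOT%"},
                    "region": {
                        "startLine": f["line"],
                        "startColumn": f["start_col"],
                        "endColumn": f["end_col"],
                    },
                }
            }],
            "partialFingerprints": {
                "primaryLocationLineHash": line_fingerprint(f["path"], f["line"], f["rule_id"]),
            },
        })
    return {
        "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version,
                                "rules": list(rules.values())}},
            "results": results,
        }],
    }


def to_json(findings) -> str:
    """Serialise the report; this string is what gets written to the .sarif
    file handed to the upload step."""
    return json.dumps(build_sarif(findings), indent=2)


if __name__ == "__main__":
    report = to_json(SAMPLE_FINDINGS)
    # Sanity check before writing: the raw secrets must not appear anywhere.
    assert all(f["secret"] not in report for f in SAMPLE_FINDINGS)
    print(report)
```

Writing the output of `to_json` to a file and passing that path as `sarif_file` to `github/codeql-action/upload-sarif` is the upload step; the `partialFingerprints` value is what lets a later upload on the same branch be matched to the alert the first upload created.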