Skip to content

repo sync #21247

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Oct 10, 2022
Merged

repo sync #21247

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
27b28af
Clarify how example payload signatures were derived (#31462)
aashah Oct 10, 2022
0d6e19d
Guide pages have no data-search="article-body" (#31433)
Oct 10, 2022
1d8b98d
Merge branch 'main' into repo-sync
Octomerger Oct 10, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
40 changes: 21 additions & 19 deletions components/guides/ProductGuides.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,26 +17,28 @@ export const ProductGuides = () => {
<GuidesHero />
</LandingSection>

{learningTracks && learningTracks.length > 0 && (
<LandingSection
title={`${title} learning paths`}
className="border-top py-6"
sectionLink="learning-paths"
description={t('learning_paths_desc')}
>
<LearningTracks />
</LandingSection>
)}
<div data-search="article-body">
{learningTracks && learningTracks.length > 0 && (
<LandingSection
title={`${title} learning paths`}
className="border-top py-6"
sectionLink="learning-paths"
description={t('learning_paths_desc')}
>
<LearningTracks />
</LandingSection>
)}

{includeGuides && (
<LandingSection
title={`All ${title} guides`}
className="border-top py-6 color-border-default"
sectionLink="all-guides"
>
<ArticleCards />
</LandingSection>
)}
{includeGuides && (
<LandingSection
title={`All ${title} guides`}
className="border-top py-6 color-border-default"
sectionLink="all-guides"
>
<ArticleCards />
</LandingSection>
)}
</div>
</DefaultLayout>
)
}
60 changes: 41 additions & 19 deletions content/developers/overview/secret-scanning-partner-program.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -59,26 +59,25 @@ Send this information to <a href="mailto:secret-scanning@github.com">secret-scan

Create a public, internet accessible HTTP endpoint at the URL you provided to us. When a match of your regular expression is found in a public repository, {% data variables.product.prodname_dotcom %} will send an HTTP `POST` message to your endpoint.

#### Example POST sent to your endpoint
#### Example request body

```http
POST / HTTP/2
Host: HOST
Accept: */*
Content-Type: application/json
GITHUB-PUBLIC-KEY-IDENTIFIER: f9525bf080f75b3506ca1ead061add62b8633a346606dc5fe544e29231c6ee0d
GITHUB-PUBLIC-KEY-SIGNATURE: MEUCIQDfLvT8/zM8F1aB3cM0ZwyeWF1m5YR6IhcUIv1OKQYL0wIgBZ5lVXB3gHK+dT8+xt0WgRVLqvsTPFiDO9QP/7eJ4yE=
Content-Length: 187

[{"token":"NMIfyYncKcRALEXAMPLE","type":"mycompany_api_token","url":"https://github.com/octocat/Hello-World/blob/12345600b9cbe38a219f39a9941c9319b600c002/foo/bar.txt","source":"content"}]
```json
[
{
"token":"NMIfyYncKcRALEXAMPLE",
"type":"mycompany_api_token",
"url":"https://github.com/octocat/Hello-World/blob/12345600b9cbe38a219f39a9941c9319b600c002/foo/bar.txt",
"source":"content"
}
]
```

The message body is a JSON array that contains one or more objects with the following contents. When multiple matches are found, {% data variables.product.prodname_dotcom %} may send a single message with more than one secret match. Your endpoint should be able to handle requests with a large number of matches without timing out.
The message body is a JSON array that contains one or more objects, with each object representing a single secret match. Your endpoint should be able to handle requests with a large number of matches without timing out. The keys for each secret match are:

* **token**: The value of the secret match.
* **type**: The unique name you provided to identify your regular expression.
* **url**: The public URL where the match was found (may be empty)
* **source**: Where the token was found on GitHub.
* **source**: Where the token was found on {% data variables.product.prodname_dotcom %}.

The list of valid values for `source` are:

Expand All @@ -97,26 +96,32 @@ The list of valid values for `source` are:

### Implement signature verification in your secret alert service

We strongly recommend you implement signature validation in your secret alert service to ensure that the messages you receive are genuinely from {% data variables.product.prodname_dotcom %} and not malicious.
The HTTP request to your service will also contain headers that we strongly recommend using
to validate the messages you receive are genuinely from {% data variables.product.prodname_dotcom %}, and are not malicious.

The two HTTP headers to look for are:

* `GITHUB-PUBLIC-KEY-IDENTIFIER`: Which `key_identifier` to use from our API
* `GITHUB-PUBLIC-KEY-SIGNATURE`: Signature of the payload

You can retrieve the {% data variables.product.prodname_dotcom %} secret scanning public key from https://api.github.com/meta/public_keys/secret_scanning and validate the message using the `ECDSA-NIST-P256V1-SHA256` algorithm.
You can retrieve the {% data variables.product.prodname_dotcom %} secret scanning public key from https://api.github.com/meta/public_keys/secret_scanning and validate the message using the `ECDSA-NIST-P256V1-SHA256` algorithm. The endpoint
will provide several `key_identifier` and public keys. You can determine which public
key to use based on the value of `GITHUB-PUBLIC-KEY-IDENTIFIER`.

{% note %}

**Note**: When you send a request to the public key endpoint above, you may hit rate limits. To avoid hitting rate limits, you can use a personal access token (no scopes required) as suggested in the samples below, or use a conditional request. For more information, see "[Getting started with the REST API](/rest/guides/getting-started-with-the-rest-api#conditional-requests)."

{% endnote %}

Assuming you receive the following message, the code snippets below demonstrate how you could perform signature validation.
The code snippets assume you've set an environment variable called `GITHUB_PRODUCTION_TOKEN` with a generated PAT (https://github.com/settings/tokens) to avoid hitting rate limits. The PAT does not need any scopes/permissions.

{% note %}

**Note**: The signature was generated using the raw message body. So it's important you also use the raw message body for signature validation, instead of parsing and stringifying the JSON, to avoid rearranging the message or changing spacing.

{% endnote %}

**Sample message sent to verify endpoint**
**Sample HTTP POST sent to verify endpoint**

```http
POST / HTTP/2
Host: HOST
Expand All @@ -129,6 +134,23 @@ Content-Length: 83
[{"token":"some_token","type":"some_type","url":"some_url","source":"some_source"}]
```

{% note %}

**Note**: The key id and signature from the example payload is derived from a test key.
The public key for them is:

```
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEsz9ugWDj5jK5ELBK42ynytbo38gP
HzZFI03Exwz8Lh/tCfL3YxwMdLjB+bMznsanlhK0RwcGP3IDb34kQDIo3Q==
-----END PUBLIC KEY-----
```

{% endnote %}

The following code snippets demonstrate how you could perform signature validation.
The code examples assume you've set an environment variable called `GITHUB_PRODUCTION_TOKEN` with a generated [personal access token](https://github.com/settings/tokens) (PAT) to avoid hitting rate limits. The PAT does not need any scopes/permissions.

**Validation sample in Go**
```golang
package main
Expand Down