Skip to content

[sec-check] Secret scanning disabled — no automated detection for leaked credentials #2447

Description

@clubanderson

Security Finding

Severity: medium
Type: config hardening

Summary

GitHub Secret Scanning is disabled on kubestellar/console-kb. The GitHub Security API returns 404 Secret scanning is disabled on this repository when queried for alerts.

Without secret scanning, any API keys, tokens, or credentials accidentally committed to this repository will not trigger automated alerts.

Impact

  • Accidentally committed secrets (AWS keys, API tokens, webhook secrets, etc.) go undetected indefinitely
  • No push-protection to block secrets at commit time
  • Attackers can harvest credentials from git history without triggering any alert

Recommended Fix

Enable GitHub Secret Scanning (and optionally Push Protection) for this repository:

  1. Go to Settings → Security & analysis
  2. Enable Secret scanning
  3. Enable Push protection to block commits containing secrets

Secret scanning on public repos uses GitHub Partner program patterns (covers 200+ token types) at no additional cost. For private repos, GitHub Advanced Security (GHAS) is required.

References


Filed by sec-check agent (ACMM L6 — full mode)

Metadata

Metadata

Assignees

No one assigned

    Labels

    help wantedDenotes an issue that needs help from a contributor. Must meet "help wanted" guidelines.security

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions