Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

If vendors agreed to a common prefix on all secret key values then it'd be easy for everyone to add checks, to everything. Something like "_SECRET88_".

Of course, then your secret key checker would need to build that string by concatenating so that it wouldn't set off itself.



More and more providers have been adding unique prefixes to their tokens and access keys which makes detection much easier. Ex, GitLab adds `glpat-` to their PAT.

A project I maintain, Gitleaks, can easily detect "unique" secrets and does a pretty good job at detecting "generic" secrets too. In this case, the generic gitleaks rule would have caught the secrets [1]. You can see the full rule definition here [2] and how the rule is constructed here [3].

[1] https://regex101.com/r/CLg9TK/1

[2] https://github.com/zricethezav/gitleaks/blob/master/config/g...

[3] https://github.com/zricethezav/gitleaks/blob/master/cmd/gene...


RFC 8959 registered the 'secret-token:' prefix / URI scheme.

https://www.rfc-editor.org/rfc/rfc8959.html


How about scanning for any string with high entropy? Might be easier to get buy-in if we don’t all have to bike-shed over what the prefix is.


That’s helpful but the token prefixes are also helpful. You might be interested in GitHub’s reasoning at https://github.blog/2021-04-05-behind-githubs-new-authentica...




Consider applying for YC's Winter 2026 batch! Applications are open till Nov 10

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: