CMF
RDK Releases
Documentation
CMF Videos
Support
Support for CMF is provided by the RDK Support group.
To contact RDK Support:
Enter a ticket: https://jira.rdkcentral.com/
or
E-mail: support@rdkcentral.com
Page History
...
Secret scanning proactively detects and alerts on secrets committed to repositories. It includes push protection, which blocks commits containing specific secrets before they reach the repository.
Enablement Process at the Organization Level (Currently enabled for public repos)
- Prerequisites
- GitHub Advanced Security must be enabled for the organization.
- Steps
- Navigate to the Organization > Settings.
- Go
...
- to Advanced Security >
...
- Secret scanning alerts: Detects secrets already committed.
- Push protection: Prevents new specific secret types from being committed.
- Security Configuration > Created New security configuration with below enforcement.
- Repository-Level Enforcement
- Organization admins can enforce secret scanning via security configurations.
Benefits
- Proactive Protection: Prevents secrets from being pushed to GitHub.
- Automated Alerts: Notifies developers and admins of exposed secrets.
- Compliance Support: Helps meet internal and external security standards.
- Developer-Friendly: Offers bypass options for valid use cases (e.g., test keys).
Remediation
Team members with maintainers role do not have access to view secrets in security tab at repo level. Only admin and security manager role has access to view/remediate secret alerts. For the team members to remediate the alerts, we are publishing the secret scan results in an excel sheet attached in below confluence link.
https://etwiki.sys.comcast.net/pages/viewpage.action?pageId=1798265160
Before Enabling Secret Protection:
After Enabling Secret Protection:
Excluding folders and files from secret scanning
...
Feature | Description |
Validity checks | Automatically verify if a secret is valid by sending it to the relevant partner. |
Non-provider patterns | Scan for non-provider patterns. Learn more about non-provider patterns. |
Scan for generic passwords | Copilot Secret Scanning detects passwords using AI. Learn more about generic password detection. |
Push protection | Block commits that contain supported secrets. |
Copilot Secret Scanning:
Below is an example of a commit detected by secret scan. GH would alert the user through email.https://github.com/KaizenDevopsTraining/devops/commit/9032b48f5ce98c8b9a7458ec2149ea68f934b08c
Secret scanning alerts:
Example:
Default alerts list
...
Push Protection: Block commits that contain supported secrets.
Service providers update the patterns used to generate tokens periodically and may support more than one version of a token. Push protection only supports the most recent token versions that secret scanning can identify with confidence. This avoids push protection blocking commits unnecessarily when a result may be a false positive, which is more likely to happen with legacy tokens.
In above screenshots, user is provided with a github link to browse as shown below
Select a suitable option above to bypass push protection.
When you allow a secret to be pushed, an alert is created in the Security tab. GitHub closes the alert and doesn't send a notification if you specify that the secret is a false positive or used only in tests. If you specify that the secret is real and that you will fix it later, GitHub keeps the security alert open and sends notifications to the author of the commit, as well as to repository administrators. For more information, see Managing alerts from secret scanning.
About secret scanning - GitHub Docs
...
This table shows the behavior of alerts for each way a user can bypass a push protection block.
Bypass reason | Alert behavior |
It's used in tests | GitHub creates a closed alert, resolved as "used in tests" |
It's a false positive | GitHub creates a closed alert, resolved as "false positive" |
I'll fix it later | GitHub creates an open alert |
If you want greater control over which contributors can bypass push protection and which pushes containing secrets should be allowed, you can enable delegated bypass for push protection. Delegated bypass lets you configure a designated group of reviewers to oversee and manage requests to bypass push protection from contributors pushing to the repository. For more information, see About delegated bypass for push protection.
...
Steps to Handle Secrets Listed in the Security Tab by Developers:
...
- Go to Repo → Security → Secret scanning.
- Click on each alert to see:
- The file and line where the secret was found.
- The type of secret (e.g., GitHub token, AWS key).
- Whether it’s still active or revoked.
https://github.com/rdkcentral/sample-gitflow/security/secret-scanning/21
While closing the alert, select appropriate action, add relevant comment and close the alert as shown below
More helpful articles listed below
...
Overview
Community Forums
Content Tools
Tasks