Are there any open source tools that scan the code and detect such gaffes?

Not open source, but I have used this before, and they have a very generous free tier: https://www.gitguardian.com/monitor-internal-repositories-fo...

You install their GitHub app and give them access to your GitHub repo (private repos are OK too) and they run a GitHub workflow when each PR is submitted, scanning for secrets that should not be in the code. Really happy with how their product works.

If you weren't aware of it... There is a world of static application security testing (SAST) tools which can help you. Add them to your text editor/CI/CD to use them.

https://owasp.org/www-community/Source_Code_Analysis_Tools

TruffleHog: https://trufflesecurity.com/trufflehog

I worked for them a little bit and their product is really impressive and works great.

TruffleHog is a good starting point; then bake your own simple regex into your GitHub Actions or equivalent and make it part of your test suite.
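A sketch of the "own simple regex in the test suite" idea from the comment above, added here as an example and not code from the thread or from any tool it mentions. The rule names, the assignment pattern, the entropy threshold and the `secret-scan: ignore` marker are assumptions to tune for your own code base.

```python
import math
import re

# Provider-specific formats; extend this table for the services you use.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}
# Generic name = "value" assignments, reported only when the value looks random.
ASSIGNMENT = re.compile(
    r"(?i)(?:api[_-]?key|secret|token|passw(?:or)?d)\w*\s*[:=]\s*['\"]([^'\"\s]{16,})['\"]"
)
ENTROPY_THRESHOLD = 3.5  # bits per character (assumed starting point)


def shannon_entropy(value):
    """Bits per character of the value's character distribution."""
    counts = {ch: value.count(ch) for ch in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())


def scan_text(text, path="<memory>"):
    """Return (path, line_number, rule) for every suspected secret in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if "secret-scan: ignore" in line:  # explicit, reviewable suppression
            continue
        for rule, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((path, lineno, rule))
        match = ASSIGNMENT.search(line)
        if match and shannon_entropy(match.group(1)) >= ENTROPY_THRESHOLD:
            findings.append((path, lineno, "high_entropy_assignment"))
    return findings


# Constructed sample input; the AWS value is the example key from AWS documentation.
SAMPLE = """\
aws_key = "AKIAIOSFODNN7EXAMPLE"
api_key = "changemechangemechangeme"
api_token = "q9Zr2LxT7vB4nKd8WmYp3HsJ"
password = "Xy7Kp2Lm9Qr4Tz8W"  # secret-scan: ignore
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(finding)
```

In a test suite, call `scan_text` on each tracked file and assert that the combined findings list is empty, so a committed secret fails the build before the PR merges.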

Stupid question: can we not make a regex for searching API keys for particular APIs and do a brute force scan across the internet?

There are a number of products and open source tools that do this. Look up "secret scanning".