🤫 Don't leak your secrets
Blog post from Semgrep
Semgrep has released a ruleset for detecting secrets in source code: passwords, API keys, and other sensitive values such as webhook URLs and Slack tokens. The ruleset contains 38 detection rules and applies across file formats because Semgrep supports JSON, YAML (alpha), and an experimental generic matching mode for files that are not in a supported language. Rules can be customized to an organization's needs, and pattern composition and filtering are available to cut down false positives. Because secret detection tends to produce a high volume of findings at first, Semgrep recommends running the rules in an audit mode that records findings without failing the build, with the Semgrep App's dashboard and notifications providing visibility. Rules can then be refined iteratively so that only relevant findings remain. The post also points to other secret scanning tools, truffleHog, git-secrets, and shhgit, as complementary resources.
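To make the detection, filtering and audit-mode ideas concrete, here is an added example (not Semgrep's ruleset and not code from the post) in Python. It models three rules the way a Semgrep secrets rule is composed: a `pattern` (like `pattern-regex`), an optional `not_pattern` applied to the match (in the spirit of `pattern-not-regex`) to drop placeholder values, and `exclude_paths` (in the spirit of `paths.exclude`) to skip test fixtures. The regexes, rule ids and file contents are my own approximations and constructed samples; the one real-looking key, `AKIAIOSFODNN7EXAMPLE`, is AWS's published documentation example. `run()` returns the exit code a CI step would use: audit mode always returns 0 but still reports, block mode returns 1 when anything is found.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    id: str
    pattern: str                        # analogous to semgrep pattern-regex
    message: str
    not_pattern: Optional[str] = None   # analogous to pattern-not-regex, tested on the match
    exclude_paths: Tuple[str, ...] = () # analogous to paths.exclude (prefix match)


@dataclass
class Finding:
    rule_id: str
    path: str
    line: int
    redacted: str   # never echo the full secret into logs or dashboards


# Hypothetical rules with approximate patterns; they are not Semgrep's own rules.
RULES: List[Rule] = [
    Rule("slack-token",
         r"xox[abpr]-[0-9]{10,13}-[0-9]{10,13}-[A-Za-z0-9]{24}",
         "Slack token in source",
         not_pattern=r"(.)\1{9,}"),          # drop obvious placeholders like 000000000000
    Rule("slack-webhook-url",
         r"https://hooks\.slack\.com/services/T[A-Z0-9]{8,}/B[A-Z0-9]{8,}/[A-Za-z0-9]{24}",
         "Slack incoming webhook URL in source"),
    Rule("aws-access-key-id",
         r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])",
         "AWS access key ID in source",
         exclude_paths=("tests/fixtures/",)),  # known fake keys live here
]

# Constructed sample repository: path -> contents. Values are fabricated except
# AKIAIOSFODNN7EXAMPLE, which is AWS's documented example access key ID.
SAMPLE_FILES: Dict[str, str] = {
    "config/prod.json": '{"slack_token": "xoxb-123456789012-123456789012-AbCdEfGhIjKlMnOpQrStUvWx"}',
    "deploy/.env": "AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP\n"
                   "SLACK_WEBHOOK=https://hooks.slack.com/services/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",
    "docs/setup.md": "Set SLACK_TOKEN=xoxb-000000000000-000000000000-000000000000000000000000 in .env",
    "tests/fixtures/keys.py": 'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"',
}


def redact(secret: str) -> str:
    """Keep a short prefix so the finding is recognisable, hide the rest."""
    return secret[:4] + "..."


def scan(files: Dict[str, str], rules: List[Rule]) -> List[Finding]:
    """Apply every rule to every file, honouring path exclusions and not-patterns."""
    findings: List[Finding] = []
    for path, text in files.items():
        for rule in rules:
            if any(path.startswith(prefix) for prefix in rule.exclude_paths):
                continue
            regex = re.compile(rule.pattern)
            for lineno, line in enumerate(text.splitlines(), start=1):
                for match in regex.finditer(line):
                    token = match.group(0)
                    if rule.not_pattern and re.search(rule.not_pattern, token):
                        continue  # placeholder value, suppress like pattern-not-regex
                    findings.append(Finding(rule.id, path, lineno, redact(token)))
    return findings


def run(files: Dict[str, str], rules: List[Rule], mode: str = "audit") -> int:
    """Report findings; return a CI exit code. 'audit' never fails the build."""
    findings = scan(files, rules)
    for f in findings:
        print(f"{f.path}:{f.line}: [{f.rule_id}] {f.redacted}")
    if mode == "audit" or not findings:
        return 0
    return 1


if __name__ == "__main__":
    import sys
    sys.exit(run(SAMPLE_FILES, RULES, sys.argv[1] if len(sys.argv) > 1 else "audit"))
```

Running the script with no argument prints the three findings and exits 0 (audit mode); `python scan.py block` prints the same and exits 1. The placeholder token in `docs/setup.md` and the AWS example key under `tests/fixtures/` are filtered out, which is the kind of iterative tightening the post recommends before switching a rule from audit to blocking.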