SECRETS SCANNING
The secrets scan runs as part of the SCA scan and detects hard-coded secrets such as passwords, API keys, and tokens in git repositories. The default rules used for secrets scanning can be found here.
To override the default secret rules:
- Download the secrets config file locally
- Add, delete, or update rules
- Set an environment variable called SECRET_RULES=/path/to/rules.toml
To run a full scan of your source code for secrets (rather than only what git tracks), add the --no-git option to your SCA scan command:
vsp_defense scan --lang=java --api-key=<YOUR_API_KEY> --path=<path to your project> --project-name="My Java Project" --no-git
--no-git (false, true): perform a full scan for secrets