GitHub secret scanner detects 'google-custom-search-api-key' => 'AIzaSyDpE01VDNNT73s6CEeJRdSg5jukoG244ek' as a problem secret

[rfay]

Describe the bug

GitHub's secret scanner detects this as a secret:

public function fetch($search = null, $options = ['image-viewer' => 'open', 'google-custom-search-api-key' => 'AIzaSyDpE01VDNNT73s6CEeJRdSg5jukoG244ek']
 

drush/examples/Commands/XkcdCommands.php

Line 25 in 6a3f0cf

#[CLI\Option(name: 'google-custom-search-api-key', description: 'Google Custom Search API Key, available from https://code.google.com/apis/console/. Default key limited to 100 queries/day globally.')]

It's probably private, but the scan alert is in

• https://github.com/rfay/d11/security/secret-scanning/1

[weitzman]

That's ok. That code is not actually secret. If these alerts bother folks I suggest only scanning your customer code and not scanning dependencies.

[rfay]

This isn't a manual scan, it's an automatic GitHub check on checkin of code. And yes, I check in vendor because I'm lazy.

I'm surprised they haven't been pestering you over and over.

[weitzman]

Is there a code comment which will disable scanning for this file or line?

[rfay]

I guess this is something we have enabled, and it's a good idea

• https://docs.github.com/en/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository

IMO just changing the content of the key to your-key-here might prevent the notification.

It's a great feature. I don't see a way to disable it for one line.