KirillOsenkov/MSBuildStructuredLog

[Feature suggestion] 'Search secrets'

Closed this issue · 4 comments

Motivation

People are sometimes cautious about whether they can share their binlogs (rightfully)! They can redact some secrets today (the set of patterns ideally to be expanded as part of this), but they cannot simply check if there is something to be worried about.

I'd want to add something for just searching secrets - but want to first drag it through discussion before spending time on it.

UX Proposal

Just a very rough idea :-) I want to collect feedback on what to avoid and what to try when trying to play with possible UX implementations.

[image: UX proposal mockup]

  • It is part of the searching tabs
  • The things to be searched are part of the leftmost pane - one can choose what should be searched and hits for chosen section are displayed as part of that section
  • The things to search and hits are hierarchical and collapsible
  • The found hits are clickable and point to the Log, File content or File List (if the hit is in the name of the file)

Possible future iterations

  • The find pane has buttons similar to File -> Redact Secrets, so that the chosen results can be scraped
  • Categories selection and expansion is stored in settings
  • Ability to specify custom literals and custom patterns
  • Ability to search based on high entropy (@KirillOsenkov already has some prototype for this)
  • Ability to import custom patterns/literals from file and store them in settings (e.g. 'MySecretProduct' would be always part of the secrets search menu for me if I configure it once)

My only concern is adding yet another tab, otherwise it looks good! I think there should be a menu File -> Secrets or something, and it would then populate the search pane with what you're suggesting above. Or maybe a dialog.

My question is are there scenarios where we don't want everything enabled?

@nguerrera FYI if you haven't met @JanKrivanek he's on the MSBuild team and also passionate about redacting secrets among many other things.

Or for starters we could keep it simple and add search keywords such as $secret $token $aws and whatnot. It would work well as an ISearchExtension, like $nuget for example:

```csharp
public class NuGetSearch : ISearchExtension
```

I like the ideas to simplify this - especially with the search term.
Though - I'm thinking how to capture searching (or rather displaying of those) within files and filenames as well - even though it might be a little less of a concern - it'd be good to cover those as well. File menu/dialog would do, the search terms I'm not sure.

As for the ability to not use some - it's mainly about perf and false positives. That being said, for 'highly identifiable' patterns - we probably almost always want all. For heuristics - it might depend.

perhaps split the results into high confidence and low confidence

all the results should appear in the results tree like all other results, including files and file names
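As an added illustration (not code from the MSBuildStructuredLog project), the Python sketch below shows the detection side of the `$secret` / `$aws` style search discussed above: a few highly identifiable patterns reported as high confidence, the high-entropy heuristic reported as low confidence, run over constructed sample log lines. The pattern shapes, the 4.0-bit entropy threshold and the sample lines are assumptions made for this example.

```python
import math
import re

# Illustrative high-confidence patterns (well-known key prefixes plus a keyword
# rule for "password = ..." style values); not the viewer's own pattern set.
HIGH_CONFIDENCE = {
    "aws": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "secret": re.compile(r"(?i)(?:secret|password|token)\s*[=:]\s*\S+"),
}
# Candidate tokens for the entropy heuristic (low confidence).
TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")

def shannon_entropy(s):
    """Bits per character; log2(len(s)) when every character is distinct."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_lines(lines, entropy_threshold=4.0):
    """Return (line_no, confidence, category, text) hits, in line order."""
    hits = []
    for no, line in enumerate(lines, 1):
        matched = []
        for name, pat in HIGH_CONFIDENCE.items():
            for m in pat.finditer(line):
                hits.append((no, "high", name, m.group(0)))
                matched.append(m.group(0))
        for m in TOKEN.finditer(line):
            tok = m.group(0)
            # Do not double-report a value a pattern already caught.
            if any(tok in text for text in matched):
                continue
            if shannon_entropy(tok) >= entropy_threshold:
                hits.append((no, "low", "entropy", tok))
    return hits

# Constructed sample lines, not from a real binlog; the AWS value is Amazon's
# documented placeholder key, the GitHub value is a made-up 36-char suffix.
SAMPLE_LOG = [
    "Build started 1/1/2024",
    "Property AWS_ACCESS_KEY_ID = AKIAIOSFODNN7EXAMPLE",
    "Property NUGET_TOKEN = ghp_abcdefghijklmnopqrstuvwxyz0123456789",
    "Property Configuration = Release",
    "Target ResolveAssemblyReferences took 0.21s",
    "Property ApiKey = 8f3K9zQ2pL7mN4vX1bW6yT0rU5sE",
    "Property Password = hunter2",
]
```

The long but ordinary target name on line 5 stays below the threshold, while the random-looking `ApiKey` value on line 6 is reported only as a low-confidence hit, which is the false-positive trade-off the thread raises.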