| CARVIEW |
Select Language
HTTP/2 200
date: Sat, 11 Oct 2025 04:46:54 GMT
content-type: text/html; charset=utf-8
cache-control: max-age=0, private, must-revalidate
content-security-policy: default-src 'none'; base-uri 'self'; child-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com github.githubassets.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com wss://alive-staging.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com release-assets.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com marketplace-screenshots.githubusercontent.com/ copilotprodattachments.blob.core.windows.net/github-production-copilot-attachments/ github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/
link: ; rel=preload; as=fetch; crossorigin=use-credentials
referrer-policy: no-referrer-when-downgrade
server-timing: issue_layout-fragment;desc="issue_layout fragment";dur=281.773518,issue_conversation_content-fragment;desc="issue_conversation_content fragment";dur=782.641288,nginx;desc="NGINX";dur=0.940955,glb;desc="GLB";dur=139.920874
strict-transport-security: max-age=31536000; includeSubdomains; preload
vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, X-Requested-With, Accept,Accept-Encoding, Accept, X-Requested-With
x-content-type-options: nosniff
x-frame-options: deny
x-voltron-version: aab62e3
x-xss-protection: 0
server: github.com
content-encoding: gzip
accept-ranges: bytes
set-cookie: _gh_sess=OJJlNR%2BA8RY5imUyO4aau13n9kscxv9ETzYTe7Sn7OIGMAygO1uDVFeoMzFGN5bJG85bKf7epNopAYISgPx2Ftw85M0y2sg0SQ%2FWEyyNArWPYK0st9oqIuPZ481XxD7z219Wh6Kv6wx1%2FuMd0y1tgv4UQrK%2BCbvn%2BV5xRnmmCLopmV7XrFJBx26fSaN1km4xjOgGp7qtRJ5IrLEv7EfzrH0wCM4Vpz%2FpbDpkO3GZczZ9FZAQY9zQQkyVkcmsRgCoue2TEctpUHsayZeXU6ob8A%3D%3D--Cq42suyrnqQT7rwm--nn2tXihzQ9btvSqdRbgvrg%3D%3D; Path=/; HttpOnly; Secure; SameSite=Lax
set-cookie: _octo=GH1.1.692724399.1760158013; Path=/; Domain=github.com; Expires=Sun, 11 Oct 2026 04:46:53 GMT; Secure; SameSite=Lax
set-cookie: logged_in=no; Path=/; Domain=github.com; Expires=Sun, 11 Oct 2026 04:46:53 GMT; HttpOnly; Secure; SameSite=Lax
x-github-request-id: E9F8:8CC4A:2D313F:414427:68E9E13D
Secret reporting endpoint · Issue #14961 · pypi/warehouse · GitHub
No one assignedNo projectsNo milestoneNone yetNo branches or pull requests
Skip to content
Navigation Menu
{{ message }}
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
Closed
Labels
APIs/feedsfeature requestsecuritySecurity-related issues and pull requestsSecurity-related issues and pull requests
Description
What's the problem this feature will solve?
As part of our ongoing collaboration to find exposed secrets in PyPI packages, we are working on a scanning pipeline that automatically scans newly released packages. In order to report our findings, we will need an endpoint we can call, with an agreed-upon schema.
Describe the solution you'd like
Schema
Ideally, the endpoint’s payload would be on a per artifact basis, allowing us to include metadata about the artifact alongside the list of secrets that were found. Here is a possible schema for the payload.
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "Artifact scanning report",
"description": "The detail of all the findings for a given artifact",
"type": "object",
"required": [
"release",
"scan_info",
"scan_results"
],
"properties": {
"release": {
"type": "object",
"required": [
"title",
"package_name",
"version"
],
"properties": {
"title": {
"type": "string",
"examples": [
"ggshield 1.0.2"
]
},
"package_name": {
"type": "string",
"examples": [
"ggshield"
]
},
"version": {
"type": "string",
"examples": [
"1.0.2"
]
}
}
},
"scan_info": {
"type": "object",
"required": [
"scanner_version",
"scanned_at"
],
"properties": {
"scanner_version": {
"type": "string",
"examples": [
"2.99.0"
]
},
"scanned_at": {
"type": "date-time",
"examples": [
"2023-11-16T17:10:25Z"
]
}
}
},
"scan_results": {
"type": "array",
"items": {
"type": "object",
"required": [
"artifact",
"secrets"
],
"properties": {
"artifact": {
"type": "object",
"required": [
"name",
"sha256_digest"
],
"properties": {
"name": {
"type": "string",
"examples": [
"ggshield-1.0.2.zip"
]
},
"sha256_digest": {
"type": "string",
"examples": [
"13550350a8681c84c861aac2e5b440161c2b33a3e4f302ac680ca5b686de48de"
]
}
}
},
"secrets": {
"type": "array",
"items": {
"type": "object",
"required": [
"detector_name",
"detector_display_name",
"company_name",
"filepath",
"matches",
"validity_status"
],
"properties": {
"detector_name": {
"type": "string",
"examples": [
"google_aiza"
]
},
"detector_display_name": {
"type": "string",
"examples": [
"Google API Key"
]
},
"company_name": {
"type": "string",
"examples": [
"Google"
]
},
"documentation_url": {
"type": "uri",
"examples": [
"https://docs.gg.com/google_aiza"
]
},
"filepath": {
"type": "string",
"examples": [
"/ggshield/connect/google.py"
]
},
"matches": {
"type": "array",
"items": {
"type": "object",
"required": [
"match_name",
"index_start",
"index_end"
],
"properties": {
"match_name": {
"type": "string",
"examples": [
"apikey"
]
},
"index_start": {
"type": "integer",
"examples": [
12
]
},
"index_end": {
"type": "integer",
"examples": [
32
]
}
}
}
},
"validity_status": {
"type": "string",
"enum": [
"NO_CHECKER",
"FAILED_TO_CHECK",
"VALID",
"INVALID"
],
"examples": [
"VALID"
]
}
}
}
}
}
}
}
},
"examples": [
{
"release": {
"title": "ggshield 1.0.2",
"package_name": "ggshield",
"version": "1.0.2"
},
"scan_info": {
"scanner_version": "2.99.0",
"scanned_at": "2023-11-16T17:10:25Z"
},
"scan_results": [
{
"artifact": {
"name": "ggshield-1.0.2.zip",
"sha256_digest": "13550350a8681c84c861aac2e5b440161c2b33a3e4f302ac680ca5b686de48de"
},
"secrets": [
{
"detector_name": "google_aiza",
"detector_display_name": "Google API Key",
"company_name": "Google",
"documentation_url": "https://docs.gg.com/google_aiza",
"filepath": "/ggshield/connect/google.py",
"matches": [
{
"match_name": "apikey",
"index_start": 12,
"index_end": 32
}
],
"validity_status": "VALID"
}
]
}
]
}
]
}Response
We do not expect the endpoint to return any data, we just need to be able to distinguish between a successful call and one that fails: standard status codes should be more than enough.
API versioning
We have no strong requirement on this point, and will be fine with whichever solution you choose for the versioning of the schema.
Call volume and rate limiting
Since we are planning to call the endpoint once per artifact in which we find secrets, the worst case would be that we find secrets in every single artifact. In that case, our volume of calls would be directly proportional to the number of releases. We consequently don’t expect our volume of calls to be such as to restricted by rate limiting.
Authentication
This endpoint should not be publicly available. A possible approach would be to use both authentication via a secret (ideally just an API key) and an IP allowlist, to guarantee that only known entities have access to the endpoint.
Remediation
In the case of prolonged downtime of the endpoint, we won’t be able to upload our findings. They will be persisted on our end, and can be re-uploaded at a later point. We do not plan to have a way to automate this: this will be done “manually”, on an ad-hoc fashion.
We would also probably need to have an automated way of revoking / renewing our own API key, to be able to remediate any leak on our end immediately.
pierrelalanne, ZGuardian and masoudahg00sethmlarson, ZGuardian and masoudahg00
Metadata
Metadata
Assignees
Labels
APIs/feedsfeature requestsecuritySecurity-related issues and pull requestsSecurity-related issues and pull requests
Projects
Milestone
Relationships
Development
Issue actions
You can’t perform that action at this time.