This is a bit hazy at the moment due to the "when" part really affecting us. The most effective time to run credscan is as a pre-commit hook. However, given that it's got more than a few local requirements, I'm not certain this would be a great developer experience.
The timing of when to trigger the credscan is a bit suspect, but perhaps we can add some sort of file-watcher (especially in the docker image) that runs credscan on any new recording files?
EDIT 10/7.
Now that test-proxy has recording retrieval integrated, we have an excellent place to prevent cred leaks. We can place a scan on the push operation. Anything that would fail will prevent the push from happening.
Furthermore, @LarryOsterman has requested that this is a setting that can be enabled / disabled on the server.
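As an added illustration (not code from this issue or from the test-proxy project), here is what a push-time gate of the kind described above could look like: the recording is scanned before the push is allowed, any finding blocks it, and a server-side setting can switch the check off. The recording layout (`Entries`, `RequestUri`, `RequestHeaders`, `ResponseHeaders`), the `Sanitized` placeholder, the setting name and the patterns are all assumptions for the example.

```python
"""Push-time credential gate for test recordings (added example, assumptions throughout)."""
import json
from urllib.parse import parse_qs, urlparse

# Assumed server-side toggle, modelled on the enable/disable setting requested above.
CREDSCAN_ON_PUSH = True

# Assumed placeholder that a sanitizer writes in place of a real secret.
PLACEHOLDER = "Sanitized"
# Constructed, illustrative lists of secret-bearing header names and query keys.
SECRET_HEADERS = {"authorization", "x-ms-authorization", "ocp-apim-subscription-key"}
SECRET_QUERY_KEYS = {"sig", "accountkey", "sharedaccesskey", "client_secret"}


def find_leaks(recording: dict) -> list:
    """Return one human-readable finding per unsanitized secret-bearing field."""
    findings = []
    for i, entry in enumerate(recording.get("Entries", [])):
        for section in ("RequestHeaders", "ResponseHeaders"):
            for name, value in entry.get(section, {}).items():
                if name.lower() in SECRET_HEADERS and value != PLACEHOLDER:
                    findings.append(f"entry {i}: {section}.{name} is not sanitized")
        query = parse_qs(urlparse(entry.get("RequestUri", "")).query)
        for key, values in query.items():
            if key.lower() in SECRET_QUERY_KEYS and any(v != PLACEHOLDER for v in values):
                findings.append(f"entry {i}: query parameter '{key}' is not sanitized")
    return findings


def gate_push(recording_text: str, enabled: bool = CREDSCAN_ON_PUSH) -> tuple:
    """Return (allowed, findings). With the setting off the push is always allowed."""
    if not enabled:
        return True, []
    findings = find_leaks(json.loads(recording_text))
    return not findings, findings


# Constructed sample recording: entry 0 leaks a bearer token and a SAS 'sig',
# entry 1 was sanitized correctly.
SAMPLE_RECORDING = json.dumps({"Entries": [
    {"RequestUri": "https://example.blob.core.windows.net/c/b?sv=2020-08-04&sig=abc123",
     "RequestHeaders": {"Authorization": "Bearer eyJ.constructed.token", "Accept": "*/*"},
     "ResponseHeaders": {"x-ms-request-id": "00000000-0000-0000-0000-000000000000"}},
    {"RequestUri": "https://example.blob.core.windows.net/c/b",
     "RequestHeaders": {"Authorization": PLACEHOLDER}, "ResponseHeaders": {}},
]})

if __name__ == "__main__":
    allowed, found = gate_push(SAMPLE_RECORDING)
    print("push allowed" if allowed else "push blocked:\n  " + "\n  ".join(found))
```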