Inclusion of example JWT in README.md is being flagged by secret scanning
My employer has a Go repository which uses echo-jwt as a dependency, referenced as part of the vendored files in go.mod. The example JWT included in the README.md (both in a sample call and response) is getting flagged as an issue by secret scanning software. We can add an exclusion for this specific JWT as a work-around, but perhaps a documentation update to use a placeholder would also be appropriate?
I assume []byte("secret") is the problematic part? If you propose something that will pass your checks we probably can change it so.
Thanks for the quick reply! The ticket being opened on our side begins:
Finding Name:
HTTP bearer authentication header
Finding Description:
GitHub Advanced security has discovered a secret in the repository "[repository name]" using the secret scanning pattern "HTTP bearer authentication header"
and simply highlights the full JWT text content. I believe more details are here.
I think changing the content of the token to something like YOURTOKEN would resolve the issue.
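To show why the placeholder resolves the alert, here is an added example (not code from the thread or from the echo-jwt project) that mimics a "bearer authentication header" scanner over README text. It assumes the scanner pattern is roughly `Authorization: Bearer <token>` and that a token is only worth flagging when it is structurally a JWT (three base64url segments whose header decodes to JSON with an `alg` member); both sample README excerpts below are constructed for the example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// bearerRe captures the token from an HTTP Authorization header. This is an
// assumed approximation of the scanner's "HTTP bearer authentication header"
// pattern, not the vendor's actual rule.
var bearerRe = regexp.MustCompile(`(?i)Authorization:\s*Bearer\s+([A-Za-z0-9._=-]+)`)

// Finding describes one bearer token located in a document.
type Finding struct {
	Line  int
	Token string
	IsJWT bool // true when the token is a JWS compact serialisation
}

// looksLikeJWT reports whether tok has three base64url segments and a header
// segment that decodes to JSON carrying an "alg" member. This is what separates
// a sample token (eyJ...) from a placeholder such as YOURTOKEN.
func looksLikeJWT(tok string) bool {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return false
	}
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(parts[0], "="))
	if err != nil {
		return false
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(raw, &hdr); err != nil || hdr.Alg == "" {
		return false
	}
	return true
}

// ScanDoc walks a document line by line and returns every bearer token it
// finds, marking the ones that are structurally real JWTs.
func ScanDoc(doc string) []Finding {
	var out []Finding
	for i, line := range strings.Split(doc, "\n") {
		for _, m := range bearerRe.FindAllStringSubmatch(line, -1) {
			out = append(out, Finding{Line: i + 1, Token: m[1], IsJWT: looksLikeJWT(m[1])})
		}
	}
	return out
}

// Constructed README excerpts: one with a realistic example token (header
// {"alg":"HS256","typ":"JWT"}, payload {"name":"Jon"}, fake signature), and
// one using the placeholder suggested in the thread.
const (
	readmeWithToken = "Example call:\n\n" +
		"    curl -H \"Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiSm9uIn0.c2lnbmF0dXJl\" http://localhost:1323/restricted\n"
	readmeWithPlaceholder = "Example call:\n\n" +
		"    curl -H \"Authorization: Bearer YOURTOKEN\" http://localhost:1323/restricted\n"
)

func main() {
	for name, doc := range map[string]string{"token": readmeWithToken, "placeholder": readmeWithPlaceholder} {
		for _, f := range ScanDoc(doc) {
			fmt.Printf("%-11s line %d: token=%q jwt=%v\n", name, f.Line, f.Token, f.IsJWT)
		}
	}
}
```

Run as-is, the excerpt with the sample token yields a finding with `jwt=true`, while `YOURTOKEN` is still matched by the header pattern but fails the JWT structure check, which is the behaviour a placeholder is meant to produce.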
Ok, if it is GitHub then ChatGPT suggests that
If you routinely include such headers in docs, add .github/secret_scanning.yml to auto-close alerts for specific paths (e.g., README or /docs/**):
paths-ignore:
- "README.md"
# or, for all docs:
# - "docs/**"
This will close matching alerts as “ignored by configuration.”
https://docs.github.com/en/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning
PR for .github/secret_scanning.yml would be OK from our side
Thanks again, I have created a PR with the suggested change.
alright, PR is merged, I hope it helps.