
True and false positive.

Open · tmg-pub opened this issue 4 years ago · 1 comment

Hi, thanks for the heads up, and this is a neat service. I got a report about a discord API being exposed, and I assume it's this line in my example configuration file.

# List of Discord webhooks to broadcast updates to.
discord_webhooks:
 - url: "https://discordapp.com/api/webhooks/667885980094562334/eNViZSC-hEAw0a0pavbNJsbgwzLSofVB6MpOsOZD3_8hh4WyQn38kysWuzlcRtsyRNMR"

This is a webhook that I generated, copied, and then revoked—to use as an accurate example the user can see. I don't know how possible it would be to test if a webhook is valid or not, but this would be a true positive in the sense that it was a valid webhook for a moment, but a false positive in that it's not valid.

Have fun. :)

tmg-pub · Jan 18 '20 07:01

Thanks for the note @tmg-pub! Really interesting point about Discord webhooks and False Positives :)

We should add something like this in our documentation:

"It is important to discuss what we call FP. For example, test keys, synthetic keys or keys that were once valid aren’t considered FPs for us. Indeed, from an external point of view, it is hard to tell. Also, we’ve seen allegedly “test” keys being put in production. We try to limit however what we call “example keys”. An example key is a key that contains certain keywords in it like “example”, or a key that appears so many times on GitHub that it cannot be a secret. FPs in our definition are blatant errors, like example keys."

Have fun and take care!

oo-de-lally · Jan 19 '20 04:01
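An added example, not code from this thread or from the scanning service being discussed, showing the distinction the reply draws: a webhook URL found in a config is reported as a candidate secret even if it was later revoked (revocation is not observable from outside), and only "example keys" (a keyword in the value, or a value seen too often across a corpus) are labelled false positives. The URL shape, keyword list, prevalence threshold and sample config are all assumptions constructed for the example.

```python
import re
from collections import Counter

# Discord webhook URLs: /api/webhooks/<numeric id>/<url-safe token>.
# Assumed shape (not from the thread): 17-20 digit id, 50+ url-safe token chars.
DISCORD_WEBHOOK_RE = re.compile(
    r"https://(?:discordapp|discord)\.com/api/webhooks/\d{17,20}/[A-Za-z0-9_-]{50,}"
)

# Assumed heuristics for "example keys" as defined in the reply above:
# a tell-tale keyword in the value, or a value that recurs across a corpus.
EXAMPLE_KEYWORDS = ("example", "sample", "placeholder", "changeme")
PREVALENCE_THRESHOLD = 5  # assumed cutoff; a real scanner would tune this


def find_webhooks(text):
    """Return every Discord webhook URL found in a config/text blob."""
    return DISCORD_WEBHOOK_RE.findall(text)


def classify(url, corpus_counts):
    """'example-key' is a blatant non-secret (an FP by the reply's definition);
    'candidate-secret' is reported even if the webhook was since revoked."""
    if any(k in url.lower() for k in EXAMPLE_KEYWORDS):
        return "example-key"
    if corpus_counts.get(url, 0) >= PREVALENCE_THRESHOLD:
        return "example-key"
    return "candidate-secret"


def scan(text, corpus_counts=None):
    """Return [(url, label)] for every webhook URL in text."""
    counts = corpus_counts if corpus_counts is not None else Counter()
    return [(u, classify(u, counts)) for u in find_webhooks(text)]


# Constructed sample config in the shape of the one posted in the issue;
# neither URL is a real webhook.
SAMPLE_CONFIG = """\
# List of Discord webhooks to broadcast updates to.
discord_webhooks:
 - url: "https://discordapp.com/api/webhooks/123456789012345678/EXAMPLE_EXAMPLE_EXAMPLE_EXAMPLE_EXAMPLE_EXAMPLE_EXAMPLE_EXAMPLE_EXAMPLE"
 - url: "https://discord.com/api/webhooks/987654321098765432/aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789-_aBcDeFgHiJkLmNoPqRsTuVwXyZ012345"
"""

if __name__ == "__main__":
    for url, label in scan(SAMPLE_CONFIG):
        print(label, url)
```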