New check: code is scanning for secrets

[kimsterv]

No description provided.

[mwarkentin]

A check that something like trufflehog (or other secret scanners) are running would be nice:

• https://github.com/dxa4481/truffleHog
• https://github.com/marketplace/actions/trufflehog-actions-scan

[inferno-chromium]

Some examples from Google VRP program, see here - https://docs.google.com/document/d/10GWKW55YD6ZmHcJmQ2ZFu7jv75zyasHvx2O3yyRrfDI/edit

[naveensrinivasan]

Some examples from Google VRP program, see here - https://docs.google.com/document/d/10GWKW55YD6ZmHcJmQ2ZFu7jv75zyasHvx2O3yyRrfDI/edit

Don't have access to the doc.

[laurentsimon]

We may check for the presence of the .gitignore file and check sensitive files like private keys formats and other are listed.
Besides password/private key files, we can also add .bash_history

[laurentsimon]

Note that Github's scanning is enabled by default for public repos.

[laurentsimon]

There's also https://github.blog/2022-12-15-leaked-a-secret-check-your-github-alerts-for-free/, which shows a setting we could use.

[afmarcum]

This feature does not align with the current project focus. If there is no feedback in the next 7 days to the contrary, then this issue will be closed.

[spencerschrock]

Keeping open as there was interest here: #3399

[lucasgonze]

If this can also check for Snyk secret scanning, the output will be less noisy.

[Danajoyluck]

TAC requested adding secret scanning and push protection to the security baseline, ossf/tac#333. This check will be a super helpful verification and audit tool