content/code-security/secret-scanning/secret-scanning-partner-program.md
+8-22
@@ -103,12 +103,12 @@ to validate the messages you receive are genuinely from {% data variables.produc
103
103
104
104
The two HTTP headers to look for are:
105
105
106
-
-`GITHUB-PUBLIC-KEY-IDENTIFIER`: Which `key_identifier` to use from our API
107
-
-`GITHUB-PUBLIC-KEY-SIGNATURE`: Signature of the payload
106
+
-`Github-Public-Key-Identifier`: Which `key_identifier` to use from our API
107
+
-`Github-Public-Key-Signature`: Signature of the payload
108
108
109
109
You can retrieve the {% data variables.product.prodname_dotcom %} secret scanning public key from https://api.github.com/meta/public_keys/secret_scanning and validate the message using the `ECDSA-NIST-P256V1-SHA256` algorithm. The endpoint
110
110
will provide several `key_identifier` and public keys. You can determine which public
111
-
key to use based on the value of `GITHUB-PUBLIC-KEY-IDENTIFIER`.
111
+
key to use based on the value of `Github-Public-Key-Identifier`.
112
112
113
113
{% note %}
114
114
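Review bot: the renamed headers in the two list items and in the "key to use based on the value of `Github-Public-Key-Identifier`" sentence differ from the old names only in letter case, and the text never tells the reader that the lookup must be case-insensitive. HTTP field names are case-insensitive and many servers and frameworks normalize them before the application sees them, so a partner who compares the raw name against this exact spelling can miss the header and end up failing or skipping signature validation. Suggest adding a sentence after the list stating that the header names are case-insensitive and should be read through the framework's case-insensitive accessor. If the new casing is meant to mirror what is sent on the wire, say that too, since `Github` otherwise reads as a misspelling of the product name.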
@@ -128,28 +128,14 @@ key to use based on the value of `GITHUB-PUBLIC-KEY-IDENTIFIER`.
The following code snippets demonstrate how you could perform signature validation.
154
140
The code examples assume you've set an environment variable called `GITHUB_PRODUCTION_TOKEN` with a generated [{% data variables.product.pat_generic %}](https://github.com/settings/tokens) to avoid hitting rate limits. The {% data variables.product.pat_generic %} does not need any scopes/permissions.