Hello Developer Community! I am Srivathsav from the Atlassian Marketplace Security team. I would like to make an announcement about Ecoscanner’s new capabilities.
As a part of our ongoing commitment to build trust with customers, Atlassian has launched new capabilities for Ecoscanner, which include the ability to scan Data Center apps on the Marketplace for hardcoded secrets and potential malware.
These previously announced features are a significant improvement to prior iterations of Ecoscanner, which were limited to cloud apps.
Partners with Partner Portal access can view the full announcement in the Partner Portal blog. Refer to the Atlassian Community post here.
Thank you for reaching out, @jens. We built our internal secret scanning solution using open-source secret detectors like trufflehog. Additionally, we validate detected secrets to avoid false positives. You can try out trufflehog or git-secrets to scan for such secrets yourselves.
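To make the two-step approach in the reply above concrete (open-source style detectors first, then a validation pass to drop false positives before anything is reported), here is an added, self-contained illustration. It is not Ecoscanner, trufflehog or git-secrets code; the detector patterns, the entropy cut-off and the placeholder allow-list are assumptions chosen for the demo, and the archive it scans is constructed inline to stand in for a Data Center app JAR. Real validation of a detected credential against the issuing service is deliberately left out; only the cheap local checks are shown.

```python
"""Minimal hardcoded-secret scanner for a JAR/ZIP-style app archive.

Added illustration only: not Atlassian's Ecoscanner and not trufflehog.
Patterns, thresholds and the placeholder list below are assumptions.
"""
from __future__ import annotations

import io
import math
import re
import zipfile
from dataclasses import dataclass

# Assumed detector patterns. AWS access key IDs have a fixed prefix and length;
# the generic detector catches assignments such as  api_key = "..."  in config files.
DETECTORS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_api_key": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([A-Za-z0-9_\-/+=]{16,})['\"]"
    ),
}

# Assumed allow-list of fragments that mark documentation/sample values, never real secrets.
PLACEHOLDER_MARKERS = ("EXAMPLE", "CHANGEME", "YOUR_", "XXXX", "<", ">")
ENTROPY_THRESHOLD = 3.0  # bits per character; assumed cut-off for "random-looking" strings


@dataclass(frozen=True)
class Finding:
    path: str       # entry inside the archive
    line: int       # 1-based line number within that entry
    detector: str   # which detector fired
    value: str      # redacted match, safe to put in a report


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep only a prefix/suffix so a report never re-leaks the secret."""
    return value[:4] + "..." + value[-2:]


def looks_like_real_secret(detector: str, value: str) -> bool:
    """Local validation pass that suppresses obvious false positives.

    A production validator would additionally test the credential against the
    issuing service; that network step is intentionally omitted here.
    """
    upper = value.upper()
    if any(marker in upper for marker in PLACEHOLDER_MARKERS):
        return False
    if detector == "private_key_block":
        return True  # the PEM header itself is strong evidence
    return shannon_entropy(value) >= ENTROPY_THRESHOLD


def scan_text(text: str, path: str) -> list[Finding]:
    """Run every detector over each line and keep only validated matches."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in DETECTORS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if looks_like_real_secret(name, value):
                    findings.append(Finding(path, lineno, name, redact(value)))
    return findings


def scan_archive(data: bytes) -> list[Finding]:
    """Scan every file entry in a ZIP/JAR held in memory (binary entries are decoded leniently)."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            findings.extend(scan_text(text, info.filename))
    return findings


def build_sample_jar() -> bytes:
    """Constructed sample archive: two placeholders (should be dropped) and two real hits."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("atlassian-plugin.xml", '<atlassian-plugin key="com.example.demo"/>\n')
        zf.writestr(
            "config/app.properties",
            "aws.key=AKIAIOSFODNN7EXAMPLE\n"                 # AWS documentation placeholder
            'api_key = "CHANGEME_CHANGEME_CHANGEME"\n'      # obvious placeholder
            'token = "q7Rk2Lp9ZxW4mN8vB1cD6fH3"\n',          # constructed random-looking value
        )
        zf.writestr("keys/deploy.pem", "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_archive(build_sample_jar()):
        print(finding)
```

Running the block reports two findings (the constructed token on line 3 of config/app.properties and the PEM header in keys/deploy.pem) and silently drops the two placeholders, which is exactly the release-time surprise a validation pass is meant to avoid; swap in your own detector set and allow-list to approximate whatever a given scanner flags.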
I would just like to second @jens's request that the solution Atlassian actually uses be considered for open-sourcing, or in some way made available to Marketplace partners themselves.
We can run trufflehog, but it will inevitably give different results from Atlassian’s scanners, and, as jens mentioned, we want to avoid release-time surprises from false positives.