We would like to scan artifacts in our Sonatype Nexus Repository (OSS 3.70.1-02, not PRO) for sensitive content to find things that our on-prem developers might have left in source code inadvertently - for example, any credentials like client IDs, client secrets, passwords, or private keys.
Does anyone have a recommendation for a strategy that might support this effort? At present the best solution I have is to individually submit JARs, WARs ZIPs etc to an external service for which we’re licensed – manually. Given the number of releases we have, that’s very impractical.
Hello George, I am doing something very similar in my project. I am implementing a plugin, that pushes the content from NXRM3 to Maven Central and prior the push it scans the artifacts for rules mandatory for Maven Central artifacts.
While you need to have different set of tests, you may get the inspiration how I crawl the content. I originally supported both Postgres and OrientDB configurations (thus the split to multiple jars).
In my case I am tagging the faulty artifacts, which you can not do with OSS version, but you can still log the problems and possibly do other actions with that.