Scripts for finding accidental secrets in the repo.

This adds the following:
- A detect-secrets dependency and a related script
  (`script/detect_secrets`) to find and alert developers to secrets
  added to the code. By default, the script will search staged and new,
  unstaged files. It can optionally search only staged files.
- A whitelist, `.secrets.baseline`, that tracks instances of secrets or
  false positives already in the repo.
- Modifies `script/test` to detect secrets as part of the test suite.
- Updates to the README regarding the use of detect-secrets.
dandds
2019-08-09 08:55:51 -04:00
parent a941cca5e6
commit 2a0168b1e6
6 changed files with 313 additions and 7 deletions


@@ -256,3 +256,38 @@ location /login-dev {
```
The location block will require the same proxy pass configuration as other location blocks for the app.
## Secrets Detection
This project uses [detect-secrets](https://github.com/Yelp/detect-secrets) to help prevent secrets from being checked into source control. Secret detection is run automatically as part of `script/test` and can be run separately with `script/detect_secrets`.
If you need to check in a file that raises false positives from `detect-secrets`, you can add it to the whitelist. Run:
```
pipenv run detect-secrets scan --update .secrets.baseline
```
and then:
```
pipenv run detect-secrets audit .secrets.baseline
```
The audit will open an interactive prompt where you can whitelist the file. This is useful if you're checking in an entire file that looks like or is a secret (like a sample PKI file).
Alternatively, you can add a `# pragma: allowlist secret` comment to the line that raised the false positive. See the [detect-secret](https://github.com/Yelp/detect-secrets#inline-allowlisting) docs for more information.
It's recommended that you add a pre-commit hook to invoke `script/detect_secrets`. Add the example below or something equivalent to `.git/hooks/pre-commit`:
```
#!/usr/bin/env bash
if ./script/detect_secrets staged; then
echo "secrets check passed"
else
echo -e "**SECRETS DETECTED**"
exit 1
fi
```
Also note that if the line number of a previously whitelisted secret changes, the whitelist file, `.secrets.baseline`, will be updated and needs to be committed.
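Review bot: in the pre-commit hook example, `echo -e "**SECRETS DETECTED**"` passes `-e` for a string that contains no escape sequences; a plain `echo "**SECRETS DETECTED**"` does the same thing and behaves consistently across `sh` and `bash`. Two smaller points in the same section: the link text `[detect-secret]` in the inline-allowlisting sentence is missing the trailing `s` of the project name, and the text alternates between "whitelist" and the tool's own term "allowlist" (the pragma is `# pragma: allowlist secret`), so picking one term would make the `.secrets.baseline` workflow easier to follow. It would also help to state that `.git/hooks/pre-commit` is local to each clone and not versioned, so the hook must be installed by every developer, and that a failing `script/test` only blocks new secrets; anything already committed remains in history until rotated.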