Scripts for finding accidental secrets in the repo.

This adds the following:
- A detect-secrets dependency and a related script
  (`script/detect_secrets`) to find and alert developers to secrets
  added to the code. By default, the script will search staged and new,
  unstaged files. It can optionally search only staged files.
- A whitelist, `.secrets.baseline`, that tracks instances of secrets or
  false positives already in the repo.
- Modifies `script/test` to detect secrets as part of the test suite.
- Updates to the README regarding the use of detect-secrets.

script/detect_secrets

@@ -0,0 +1,43 @@
+#! .venv/bin/python
+import subprocess
+import sys
+
+from detect_secrets.pre_commit_hook import main as find_secrets
+
+
+TRACKED_CHANGES = ["git", "diff", "HEAD", "--name-only"]
+STAGED_CHANGES = ["git", "diff", "--cached", "--name-only"]
+UNTRACKED_CHANGES = ["git", "ls-files", "--others", "--exclude-standard"]
+
+
+def git_file_list(cmd):
+    comproc = subprocess.run(cmd, capture_output=True)
+    return [f.decode() for f in comproc.stdout.split()]
+
+
+def git_staged_files():
+    return git_file_list(STAGED_CHANGES)
+
+
+def git_all_files():
+    return git_file_list(TRACKED_CHANGES) + git_file_list(UNTRACKED_CHANGES)
+
+
+def main(arg):
+    """
+    If `arg` is "staged", this will only check files that have been
+    staged to the git index. Otherwise, it will check staged and
+    unstaged files.
+    """
+    files = []
+    if arg == "staged":
+        files = git_staged_files()
+    else:
+        files = git_all_files()
+
+    return find_secrets(["--baseline", ".secrets.baseline"] + files)
+
+
+if __name__ == "__main__":
+    arg = sys.argv[1] if len(sys.argv) > 1 else None
+    sys.exit(main(arg))

script/test

@@ -24,5 +24,8 @@ RUN_JS_TESTS="true"
 # Check python formatting
 source ./script/format check
 
+# Check for secrets
+./script/detect_secrets
+
 # Run the shared test script
 source ./script/include/run_test