This adds the following: - A detect-secrets dependency and a related script (`script/detect_secrets`) that finds secrets added to the code and alerts developers. By default, the script searches staged files together with new (untracked) and unstaged files; it can optionally search only staged files. - A whitelist, `.secrets.baseline`, that tracks instances of secrets or false positives already present in the repo. - A change to `script/test` so that detecting secrets is part of the test suite. - Updates to the README on the use of detect-secrets.
#! .venv/bin/python
import subprocess
import sys
from detect_secrets.pre_commit_hook import main as find_secrets
# Tracked files that differ from HEAD: this covers both staged and unstaged
# modifications of files git already knows about.
TRACKED_CHANGES = "git diff HEAD --name-only".split()

# Only what is currently in the index, i.e. what the next commit would contain.
STAGED_CHANGES = "git diff --cached --name-only".split()

# New files not yet added to the index; --exclude-standard honours .gitignore
# (and the other standard exclude files) so ignored files are not scanned.
UNTRACKED_CHANGES = "git ls-files --others --exclude-standard".split()
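def git_file_list(cmd):
    """Run a git command that prints one path per line and return the paths.

    Args:
        cmd: argv list for the git invocation (see the ``*_CHANGES``
            constants at module level).

    Returns:
        list[str]: one entry per non-empty output line, in git's order.
        Output is split on line boundaries rather than on arbitrary
        whitespace, so a path containing spaces stays a single entry
        instead of becoming several non-existent paths that the secret
        scan would then skip.

    Raises:
        subprocess.CalledProcessError: if the command exits non-zero (for
            example when not run inside a git work tree). For a secrets
            gate this must be loud: a failed git call must not be mistaken
            for "no files to scan", which would let the check pass with
            nothing examined.

    NOTE(review): git may still quote paths with unusual characters
    (core.quotePath); NUL-separated output (``-z``) would be more robust —
    TODO consider once the command constants can carry it.
    """
    completed = subprocess.run(cmd, capture_output=True, check=True)
    # Decode each line individually, matching the original per-entry decode.
    return [line.decode() for line in completed.stdout.splitlines() if line]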
def git_staged_files():
    """Return the paths of files currently staged in the git index."""
    staged = git_file_list(STAGED_CHANGES)
    return staged
def git_all_files():
    """Return tracked files changed relative to HEAD plus untracked files.

    Tracked changes (staged or not) come first, followed by new files that
    have not been added to the index; ignored files are left out because
    the untracked listing uses ``--exclude-standard``.
    """
    tracked = git_file_list(TRACKED_CHANGES)
    untracked = git_file_list(UNTRACKED_CHANGES)
    return [*tracked, *untracked]
def main(arg):
    """Run detect-secrets over the files that have changed in the work tree.

    If `arg` is "staged", only files staged in the git index are checked;
    any other value (including None) checks staged and unstaged changes
    plus untracked files. The scan is run against the `.secrets.baseline`
    whitelist, and the result of the detect-secrets hook is returned so
    the caller can use it as the process exit status.

    NOTE(review): the baseline path is relative to the current working
    directory — presumably this is always invoked from the repository
    root; confirm against script/test.
    """
    selected = git_staged_files() if arg == "staged" else git_all_files()
    return find_secrets(["--baseline", ".secrets.baseline", *selected])
if __name__ == "__main__":
    # At most one positional argument is honoured; "staged" narrows the scan.
    argv = sys.argv[1:]
    sys.exit(main(argv[0] if argv else None))