Doesn't seem to work

[retr0h]

I'm having a hard time understanding how to use this. I have a branch with some known passwords. They are properly reported when running scan and the baseline has been created.

I switch into a different branch which has new password. Running the pre-commit hook against the baseline does not report the new password. However, if I run scan in the new branch, it does indeed identify the password.

Obviously, I am doing something wrong. Is there a way I can simply run detect-secrets w/o the commit hook. I was hoping to run this in CI as a pre-commit as well, w/o needing detect-secrets-server.

[domanchi]

Hi @retr0h,

Can you post some code snippets so that we can reproduce your issue on our end? It's very hard to debug what's wrong without referencing specific examples.

[retr0h]

@domanchi here you go

https://github.com/retr0h/detect-secrets-192

I'm simply wanting a way to ensure the new passwords that get added are found. I assumed if a new password was found and wasn't in baseline, I would be notified of this. I was looking to run the pre-commit hook, and also as a premerge gate job with tox.

[domanchi]

Looking at your repro steps in https://github.com/retr0h/detect-secrets-192/blob/master/README.md, my reckoning is that you need to run the correct invocation of the detect-secrets-hook. Assuming you modified docker-compose-base.yaml and trying to commit it, you would run:

$ detect-secrets-hook --baseline .secrets.baseline docker-compose-base.yaml

This hook was initially designed to be compatible with https://pre-commit.com/, and that engine essentially passes all staged files as arguments to the hook.

[retr0h]

@domanchi thank you. Looks like I could compare against non-staged files as well with:

detect-secrets-hook --baseline .secrets.baseline $(git ls-files)