PLATFORM-3565: add detect-secrets formula #13
This looks correct in terms of adding to the formulas in the repo but I was a bit confused on the context. I ended up following through some of those links in your description and hit this one: https://github.com/artsy/potential/pull/414. And this really helped me understand the problem:
So we have modified the formula temporarily so that we can use If I'm understanding correctly then while we're in this temporary state we essentially have a fork of the official version and it would be a manual process of checking on the official one for updates and then applying those changes here, right? Seems somewhat risky? Maybe we merge this and set a reminder to revisit in a month or so? Wishing there was a better way here.
Yeah, that is exactly right. To expand a bit more on that, if we keep it in potential and use the
Yep, unfortunately this is the case and if not for that bug with I agree, having a reminder would help with keeping on top of this 👍. Going to look into this and thanks for suggesting. RE: IBM fork. I haven't looked into it much lately but I probably should revisit. I wonder if they have a brew package... IIRC the only way to use it was to install via pip and this is not ideal and something we are actively trying to avoid.
Ok thanks for writing this up, really helpful context! I'm going to merge this and we can retro on how this went as time passes. This
FYI - there has been some recent discussion towards the continued maintenance of detect-secrets. There's even an open PR that addresses the bug this formula works around. There is also the project Gitleaks (sponsored by Tines) that we might consider switching to if the maintenance issue persists. Looks like it was recently integrated into GitLab as part of a "secret detection" feature (source). One meta question - what's the best way to remind ourselves to check in on this in the future? Slack channel reminder?
@dblandin 👋, thanks for looking into this and for presenting alternatives as well! To answer the meta question, there is a reminder created in #product-platform that helps us keep an eye on this open issue. I will take a closer look at the gitleaks tool and how it works but after a quick look at the repo, I wasn't able to determine if the gitleaks tool provides a similar feature to detect-secrets baseline file, which I believe was one of the (key) features that we liked about (detect-secrets) tool when deciding on which tool to adopt. Do you happen to know if gitleaks offers something similar?
https://artsyproduct.atlassian.net/browse/PLATFORM-3565
As part of piloting a new process for `detect-secrets` it would be really helpful if instead of having to direct contributors to https://github.com/artsy/potential to install the modified formula we could just run `brew install ...` which would streamline rolling this tool out across the org.