feat: prevent secrets from leaking to source control #1373
Conversation
I do not yet understand the userstory / use case behind this. Can you describe your motivation @lirantal? |
Hi @DanielRuf, the context is outside of this website; I'm not sure whether you received an invitation link, cc: @lirantal ? |
I did a first try; I have already delivered my outcome. We are testing this deeply. |
Not that I am aware of. Did I miss something? |
@DanielRuf this is related to the conversation we had on Twitter DM with regards to the open source security program. Let's continue chatting for more context. Do you feel this PR description, as-is, still misses on context? What else should I add? |
I tested this deeply, under the following environments:
- Windows, no Docker, no Python.
- Mac, Docker and Python installed.
- Mac, Docker installed but shut down, and Python installed (it should fail).
- Mac, only Python installed.
Thanks @lirantal for this, it is gonna be a nice addition.
Type: Feature
The following has been addressed in the PR:
Description:
Adds support through `detect-secrets`, which wraps Yelp's generic detect-secrets tool, to test for secrets being committed to source control using the pre-commit framework the project already has, and as a result prevent secrets like passwords, tokens and others from leaking into source control. The `detect-secrets` npm package will try different methods of invoking the `detect-secrets-hook` tool to run the secrets test for each file, and if it isn't able to find it, it will silently fail so as not to interrupt the developer workflow. In a future revisit of this capability we can update this to be a breaking change and fail the commit (or perhaps fail the CI, which might be a bit late, but better than never).