feat(security): prevent secrets from leaking to source control #59
@boyney123 I updated this PR to include the newest version of detect-secrets and the secrets baseline
Looks great @lirantal, sorry it's taken so long to look at! Just reviewing now, how can I run this locally to verify it?
@boyney123 fetch this branch locally, run an install to pull the required libraries introduced here so you have them installed, and then try to change a JS file in the project, add to it something suspicious like

The secrets detection will only kick in if you have that python lib installed, or docker so it can pull an image for it. Otherwise it's going to silently fail to not disturb developers/contributors on this project.
Yay 🎉 Indeed I only added it specifically to the server project as an early PR. How about we merge so we can push this in without being too far from master's tip and then I'll send another PR to include the client/ project as well? What is the 3rd project? :-)
Yeah that sounds great. There is:
I will merge this in soon (I'll get a minor release out and document the change :) )
Sounds good @boyney123
* 1.2.0 (#62)
* Update changelog for 1.2.0
* feat(security): prevent secrets from leaking to source control (#59)
* feat(security): prevent secrets from leaking to source control
* chore: update lint-staged package to use v9
* fix: update versions
* fix(security): add secrets baseline
* 🚧 Added two extra status codes
* ✅ Unit checks now validate options groups
* 🚧 Label is only visible as a label attribute

* Update changelog for 1.2.0
* Fix/#2 status codes (#65)
* 1.2.0 (#62)
* Update changelog for 1.2.0
* feat(security): prevent secrets from leaking to source control (#59)
* feat(security): prevent secrets from leaking to source control
* chore: update lint-staged package to use v9
* fix: update versions
* fix(security): add secrets baseline
* 🚧 Added two extra status codes
* ✅ Unit checks now validate options groups
* 🚧 Label is only visible as a label attribute
* Update changelog for 1.2.1
* fix(security): clean up markdown (#64)
* Update changelog for 1.2.1
What:
Detect secrets when files are committed so we can prevent these from leaking into source control.

Why:
Adds support through detect-secrets, which wraps Yelp's generic detect-secrets tool, to test for secrets being committed to source control using the pre-commit framework the project already has, and as a result prevent secrets like passwords, tokens and others from leaking into source control.

How:
Introduce husky, lint-staged and the detect-secrets tool to create pre-commit hooks which will run the detect-secrets-launcher tool to detect secrets in files being committed.

The detect-secrets npm package will try different methods of invoking the detect-secrets-hook tool to run the secrets test for each file, and if it isn't able to find it, it will silently fail so as not to interrupt developer workflow. In a future revisit of this capability we can update this to be a breaking change and fail the commit (or perhaps fail the CI, which might be a bit late, but better than never).

Checklist:
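An added illustration of the package.json wiring the description outlines, not a file from this PR or from the project: husky registers the Git pre-commit hook, lint-staged (v9 config format, as in the merged commit) hands each staged JS file to detect-secrets-launcher, and the launcher checks findings against the baseline file the thread mentions. The `--baseline .secrets.baseline` argument, the `*.js` glob and the version ranges are assumptions; the launcher's silent fallback when neither the Python tool nor Docker is available is the behaviour described above, so a missing tool shows up as an unblocked commit rather than an error.

```json
{
  "husky": {
    "hooks": {
      "pre-commit": "lint-staged"
    }
  },
  "lint-staged": {
    "*.js": [
      "detect-secrets-launcher --baseline .secrets.baseline"
    ]
  },
  "devDependencies": {
    "detect-secrets": "^1.0.0",
    "husky": "^3.0.0",
    "lint-staged": "^9.0.0"
  }
}
```

To confirm the hook is active rather than silently skipped, stage a file containing an obviously fake high-entropy string and check that the commit is rejected; a commit that goes through means the Python package or Docker was not found on the machine.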