This article will introduce you to a tool called detect-secrets that can help protect you from accidentally leaking sensitive information in your code repositories.
It is crucial to ensure that confidential data such as passwords and private keys are protected when working on software development projects. Nevertheless, there is a risk of unintentionally exposing this information by committing it to a code repository, where anyone with access to the repository can read it. Hence, it is vital to implement precautions to prevent such data breaches.
What is detect-secrets?
detect-secrets is an open-source tool that can scan files within a repository for potentially sensitive information, such as private keys, API keys, passwords, or other sensitive data. It works by analyzing code for patterns that match certain types of secrets and alerts developers if any are found.
To use detect-secrets, you'll need to have pipx and pre-commit installed.
pipx is a tool for managing Python applications that are installed globally, but isolated from the system Python environment. This helps ensure that different applications don't interfere with each other. Install it as follows:
```shell
python3 -m pip install --user pipx
```

pre-commit is a tool for setting up and managing pre-commit hooks in your code repository. Pre-commit hooks are scripts that run before committing code, allowing you to catch issues before they're committed to the repository. Install it as follows:
```shell
pipx install pre-commit
```

Install detect-secrets as follows:
```shell
pipx install detect-secrets
```

Run the following command to scan your code repository for sensitive information and create a baseline file. This file will contain a list of known secrets for your repository:
```shell
detect-secrets scan > .secrets.baseline
```

Check the generated `.secrets.baseline` file thoroughly. If any real secrets are listed there, remove them from the code. Otherwise, mark each detected entry as verified by setting `is_verified: true`.
Example `.secrets.baseline` file:
```json
{
  "results": {
    "README.rst": [
      {
        "type": "Secret Keyword",
        "filename": "README.rst",
        "hashed_secret": "077d5a0e0f8bb517307a6e92a73b0a9aa959233c",
        "is_verified": true,
        "line_number": 311
      }
    ],
    "project/settings.py": [
      {
        "type": "Secret Keyword",
        "filename": "project/settings.py",
        "hashed_secret": "2e56b31925af569c194d2cc738d1f1bc22b63df0",
        "is_verified": true,
        "line_number": 68
      }
    ]
  },
  "generated_at": "2023-01-06T00:15:43Z"
}
```

Add the following lines to your `.pre-commit-config.yaml` to include the detect-secrets hook. This will automatically run detect-secrets on your code before each commit, so you can catch any new secrets that have been accidentally added:
```yaml
- repo: https://github.com/Yelp/detect-secrets
  rev: v1.4.0
  hooks:
    - id: detect-secrets
      name: Detect secrets
      language: python
      entry: detect-secrets-hook
      args: ['--baseline', '.secrets.baseline']
```

Example `.pre-commit-config.yaml` file:
```yaml
exclude: "^/migrations/"
default_stages: [ commit, push ]
default_language_version:
  python: python3
repos:
  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.4.0
    hooks:
      - id: detect-secrets
        name: Detect secrets
        language: python
        entry: detect-secrets-hook
        args: ['--baseline', '.secrets.baseline']
```

Now that you've created a baseline file, you need to integrate detect-secrets into your workflow. To activate pre-commit in your repository, run the following command:
```shell
pre-commit install
```

Once you've done that, the hook runs on every commit and flags any detected secret that is not already listed in the baseline.
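To make the baseline mechanism concrete, here is an added Python example (not code from detect-secrets or from the original article) that mimics the workflow above on constructed sample files: a simplified "Secret Keyword" detector produces baseline-style findings, each finding stores only a SHA-1 of the matched value (detect-secrets also records a `hashed_secret` rather than the secret itself), and a hook-style check reports only findings whose file and hash are absent from an existing baseline. The detector regex, the function names and the sample repository contents are assumptions made for this illustration; the real plugin covers far more patterns.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# Hypothetical, simplified "Secret Keyword" detector: matches assignments such as
# password = "..." or API_KEY: '...'. The real detect-secrets plugin is much broader.
KEYWORD_RE = re.compile(
    r"""(?i)(password|passwd|secret(?:[_-]?key)?|api[_-]?key|token)\s*[:=]\s*['"]([^'"]{4,})['"]"""
)


def hash_secret(secret: str) -> str:
    """Store a SHA-1 digest, never the secret itself, exactly as the baseline does."""
    return hashlib.sha1(secret.encode("utf-8")).hexdigest()


def scan_file(filename: str, text: str) -> list:
    """Return baseline-style findings for the contents of one file."""
    findings = []
    for line_number, line in enumerate(text.splitlines(), start=1):
        match = KEYWORD_RE.search(line)
        if match:
            findings.append({
                "type": "Secret Keyword",
                "filename": filename,
                "hashed_secret": hash_secret(match.group(2)),
                "is_verified": False,  # a human sets this during review
                "line_number": line_number,
            })
    return findings


def build_baseline(files: dict) -> dict:
    """Equivalent of `detect-secrets scan`: findings grouped by filename."""
    results = {}
    for filename, text in files.items():
        findings = scan_file(filename, text)
        if findings:
            results[filename] = findings
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"results": results, "generated_at": stamp}


def new_secrets(baseline: dict, files: dict) -> list:
    """Equivalent of the pre-commit hook: report findings not already in the baseline."""
    known = {
        (entry["filename"], entry["hashed_secret"])
        for entries in baseline["results"].values()
        for entry in entries
    }
    return [
        finding
        for filename, text in files.items()
        for finding in scan_file(filename, text)
        if (finding["filename"], finding["hashed_secret"]) not in known
    ]


# Constructed sample repository contents; the values are placeholders, not real credentials.
REPO_V1 = {
    "project/settings.py": 'DEBUG = False\nSECRET_KEY = "sample-placeholder-key-1234"\n',
    "README.rst": "Install with pip.\n",
}
# A later revision that adds one more hard-coded credential.
REPO_V2 = dict(REPO_V1)
REPO_V2["project/settings.py"] += 'DB_PASSWORD = "another-placeholder-5678"\n'

if __name__ == "__main__":
    baseline = build_baseline(REPO_V1)
    print(json.dumps(baseline, indent=2))
    for finding in new_secrets(baseline, REPO_V2):
        print(f"NEW secret: {finding['filename']}:{finding['line_number']} ({finding['type']})")
```

Running the script prints a baseline with one entry for `project/settings.py` and then reports the `DB_PASSWORD` line as new, which is exactly the situation in which the real hook would stop the commit; once a reviewed finding is in the baseline, re-running the check against the same revision reports nothing.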
Remember, though, that this tool is only one part of a comprehensive security strategy. Be sure to follow best practices for code security, such as:
- Using strong passwords and private keys.
- Limiting access to sensitive information only to those who need it.
- Encrypting sensitive information in transit and at rest.
- Regularly reviewing and updating security policies and procedures.