Skip to content

A developer-friendly secrets detection tool for CI and pre-commit hooks based on Yelp's detect-secrets

License

Notifications You must be signed in to change notification settings

lirantal/detect-secrets

Repository files navigation

detect-secrets

A developer-friendly secrets detection tool for CI and pre-commit hooks

npm version license downloads build codecov Known Vulnerabilities Security Responsible Disclosure

About

The detect-secrets npm package is a Node.js-based wrapper for Yelp's detect-secrets tool that aims to provide an accessible and developer-friendly method of introducing secrets detection in pre-commit hooks.

Yelp's detect-secrets is based on Python and requires explicit installation from developers. Moreover, its installation may be challenging in different operating systems. detect-secrets aims to alleviate this challenge by:

  1. Attempt to locate Yelp's detect-secrets tool, and if it exists in the path to execute it.

If it fails it continues to:

  1. Attempt to locate the docker binary and if it exists it will download and execute the docker container for lirantal/detect-secrets which has Yelp's detect-secrets inside the image.

If this fails as well:

  1. Exit with a warning message

--

The above described fallback strategy is used to find an available method of executing the detect-secrets tool to protect the developer from leaking secrets into source code control.

Install

npm install --save detect-secrets

This will expose detect-secrets-launcher Node.js executable file.

Another way to invoke it is with npx which will download and execute the detect-secrets wrapper on the fly:

npx detect-secrets [arguments]

Usage

If you're using husky to manage pre-commit hooks configuration, then enabling secrets detection is as simple as adding another hook entry.

"husky": {
    "hooks": {
      "pre-commit": "detect-secrets-launcher src/*"
    }
  }

If you're using husky and lint-staged to manage pre-commit hooks configuration and running static code analysis on staged files, then enabling secrets detection is as simple as adding another lint-staged entry.

A typical setup will look like this as an example:

"husky": {
  "hooks": {
    "pre-commit": "lint-staged"
  },
},
"lint-staged": {
  "linters": {
    "**/*.js": [
      "detect-secrets-launcher --baseline .secrets-baseline"
    ]
  }
}

If you're not using a baseline file (it is created using Yelp's server-side detect-secrets tool) then you can simply omit this out and keep it as simple as detect-secrets-launcher.

Example

To scan the index.js file within a repository for the potential of leaked secrets inside it run the following:

detect-secrets-launcher index.js

Note that index.js has to be staged and versioned control. Any other plain file that is not known to git will not be scanned.

Contributing

Please consult CONTIRBUTING for guidelines on contributing to this project.

Author

detect-secrets © Liran Tal, Released under the Apache-2.0 License.

About

A developer-friendly secrets detection tool for CI and pre-commit hooks based on Yelp's detect-secrets

Topics

Resources

License

Code of conduct

Stars

Watchers

Forks

Packages

No packages published