Standardize secrets detection to use script-based approach #102
jordanpadams wants to merge 3 commits into
Replace inline slim-detect-secrets hook and duplicated --exclude-files args with scripts/detect_secrets_baseline.sh, which centralizes all scan logic and reads per-repo exclusions from .detect-secrets-ignore. Adds scripts/requirements.txt so Java repos can install detect-secrets and pre-commit with a single pip install -r scripts/requirements.txt. Closes #101 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
| }, | ||
| { | ||
| "name": "EmailAddressDetector" | ||
| "name": "GitHubTokenDetector" |
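Review bot: dropping EmailAddressDetector from the plugin list in .secrets.baseline means e-mail addresses are no longer among what this baseline scans for, while README.md at R98 still advertises "email addresses" as an example of detected secrets; keep the detector or adjust that README wording so the documentation matches the configured detectors.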
See the R98 comment on README.md; the EmailAddressDetector is removed, but the README mentions "…secrets (email addresses, passwords, API keys, etc.)".
Either EmailAddressDetector has to come back, or the "email addresses" needs to go from the README.
| ``` | ||
|
|
||
| #### 🪝 Pre-Commit Hooks | ||
| Make a baseline for any secrets (email addresses, passwords, API keys, etc.) in the repository: |
See the R27 comment on .secrets.baseline; the EmailAddressDetector is removed, but the README mentions "…secrets (email addresses, passwords, API keys, etc.)".
Either EmailAddressDetector has to come back, or the "email addresses" needs to go from the README.
Updated in e36cacb: README now removes “email addresses” from the secrets examples so it aligns with the current detectors in .secrets.baseline.
nutjob4life left a comment
Excelsior! Thanks for this @jordanpadams; this is a great improvement to secrets detection.
I heartily approve.
I did have two minor interspersed comments (cf.), but they don't stand in the way of approval to me.
🗒️ Summary
Replaces the inline slim-detect-secrets pre-commit hook and duplicated --exclude-files argument lists with a centralized scripts/detect_secrets_baseline.sh script. Per-repo file exclusions now live in .detect-secrets-ignore (one regex per line). Adds scripts/requirements.txt so Java repo contributors can install detect-secrets and pre-commit with a single pip install -r scripts/requirements.txt.
Files changed:
scripts/detect_secrets_baseline.sh — new script (scan / audit / check modes); Java-specific global excludes (target/)
scripts/requirements.txt — new; pins detect-secrets~=1.5.0 and pre-commit~=3.3.3
.detect-secrets-ignore — new per-repo exclusion file
.pre-commit-config.yaml — replaced remote slim-detect-secrets hook with local script hook
.github/workflows/secrets-detection.yaml — simplified to pip install -r scripts/requirements.txt + run script; fails fast if .secrets.baseline is missing
README.md — updated Secrets Detection and Pre-Commit sections to use script commands and scripts/requirements.txt
🤖 AI Assistance Disclosure
Estimated % of code influenced by AI: 90 %
⚙️ Test Data and/or Report
The script logic mirrors the existing pattern used in cloud-tools, en-ops-utils, and template-repo-python (NASA-PDS/template-repo-python#146), which have been running this approach in production. The Java-specific adjustment is the global target/ exclude in place of Python-specific excludes.
♻️ Related Issues
Fixes #101
See also sister PR in template-repo-python: NASA-PDS/template-repo-python#146
🤓 Reviewer Checklist
Reviewers: Please verify the following before approving this pull request.
Documentation and PR Content
Security & Quality
Testing & Validation
Maintenance
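The structure the PR describes for the wrapper script (reading one regex per line from .detect-secrets-ignore, a Java-specific target/ global exclude, scan/audit/check modes, failing fast when .secrets.baseline is missing), as an added POSIX sh example that is not the PR's own scripts/detect_secrets_baseline.sh. The exact detect-secrets command lines, variable names and the sample regexes are assumptions.

```shell
#!/usr/bin/env sh
# Added example, not the PR's own scripts/detect_secrets_baseline.sh: the
# structure it is described as having. Names and regexes are assumptions.
set -eu
BASELINE="${BASELINE:-.secrets.baseline}"
IGNORE_FILE="${IGNORE_FILE:-.detect-secrets-ignore}"  # one regex per line
GLOBAL_EXCLUDE='^target/'                             # Java build output

# Print one "--exclude-files '<regex>'" per line: the global exclude first,
# then every non-blank, non-comment line of the per-repo ignore file.
build_exclude_args() {
  printf -- "--exclude-files '%s'\n" "$GLOBAL_EXCLUDE"
  [ -f "$1" ] || return 0
  while IFS= read -r pattern || [ -n "$pattern" ]; do
    case "$pattern" in ''|'#'*) continue ;; esac
    printf -- "--exclude-files '%s'\n" "$pattern"
  done < "$1"
}

# Fail fast when the baseline is missing: without it a check has nothing
# to compare against and would pass trivially.
require_baseline() {
  [ -f "$1" ] && return 0
  echo "error: $1 not found; run '$0 scan' and commit the result" >&2
  return 2
}

# Build (but do not run) the detect-secrets command for one mode:
#   scan  - (re)generate the baseline       audit - triage findings
#   check - diff the tree against the baseline, as the pre-commit hook does
command_for() {
  mode="$1"; ignore="$2"; baseline="$3"
  excludes=$(build_exclude_args "$ignore" | tr '\n' ' ' | sed 's/ $//')
  case "$mode" in
    scan)  echo "detect-secrets scan $excludes > $baseline" ;;
    audit) echo "detect-secrets audit $baseline" ;;
    check) echo "detect-secrets-hook --baseline $baseline $excludes" ;;
    *)     echo "usage: $0 {scan|audit|check}" >&2; return 1 ;;
  esac
}

main() {
  mode="${1:-check}"
  [ "$mode" = scan ] || require_baseline "$BASELINE"
  cmd=$(command_for "$mode" "$IGNORE_FILE" "$BASELINE")
  echo "+ $cmd"
  eval "$cmd"
}

[ $# -eq 0 ] || main "$@"
```

Run it once with `scan` to create the baseline, then wire `check` into the local pre-commit hook and the workflow; both exit non-zero when the baseline is absent or when new findings appear.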