
Standardize secrets detection to use script-based approach #102

Open
jordanpadams wants to merge 3 commits into main from feature/101-standardize-detect-secrets

Conversation

@jordanpadams (Member)

🗒️ Summary

Replaces the inline slim-detect-secrets pre-commit hook and duplicated --exclude-files argument lists with a centralized scripts/detect_secrets_baseline.sh script. Per-repo file exclusions now live in .detect-secrets-ignore (one regex per line). Adds scripts/requirements.txt so Java repo contributors can install detect-secrets and pre-commit with a single pip install -r scripts/requirements.txt.

Files changed:

  • scripts/detect_secrets_baseline.sh — new script (scan / audit / check modes); Java-specific global excludes (target/)
  • scripts/requirements.txt — new; pins detect-secrets~=1.5.0 and pre-commit~=3.3.3
  • .detect-secrets-ignore — new per-repo exclusion file
  • .pre-commit-config.yaml — replaced remote slim-detect-secrets hook with local script hook
  • .github/workflows/secrets-detection.yaml — simplified to pip install -r scripts/requirements.txt + run script; fails fast if .secrets.baseline is missing
  • README.md — updated Secrets Detection and Pre-Commit sections to use script commands and scripts/requirements.txt

🤖 AI Assistance Disclosure

  • No AI assistance used
  • AI used for light assistance (e.g., suggestions, refactoring, documentation help, minor edits)
  • AI used for moderate content generation (AI generated some code or logic, but the developer authored or heavily revised the majority)
  • AI generated substantial portions of this code

Estimated % of code influenced by AI: 90 %

⚙️ Test Data and/or Report

The script logic mirrors the existing pattern used in cloud-tools, en-ops-utils, and template-repo-python (NASA-PDS/template-repo-python#146), which have been running this approach in production. The Java-specific adjustment is the global target/ exclude in place of Python-specific excludes.

♻️ Related Issues

Fixes #101

See also sister PR in template-repo-python: NASA-PDS/template-repo-python#146

🤓 Reviewer Checklist

Reviewers: Please verify the following before approving this pull request.

Documentation and PR Content

  • Documentation: README, Wiki, or inline documentation (Sphinx, Javadoc, Docstrings) have been updated to reflect these changes.
  • Issue Traceability: The PR is linked to a valid GitHub Issue
  • PR Title: The PR title is "user-friendly" clearly identifying what is being fixed or the new feature being added, that if you saw it in the Release Notes for a tool, you would be able to get the gist of what was done.

Security & Quality

  • SonarCloud: Confirmed no new High or Critical security findings.
  • Secrets Detection: Verified that the Secrets Detection scan passed and no sensitive information (keys, tokens, PII) is exposed.
  • Code Quality: Code follows organization style guidelines and best practices for the specific language (e.g., PEP 8, Google Java Style).

Testing & Validation

  • Test Accuracy: Verified that test data is accurate, representative of real-world PDS4 scenarios, and sufficient for the logic being tested.
  • Coverage: Automated tests cover new logic and edge cases.
  • Local Verification: (If applicable) Successfully built and ran the changes in a local or staging environment.

Maintenance

  • Backward Compatibility: Confirmed that these changes do not break existing downstream dependencies or API contracts (or that breaking changes are clearly documented).
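The PR summary describes the shape of the new wrapper (one script with scan, audit and check modes; a global `target/` exclude for Java repos; per-repo exclusions read from `.detect-secrets-ignore`, one regex per line; the workflow failing fast when `.secrets.baseline` is missing). The script below is an added illustration of that pattern written for this page, not the PR's own `scripts/detect_secrets_baseline.sh`. The function names, the `DETECT_SECRETS_IGNORE` / `DETECT_SECRETS_BASELINE` environment overrides, the handling of `#` comment lines in the ignore file, and the choice to implement `check` with `detect-secrets-hook` over `git ls-files` are assumptions of this example.

```shell
#!/usr/bin/env sh
# Added example of a centralized detect-secrets wrapper (not the PR's own script).
# Assumptions not taken from the PR: function names, env-var overrides, '#' comment
# handling in the ignore file, and "check" being driven by detect-secrets-hook.
set -eu

IGNORE_FILE="${DETECT_SECRETS_IGNORE:-.detect-secrets-ignore}"   # one regex per line
BASELINE="${DETECT_SECRETS_BASELINE:-.secrets.baseline}"
GLOBAL_EXCLUDES='^target/'   # Java build output, the global exclude named in the PR

# Print every exclusion regex, one per line: global excludes first, then the
# per-repo ignore file with blank lines and '#' comments skipped.
list_exclude_patterns() {
    ignore_file="$1"
    set -f   # patterns are regexes, never glob-expand them
    for pat in $GLOBAL_EXCLUDES; do
        printf '%s\n' "$pat"
    done
    set +f
    [ -f "$ignore_file" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        printf '%s\n' "$line"
    done < "$ignore_file"
}

# Turn the pattern list into the repeated "--exclude-files REGEX" pairs that
# detect-secrets expects, one argument per line so the caller can re-split safely.
build_exclude_args() {
    list_exclude_patterns "$1" | while IFS= read -r pat; do
        printf -- '--exclude-files\n%s\n' "$pat"
    done
}

# scan: regenerate the baseline; audit: label findings interactively;
# check: fail if tracked files contain secrets not already in the baseline.
run_mode() {
    mode="$1"
    command -v detect-secrets >/dev/null 2>&1 || {
        echo "detect-secrets not found; run: pip install -r scripts/requirements.txt" >&2
        exit 1
    }
    tmp=$(mktemp)
    build_exclude_args "$IGNORE_FILE" > "$tmp"
    set --
    while IFS= read -r arg; do set -- "$@" "$arg"; done < "$tmp"
    rm -f "$tmp"
    case "$mode" in
        scan)
            # Writes a fresh baseline. To update an existing one and keep its
            # audit labels, run "detect-secrets scan --baseline $BASELINE" instead.
            detect-secrets scan "$@" > "$BASELINE"
            ;;
        audit|check)
            # Fail fast when the baseline is missing, as the PR's workflow does.
            [ -f "$BASELINE" ] || { echo "missing $BASELINE; run '$0 scan' first" >&2; exit 1; }
            if [ "$mode" = audit ]; then
                detect-secrets audit "$BASELINE"
            else
                git ls-files | xargs detect-secrets-hook --baseline "$BASELINE" "$@"
            fi
            ;;
        *)
            echo "usage: $0 scan|audit|check" >&2
            exit 2
            ;;
    esac
}

# Dispatch only when a mode was given, so sourcing the file just defines the functions.
if [ "$#" -gt 0 ]; then
    run_mode "$1"
fi
```

Keeping the exclusion list in a file that the script parses means the pre-commit hook, the CI workflow and a developer's manual run all pass exactly the same `--exclude-files` arguments, which is the duplication the PR removes; the global `target/` entry is the one place a repository-type default lives.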

jordanpadams and others added 2 commits July 2, 2026 17:23
Replace inline slim-detect-secrets hook and duplicated --exclude-files
args with scripts/detect_secrets_baseline.sh, which centralizes all
scan logic and reads per-repo exclusions from .detect-secrets-ignore.
Adds scripts/requirements.txt so Java repos can install detect-secrets
and pre-commit with a single pip install -r scripts/requirements.txt.

Closes #101

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Comment thread .secrets.baseline
},
{
"name": "EmailAddressDetector"
"name": "GitHubTokenDetector"
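Review bot: removing EmailAddressDetector from the detector list next to GitHubTokenDetector narrows what the baseline covers, so the README sentence that lists "email addresses" among the secrets detected needs to change in the same PR, and the baseline should be regenerated with the new script's scan mode so that the plugin list in `.secrets.baseline` matches what the local hook and the workflow actually run.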

Member

See the R98 comment on README.md; the EmailAddressDetector is removed, but the README mentions "…secrets (email addresses, passwords, API keys, etc.)".

Either EmailAddressDetector has to come back, or the "email addresses" needs to go from the README.

Member Author

@copilot can you update?


Updated in e36cacb.

Comment thread README.md Outdated
```

#### 🪝 Pre-Commit Hooks
Make a baseline for any secrets (email addresses, passwords, API keys, etc.) in the repository:
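Review bot: the sentence under the Pre-Commit Hooks heading still lists the secret types by example and should instead match the detectors configured in `.secrets.baseline`; it should also name the command the README now expects readers to run (the scan mode of `scripts/detect_secrets_baseline.sh` after `pip install -r scripts/requirements.txt`) rather than leaving the reader to infer it from the hook configuration.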

Member

See the R27 comment on .secrets.baseline; the EmailAddressDetector is removed, but the README mentions "…secrets (email addresses, passwords, API keys, etc.)".

Either EmailAddressDetector has to come back, or the "email addresses" needs to go from the README.

Member Author

@copilot can you update?


Updated in e36cacb: README now removes “email addresses” from the secrets examples so it aligns with the current detectors in .secrets.baseline.

@nutjob4life (Member) left a comment

Excelsior! Thanks for this @jordanpadams; this is a great improvement to secrets detection.

I heartily approve.

I did have two minor interspersed comments (c.f.), but they don't stand in the way of approval to me.

sonarqubecloud Bot commented Jul 4, 2026
