Skip to content

Standardize secrets detection to use script-based approach#146

Open
jordanpadams wants to merge 3 commits into
mainfrom
feature/145-standardize-detect-secrets
Open

Standardize secrets detection to use script-based approach#146
jordanpadams wants to merge 3 commits into
mainfrom
feature/145-standardize-detect-secrets

Conversation

@jordanpadams

Copy link
Copy Markdown
Member

🗒️ Summary

Replaces the inline slim-detect-secrets pre-commit hook and duplicated --exclude-files argument lists with a centralized scripts/detect_secrets_baseline.sh script. Per-repo file exclusions now live in .detect-secrets-ignore (one regex per line) rather than being copy-pasted into every hook and workflow.

Files changed:

  • scripts/detect_secrets_baseline.sh — new script (scan / audit / check modes)
  • .detect-secrets-ignore — new per-repo exclusion file
  • .pre-commit-config.yaml — replaced remote slim-detect-secrets hook with local script hook
  • .github/workflows/secrets-detection.yaml — simplified to pip install detect-secrets~=1.5.0 + run script; fails fast if .secrets.baseline is missing
  • setup.cfg — added detect-secrets~=1.5.0 to [options.extras_require] dev
  • README.md — updated detect-secrets section to use script commands
  • CLAUDE.md — added secrets detection section
  • docs/wiki-detect-secrets.md — replacement content for the NASA-PDS wiki detect-secrets section

🤖 AI Assistance Disclosure

  • No AI assistance used
  • AI used for light assistance (e.g., suggestions, refactoring, documentation help, minor edits)
  • AI used for moderate content generation (AI generated some code or logic, but the developer authored or heavily revised the majority)
  • AI generated substantial portions of this code

Estimated % of code influenced by AI: 90 %

⚙️ Test Data and/or Report

The script logic was validated against the existing pattern used in cloud-tools and en-ops-utils, which have been running this approach in production. The GitHub Actions workflow change is mechanical (same scan logic, delegated to script). No functional change to what is scanned.

♻️ Related Issues

Fixes #145

🤓 Reviewer Checklist

Reviewers: Please verify the following before approving this pull request.

Documentation and PR Content

  • Documentation: README, Wiki, or inline documentation (Sphinx, Javadoc, Docstrings) have been updated to reflect these changes.
  • Issue Traceability: The PR is linked to a valid GitHub Issue
  • PR Title: The PR title is "user-friendly" clearly identifying what is being fixed or the new feature being added, that if you saw it in the Release Notes for a tool, you would be able to get the gist of what was done.

Security & Quality

  • SonarCloud: Confirmed no new High or Critical security findings.
  • Secrets Detection: Verified that the Secrets Detection scan passed and no sensitive information (keys, tokens, PII) is exposed.
  • Code Quality: Code follows organization style guidelines and best practices for the specific language (e.g., PEP 8, Google Java Style).

Testing & Validation

  • Test Accuracy: Verified that test data is accurate, representative of real-world PDS4 scenarios, and sufficient for the logic being tested.
  • Coverage: Automated tests cover new logic and edge cases.
  • Local Verification: (If applicable) Successfully built and ran the changes in a local or staging environment.

Maintenance

  • Backward Compatibility: Confirmed that these changes do not break existing downstream dependencies or API contracts (or that breaking changes are clearly documented).

Replace inline slim-detect-secrets hook and duplicated --exclude-files
args with scripts/detect_secrets_baseline.sh, which centralizes all
scan logic and reads per-repo exclusions from .detect-secrets-ignore.
Adds detect-secrets~=1.5.0 to dev extras so it installs with the venv.

Closes #145

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@jordanpadams jordanpadams requested a review from a team as a code owner July 2, 2026 22:34
@jordanpadams jordanpadams self-assigned this Jul 2, 2026
Remind users who create repos from this template to update CLAUDE.md
for their specific project before using it with Claude Code.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

@nutjob4life nutjob4life left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bravo! Thank you so much for buffing out the sharp "detect-secrets–shaped" edges in the template repository.

I heartily approve: ✅

However, I did notice a couple minor things in the script. Want to take a look? They could be ignored just fine, too.

elif [ "$1" = "audit" ]; then
$DETECT_SECRETS audit .secrets.baseline
else
# Check 1: Fail if any secrets in the baseline have not been audited

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The CI version (GitHub Actions) has a nice explicit check for .secrets.baseline but this script falls through to Python to produce (possibly ugly) stack trace if it's missing. Should we have a similar check here?

fi

# Check 2: Fail if any new secrets are detected that are not in the baseline
cp .secrets.baseline .secrets.new

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's add an EXIT trap here so temporary files get cleaned up if anything gets interrupted:

trap 'rm -f .secrets.new' EXIT

You can then remove (or keep if you like things explicit) all the other rm -f .secrets.new. (I vote keep, but I do get kind of explicit! 😎)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Standardize secrets detection to use script-based approach

2 participants