Standardize secrets detection to use script-based approach #146
jordanpadams wants to merge 3 commits into
Conversation
Replace inline slim-detect-secrets hook and duplicated --exclude-files args with scripts/detect_secrets_baseline.sh, which centralizes all scan logic and reads per-repo exclusions from .detect-secrets-ignore. Adds detect-secrets~=1.5.0 to dev extras so it installs with the venv. Closes #145 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Remind users who create repos from this template to update CLAUDE.md for their specific project before using it with Claude Code. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
nutjob4life
left a comment
Bravo! Thank you so much for buffing out the sharp "detect-secrets–shaped" edges in the template repository.
I heartily approve: ✅
However, I did notice a couple minor things in the script. Want to take a look? They could be ignored just fine, too.
| elif [ "$1" = "audit" ]; then | ||
| $DETECT_SECRETS audit .secrets.baseline | ||
| else | ||
| # Check 1: Fail if any secrets in the baseline have not been audited |
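Review bot: the bare "else" on the third line of this hunk catches every argument that is not "audit", so a misspelled or missing mode silently runs the check branch instead of failing. Since the script advertises scan / audit / check modes, an explicit `elif [ "$1" = "check" ]; then` for the checks, followed by a final "else" that prints `usage: $0 scan|audit|check` to stderr and exits non-zero, would make a typo in a pre-commit hook or workflow visible rather than masked.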
The CI version (GitHub Actions) has a nice explicit check for .secrets.baseline but this script falls through to Python to produce (possibly ugly) stack trace if it's missing. Should we have a similar check here?
| fi | ||
|
|
||
| # Check 2: Fail if any new secrets are detected that are not in the baseline | ||
| cp .secrets.baseline .secrets.new |
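Review bot: `cp .secrets.baseline .secrets.new` writes a fixed-name scratch file into the working tree, where two concurrent runs clobber each other and a stray `git add .` can commit it; a path from `tmp=$(mktemp)` (removed by an EXIT trap) avoids both. The copy's result is also unchecked in these lines, so unless the script runs under `set -e`, a missing .secrets.baseline fails here with a cp error and the following scan proceeds against a file that does not exist.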
Let's add an EXIT trap here so temporary files get cleaned up if anything gets interrupted:
trap 'rm -f .secrets.new' EXIT
You can then remove (or keep if you like things explicit) all the other rm -f .secrets.new. (I vote keep, but I do get kind of explicit! 😎)
🗒️ Summary
Replaces the inline slim-detect-secrets pre-commit hook and duplicated --exclude-files argument lists with a centralized scripts/detect_secrets_baseline.sh script. Per-repo file exclusions now live in .detect-secrets-ignore (one regex per line) rather than being copy-pasted into every hook and workflow.
Files changed:
- scripts/detect_secrets_baseline.sh — new script (scan / audit / check modes)
- .detect-secrets-ignore — new per-repo exclusion file
- .pre-commit-config.yaml — replaced remote slim-detect-secrets hook with local script hook
- .github/workflows/secrets-detection.yaml — simplified to pip install detect-secrets~=1.5.0 + run script; fails fast if .secrets.baseline is missing
- setup.cfg — added detect-secrets~=1.5.0 to [options.extras_require] dev
- README.md — updated detect-secrets section to use script commands
- CLAUDE.md — added secrets detection section
- docs/wiki-detect-secrets.md — replacement content for the NASA-PDS wiki detect-secrets section
🤖 AI Assistance Disclosure
Estimated % of code influenced by AI: 90 %
⚙️ Test Data and/or Report
The script logic was validated against the existing pattern used in cloud-tools and en-ops-utils, which have been running this approach in production. The GitHub Actions workflow change is mechanical (same scan logic, delegated to script). No functional change to what is scanned.
♻️ Related Issues
Fixes #145
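As an added example (not the PR's scripts/detect_secrets_baseline.sh or any project code), here is a plain-sh sketch of the wrapper the summary describes, with the two review points folded in: a clear error when .secrets.baseline is missing, a private mktemp copy removed by an EXIT trap, and an explicit mode dispatch that rejects misspelled modes. It assumes jq is available to read the baseline JSON and that audited entries carry an is_secret key as in detect-secrets 1.x baselines; function and variable names are my own.

```shell
#!/bin/sh
# Added example, not the PR's scripts/detect_secrets_baseline.sh; function names and the
# jq baseline queries are assumptions, the detect-secrets flags are the ones the PR uses.
set -eu
IGNORE_FILE="${IGNORE_FILE:-.detect-secrets-ignore}"
BASELINE="${BASELINE:-.secrets.baseline}"
# Regexes from .detect-secrets-ignore, one per line; blanks and '#' comments skipped.
list_excludes() {
  [ -f "$1" ] || return 0
  while IFS= read -r rx || [ -n "$rx" ]; do
    case "$rx" in ''|'#'*) ;; *) printf '%s\n' "$rx" ;; esac
  done < "$1"
}
# Reviewer point 1: a clear error instead of a Python traceback when the baseline is missing.
require_baseline() {
  [ -f "$1" ] && return 0
  echo "error: $1 not found; create it with: detect-secrets scan > $1" >&2
  return 1
}
# Scan against a baseline; each ignore line becomes its own --exclude-files argument,
# built with set -- so plain sh needs no arrays and the regex is never glob-expanded.
scan_into() {
  set -- scan --baseline "$1"
  while IFS= read -r rx; do
    if [ -n "$rx" ]; then set -- "$@" --exclude-files "$rx"; fi
  done <<EOF
$(list_excludes "$IGNORE_FILE")
EOF
  detect-secrets "$@"
}
# Reviewer point 2: scan a private temp copy that an EXIT trap removes even when the
# run is interrupted, then apply the PR's two checks (audited entries carry is_secret).
run_check() {
  require_baseline "$BASELINE"
  tmp=$(mktemp); trap 'rm -f "$tmp"' EXIT
  cp "$BASELINE" "$tmp"; scan_into "$tmp"
  jq -e '[.results[][] | select(has("is_secret") | not)] | length == 0' "$tmp" >/dev/null \
    || { echo "error: unaudited entries in baseline; run '$0 audit'" >&2; return 1; }
  [ "$(jq -S .results "$BASELINE")" = "$(jq -S .results "$tmp")" ] \
    || { echo "error: new secrets detected; run '$0 scan', then audit them" >&2; return 1; }
}
# Explicit dispatch: a misspelled mode is a usage error, not a silent check run.
dispatch() {
  case "${1:-}" in
    scan)  require_baseline "$BASELINE" && scan_into "$BASELINE" ;;
    audit) require_baseline "$BASELINE" && detect-secrets audit "$BASELINE" ;;
    check) run_check ;;
    *) echo "usage: $0 scan|audit|check" >&2; return 2 ;;
  esac
}
if [ $# -gt 0 ]; then dispatch "$@"; fi   # no args: only define the functions
```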