-
Notifications
You must be signed in to change notification settings - Fork 9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Issue #89: Update documentation for detect-secrets #95
Conversation
Configuration files (yaml, baseline file, and plugins) are stored at another repository: https://github.com/NASA-AMMOS/slim-config-detect-secrets
Configuration files (yaml, baseline file, and plugins) are stored at another repository: https://github.com/NASA-AMMOS/slim-config-detect-secrets
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Excellent job here @perryzjc - this is a wonderful feature you've proposed and added and it is going to be invaluable for many projects. Your documentation was very clear. There's a few problems I encountered that you may want to help on, and some suggestions. Excited to get this integrated soon.
|
||
``` | ||
Starter Kit: | ||
1. Create a workflow file `detect-secrets.yaml` in `.github/workflows` directory from your repository root. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
After running this on a fresh repository on GitHub, I received the following in the GH Actions workflow log (see trace here):
Run # scripts to scan repository for new secrets
cp: cannot stat '.secrets.baseline': No such file or directory
Error: Process completed with exit code 1.
Is there a way you can check for and create a blank .secrets.baseline
file if being run for the first time on a repo that has never used detect secrets before?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
try touch .secrets.baseline && <additional_command>
which will ensure it's always there.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
try
touch .secrets.baseline && <additional_command>
which will ensure it's always there.
Yep, I have a similar idea. But due to the format requirement of the baseline file (detect-secrets version can be different), my new solution is to generate the blank baseline file (but with the correct config) by scanning the result on an empty folder.
- name: Create a blank .secrets.baseline (but with correct configuration) if it does not exist
run: |
if [ ! -f .secrets.baseline ]; then
# The generated baseline file will only be available temporarily on the GitHub side and will not appear on the user's local files
# Scanning an empty folder ensures no initial secrets are included
echo "⚠️ No existing .secrets.baseline file detected. Creating a new blank baseline file."
mkdir empty-dir
detect-secrets scan empty-dir > .secrets.baseline
echo "✅ Blank .secrets.baseline file created successfully."
rm -r empty-dir
else
echo "✅ Existing .secrets.baseline file detected. No new baseline file will be created."
fi
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Touch does exactly that. If it's not there, it creates an empty file.
You may want to use >>
so if a file exists it doesn't replace its contents with an empty file.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You may want to use
>>
so if a file exists it doesn't replace its contents with an empty file.
I have a clarification.
To run detect-secrets for the new secret successfully,
detect-secrets scan --baseline .secrets.new --exclude-files '.secrets.' --exclude-files '.git'
the baseline file should not be entirely empty but should contain some information, even if no secrets are detected. Here's an example of the required format for the baseline file:
And, this format of the content generated can vary based on the version of detect-secrets. So I use this command to help with the compatibility
detect-secrets scan empty-dir > .secrets.baseline
My solution uses if-else
approach to determine whether we need to create the "initial" baseline file. And even though the file got created by the GitHub Action server, the change is not committed, so it will not affect the project code.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @perryzjc - thanks for getting the GitHub Action going. Working now in my test run! Though please see two suggestions below:
Suggestions:
- The sample workflow file mentioned in your Usage section does not work as-is for me. I received an invalid workflow file exception (see here and here). I had to remove the "description" and the "branding" parameters to get it to work. Can you resolve this?
- I'm not clear on the "Use latest version" button of your GH action page and how your action will support inline use within the "steps" section of a GitHub workflow file. Seems like the way you have it configured, your GitHub action can only work as a single workflow file, and not within a workflow file that contains multiple steps. Might be good to clarify that in the description of your GitHub action.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note @perryzjc - I've proposed a PR to resolve #1 above: perryzjc/detect-secrets-action#1
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
After chatting with @perryzjc - let's go forth with reverting to the previous GitHub Action strategy, namely: embedding the Workflow file contents inline into this documentation for users to copy/paster. The GH marketplace strategy is complicated and will require more investigation.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Co-authored-by: Rishi Verma <[email protected]>
Resolve this conversation: NASA-AMMOS#95 (comment)
Co-authored-by: Rishi Verma <[email protected]>
I also have some updates on my findings about the "bug" discussed in my meeting with @riverma BackgroundBelow are the cases we discussed during the meeting. Rishi and I both got the same results for each case. 1. Three secret types (one built-in plugin, two my custom plugins)built-in plugin:
my custom plugins:
sample file:
After running command
the baseline file only showed two results (supposed to show all three) from my custom plugin: 2. Two secret types (one built-in plugin, one my custom plugins)built-in plugin:
my custom plugins:
sample file:
After running the same command, 3. One secret type (one built-in plugin)built-in plugin:
sample file:
After running the same command, ThoughtsDuring the meeting, we thought the "bug" came from my custom plugins based on the above results. More tests4. Two secret types (two built-in plugins)built-in plugin:
sample file:
After running the same command, 5. Two secret types (one built-in plugin and one custom plugin)built-in plugin:
my custom plugins:
sample file:
After running the same command, 6. Two secret types (one built-in plugin and one custom plugin)built-in plugin:
my custom plugins:
sample file:
After running the same command, Assumption and ConclusionBased on further tests 5 and 6, It can probably be a bug from the official 'Yelp/detect-secrets` or a feature. Although this "bug" exists at the moment, |
To resolve this conversation: NASA-AMMOS#95 (comment)
Great analysis @perryzjc! This clarifies some unexpected behavior (we think) from detect secrets. Not too worried, since this is only relevant to a single file, and resolving one of the secrets in code should make the other plugins catch other secrets within the same file. However, this discussion is great to point developers at detect secrets to, for clarification whether a bug ticket should be filed. |
As mentioned in [this comment](NASA-AMMOS/slim#95 (comment)), the two lines cause failures.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great work @perryzjc - if you can make the GH action fix described in the comments, this is good to merge from my side.
Refer to this conversation: NASA-AMMOS#95 (comment)
Co-authored-by: Rishi Verma <[email protected]>
Co-authored-by: Rishi Verma <[email protected]>
Co-authored-by: Rishi Verma <[email protected]>
Co-authored-by: Rishi Verma <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@perryzjc - just re-tested the GitHub Action, and it works great! Just as expected, it was able to find secrets and after removing them it was able to let the commit proceed.
You've done a fantastic job here. Congratulations! LGTM and +1 for merge.
Timely delivery is meaningful. Some changes addressed concerns. More changes wouldn't be constructive at this moment.
+1 Let's merge this PR... |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's merge this project. It looks great and is a very meaningful contribution to our documentation stack.
Thank you @perryzjc!
Approved by @riverma and @jpl-jengelke. Merging. |
Recently discovered a rendering issue with respect to #95. Resolving with the use of an in line image.
Purpose
Proposed Changes
detect-secrets
under Static Application Security Testing section ofcontinuous-testing/starter-kits/README.md
Issues
Testing
UnableToReadBaselineError
. When I use the default Yelp/detect-secrets, the problem still exists. I will be further investigating this issue and open an issue ticket to Yelp/detect-secrets.Additional Notes
After discussion, I am using the forked
detect-secrets
for this documentation. Compared to the original detect-secrets from Yelp, my solution haveadditional plugins which are being reviewed by the Yelp/detect-secrets community. There are two pull requests for my customized plugins
Other plugins are experimental version for now, and I will be further developing in the next two weeks and have them reviewed.
Once all the plugins are reviewed and merged to the Yelp/detect-secrets, I will update the documentation to use the original Yelp/detect-secrets.
Check out the documentation for more details :)