I decided to make the blog repository public to allow writing comments. To do it, I scanned my repo using two programs.
detect-secrets
detect-secrets detects secrets within a code base however, unlike other similar packages that solely focus on finding secrets, this package is designed with the enterprise client in mind: providing a backwards compatible, systematic means of:
- Preventing new secrets from entering the code base,
- Detecting if such preventions are explicitly bypassed, and
- Providing a checklist of secrets to roll, and migrate off to a more secure storage.
to install
brew install detect-secrets
to use
# create base line
detect-secrets scan > .secrets.baseline
# review secrets
detect-secrets audit .secrets.baseline
Output
Secret: 5 of 5
Filename: content/blog/zerolog-trace-id-access-log/index.md
Secret Type: Hex High Entropy String
----------
123: "TraceState": "",
124: "Remote": false
125: },
126: "Parent": {
127: "TraceID": "5fdc14f10cb4c2d1f253f853c16162e7",
128: "SpanID": "47e1ebf518ef9e7d",
129: "TraceFlags": "01",
130: "TraceState": "",
131: "Remote": false
132: },
133: "SpanKind": 1,
----------
gitleaks
gitleaks is another tool for the same job. Gitleaks is a Static application security testing tool for detecting and preventing hardcoded secrets like passwords, API keys, and tokens in git repos. Gitleaks is an easy-to-use, all-in-one solution for detecting secrets, past or present, in your code.
brew install gitleaks
gitleaks git -v
○
│╲
│ ○
○ ░
░ gitleaks
11:54AM INF 47 commits scanned.
11:54AM INF scan completed in 166ms
11:54AM INF no leaks found
Adding to pre-commit
Using pre-commit
is a great way to speed up finding errors before doing the commit.
# .pre-commit-config.yaml
repos:
- repo: https://github.com/Yelp/detect-secrets
rev: v1.5.0
hooks:
- id: detect-secrets
args: ['--baseline', '.secrets.baseline']
exclude: package.lock.json
- repo: https://github.com/gitleaks/gitleaks
rev: v8.19.0
hooks:
- id: gitleaks