Plugin for PyPI api tokens

Yelp / detect-secrets

An enterprise friendly way of detecting and preventing secrets in code.

Apache License 2.0

3.58k stars 449 forks source link

Plugin for PyPI api tokens #819

Closed Chandra158 closed 2 months ago

Chandra158 commented 2 months ago

Please check if the PR fulfills these requirements

[x] Tests for the changes have been added
[x] Docs have been added / updated
[x] All CI checks are green

What kind of change does this PR introduce?

Feature: new plugin for PyPI tokens
Token format:

PyPI token is bound to start with: pypi-AgEIcHlwaS5vcmc[A-Za-z0-9-_]{70,} A token can be arbitrary long because we may add arbitrary many caveats.

Tests

New test added for plugin

Chandra158 commented 2 months ago

does the TestPypi token have the same format?

TestPypi has different format: pypi-AgENdGVzdC5weXBpLm9yZw[A-Za-z0-9-_]{70,}

is there a way to check the validity of the token?

This is not supported yet. (refs) There're some hacky way to do it but it'd also require other details like username in addition to the token.

lorenzodb1 commented 2 months ago

Could you add checks for Test Pypi too?

There're some hacky way to do it but it'd also require other details like username in addition to the token.

Do you think is something we could add as optional? Maybe you could add it as a configurable option for the user in the baseline file.

Chandra158 commented 2 months ago

Added a new commit for the test.pypi tokens.

Do you think is something we could add as optional? There're some hacky way t

I misunderstood pypitoken apis; this is only possible if the token is created by us. Not suitable for detect-secrets. IMO, there's no way to validate yet.