Using this to call detect-secrets from build-locally.sh:
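#######################################
# Refresh the detect-secrets baseline, audit it, and fail the build when any
# reported finding is left without an audit verdict.
# Globals:   BASEDIR (read) - directory holding .secrets.baseline
# Arguments: none
# Outputs:   progress messages via h2/success/error
# Returns:   0 when every finding in .secrets.baseline has been audited;
#            exits 1 (via exit or check_exit_code) otherwise
#######################################
function check_secrets {
  local rc secrets audits tmp
  h2 "updating secrets baseline"
  # ":?" aborts if BASEDIR is unset/empty, so a missing variable cannot turn
  # this into "cd $HOME" and scan (and rewrite a baseline in) the wrong tree.
  cd "${BASEDIR:?BASEDIR must be set}" || { error "Cannot cd to ${BASEDIR}"; exit 1; }
  detect-secrets scan --update .secrets.baseline
  rc=$?
  check_exit_code "$rc" "Failed to run detect-secrets. Please check it is installed properly"
  success "updated secrets file"
  h2 "running audit for secrets"
  detect-secrets audit .secrets.baseline
  rc=$?
  check_exit_code "$rc" "Failed to audit detect-secrets."
  # Check all secrets have been audited: every "hashed_secret" entry should
  # carry an "is_secret" verdict after the audit, so the two counts must match.
  # grep -c prints 0 but exits 1 when nothing matches; "|| true" keeps a clean
  # baseline from tripping set -e if the caller enables it.
  secrets=$(grep -c hashed_secret .secrets.baseline || true)
  audits=$(grep -c is_secret .secrets.baseline || true)
  if [[ "$secrets" != "$audits" ]]; then
    error "Not all secrets found have been audited"
    exit 1
  fi
  # Drop the volatile timestamp so the committed baseline only changes when
  # findings change. Done through a temp file because "sed -i ''" is BSD/macOS
  # syntax that fails on GNU sed; cat-ing back preserves the file's mode.
  tmp=$(mktemp .secrets.baseline.XXXXXX) || { error "mktemp failed"; exit 1; }
  sed '/[ ]*"generated_at": ".*",/d' .secrets.baseline > "$tmp" \
    && cat -- "$tmp" > .secrets.baseline
  rc=$?
  rm -f -- "$tmp"
  check_exit_code "$rc" "Failed to strip generated_at from .secrets.baseline"
  success "secrets audit complete"
}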
Install command:
pip install --upgrade "git+https://github.com/ibm/detect-secrets.git@master#egg=detect-secrets"
Story
As a Galasa developer, I want to be able to commit code knowing that I have not introduced secrets into the code, so that I can ensure that my commits are clean and safe.
https://github.com/IBM/detect-secrets
Tasks