Closed maxschulz-COL closed 2 months ago
I don't understand it entirely 😅 But I think the rationale for storing the baseline file (even if it's an empty list only) was for the pentest? We had to generate it from scratch and then the question popped up if we could just store it in the repository.
@Joseph-Perkins Can you help out here?
## Description

This PR closes https://github.com/McK-Internal/vizro-internal/issues/607. It is not necessary to have a baseline, because we have no secret in our public commit history. However, our command `hatch run secrets` did not work anymore, so it was updated.

## Details on learnings

More to remember later than anything else... This also explains why the output of `hatch run secrets` was different for different users.

`gitleaks` operates by scanning the diffs from `git log -p`, which does the following:

### Can secrets hide somewhere else?

Yes and no. So e.g. we saw that while `gitleaks` didn't find the secret anymore (after deleting stale branches), it was still possible to check out the problematic commit (as we knew the sha)! This is because of `git reflog`:

### Conclusion

`gitleaks` operating with `git log -p` is sufficient for secret scanning. Any local divergences are either due to stale branches, or due to our local commit store `reflog`.

## Screenshot

## Notice

- [x] I acknowledge and agree that, by checking this box and clicking "Submit Pull Request":
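The `git log -p` versus reflog difference the description above relies on, reproduced as an added example (not code from this PR, from vizro or from gitleaks). It assumes `git` on PATH, uses a constructed placeholder string instead of a real secret, and ends with the local purge (`git reflog expire` plus `git gc`) that makes both views agree:

```shell
# Added example (not code from the PR or from gitleaks): commit a CONSTRUCTED placeholder
# in a throwaway repo, drop that commit from branch history, then compare what a
# `git log -p` walk sees with what the reflog still keeps, and purge both.
set -eu
SECRET_MARKER="CONSTRUCTED_PLACEHOLDER_SECRET"   # constructed, not a real credential

# Build the scratch repo and print its path. The dropped commit's sha is saved under
# .git/ so the object's disappearance can be checked after the purge.
setup_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" config user.email "dev@example.invalid"
  git -C "$dir" config user.name "dev"
  echo "base" > "$dir/README.md"
  git -C "$dir" add README.md
  git -C "$dir" commit -q -m "initial"
  echo "API_KEY=$SECRET_MARKER" > "$dir/.env"
  git -C "$dir" add .env
  git -C "$dir" commit -q -m "oops: commit secret"
  git -C "$dir" rev-parse HEAD > "$dir/.git/dropped_sha"
  # Same effect as deleting a stale branch or rewriting history: the commit is no
  # longer reachable from any ref, but its objects and reflog entry remain locally.
  git -C "$dir" reset -q --hard HEAD~1
  echo "$dir"
}
# Matching lines a scanner walking `git log -p` over every ref sees (0 once unreachable).
count_in_log() {
  git -C "$1" log -p --all | grep -c "$SECRET_MARKER" || true
}
# The same walk, additionally seeded with every commit the reflog still points at.
count_in_log_with_reflog() {
  git -C "$1" log -p --all --reflog | grep -c "$SECRET_MARKER" || true
}
# Is the dropped commit object still in the local object store? Prints yes or no.
dropped_commit_exists() {
  if git -C "$1" cat-file -e "$(cat "$1/.git/dropped_sha")" 2>/dev/null; then echo yes; else echo no; fi
}
# Local remediation: expire every reflog, then prune objects nothing references anymore.
purge_unreachable() {
  git -C "$1" reflog expire --expire=now --all
  git -C "$1" gc -q --prune=now
}

repo=$(setup_repo)
echo "before purge: log=$(count_in_log "$repo") log+reflog=$(count_in_log_with_reflog "$repo") object=$(dropped_commit_exists "$repo")"
purge_unreachable "$repo"
echo "after purge:  log+reflog=$(count_in_log_with_reflog "$repo") object=$(dropped_commit_exists "$repo")"
```

Run against a real clone, only the `purge_unreachable` step applies; it removes the local copies that a history-based scan never reports, and does nothing about copies already pushed or fetched elsewhere.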