Checked for duplicates
Yes - I've already checked
Alternatives considered
Yes - and alternatives don't suffice
Related problems
As a further enhancement to our Jenkins pipelines, we can integrate use of the Secrets Detection tool to monitor any commits that might include sensitive information such as credentials, hostnames, or IP addresses.
A good description of the detect-secrets tool (already installed on OPERA test machines) can be found here: https://riverma.github.io/slim/docs/guides/software-lifecycle/security/secrets-detection/
Describe the feature request
Rather than integrate usage as a git pre-commit hook, I would like it to become an additional stage in our build/test pipeline to track branches to be merged.
detect-secrets works by comparing a .secrets.baseline file it creates with a pre-existing version within the repo, so the first step will be to use detect-secrets to generate the initial version of the file, and commit it to the working branch. From there, if subsequent execution of detect-secrets from the CI pipeline results in an updated version of .secrets.baseline, the pipeline stage should fail and print a notification message that .secrets.baseline needs to be examined and recommitted to the working branch. Otherwise, the stage should pass.
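One way to implement the stage described above, as an added example that is not part of this issue or of the OPERA project's own Jenkinsfile. It assumes a declarative pipeline, that detect-secrets is on PATH on the agent, that the branch under test is already checked out in the workspace, and that .secrets.baseline has been generated once with `detect-secrets scan > .secrets.baseline`, audited and committed; the 'Build' and 'Test' stages are placeholders for whatever already exists. The stage re-runs the scan against the committed baseline, compares the result with the committed copy, and fails with the requested notification when they differ:

```groovy
// Jenkinsfile (declarative). Added example, not the OPERA project's pipeline.
// Assumptions: detect-secrets on PATH, branch checked out, and .secrets.baseline
// already generated, audited and committed on the working branch.
pipeline {
    agent any

    environment {
        SECRETS_BASELINE = '.secrets.baseline'
    }

    stages {
        stage('Build') { steps { sh 'make build' } }   // placeholder for the existing stage
        stage('Test')  { steps { sh 'make test'  } }   // placeholder for the existing stage

        stage('Secrets Detection') {
            steps {
                sh '''#!/bin/bash
set -euo pipefail
rm -f baseline.diff   # stale output from an earlier build in the same workspace

if [ ! -f "$SECRETS_BASELINE" ]; then
    echo "ERROR: $SECRETS_BASELINE is missing. Generate it with" >&2
    echo "    detect-secrets scan > $SECRETS_BASELINE" >&2
    echo "audit it with 'detect-secrets audit $SECRETS_BASELINE', and commit it." >&2
    exit 1
fi

# Keep the committed copy outside the workspace so the scan does not pick up the
# hashes it contains. 'scan --baseline' rewrites the file in place when it finds
# something the baseline does not already record, and exits 0 either way, so the
# pass/fail decision has to come from comparing the two files.
committed=$(mktemp)
cp "$SECRETS_BASELINE" "$committed"
detect-secrets scan --baseline "$SECRETS_BASELINE"

# Compare ignoring the generated_at timestamp, which is not a finding.
if diff -u --label committed --label rescanned \
        <(grep -v '"generated_at"' "$committed") \
        <(grep -v '"generated_at"' "$SECRETS_BASELINE") > baseline.diff; then
    rm -f "$committed"
    echo "Secrets Detection: no new findings, $SECRETS_BASELINE is unchanged."
    exit 0
fi
rm -f "$committed"

echo "Secrets Detection FAILED: scanning this branch changed $SECRETS_BASELINE." >&2
echo "For each new entry in the diff below, either remove the secret from the" >&2
echo "source, or mark it as a false positive with" >&2
echo "    detect-secrets audit $SECRETS_BASELINE" >&2
echo "and then recommit $SECRETS_BASELINE to the working branch." >&2
cat baseline.diff >&2
exit 1
'''
            }
            post {
                // Keep the diff and the rescanned baseline on the build page so the
                // developer can examine them without re-running the scan locally.
                always {
                    archiveArtifacts artifacts: 'baseline.diff, .secrets.baseline',
                                     allowEmptyArchive: true
                }
            }
        }
    }
}
```

Two points worth knowing when wiring this in. `detect-secrets scan` does not use its exit status to signal new findings (the pre-commit hook form does), which is why the stage diffs the baseline instead of trusting the return code. And the stock detect-secrets plugins look for credential patterns and high-entropy strings; catching hostnames or IP addresses would take a custom plugin or a separate regex check added to the same stage.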