nasa / opera-sds-pge

Observational Products for End-Users from Remote Sensing Analysis (OPERA)
Apache License 2.0

[New Feature]: Integrate Secrets Detection with CI/CD Pipelines #474

Closed collinss-jpl closed 1 month ago

collinss-jpl commented 2 months ago

Checked for duplicates

Yes - I've already checked

Alternatives considered

Yes - and alternatives don't suffice

Related problems

As a further enhancement to our Jenkins pipelines, we can integrate use of the Secrets Detection tool to monitor any commits that might include sensitive information such as credentials, hostnames, or IP addresses.

A good description of the detect-secrets tool (already installed on OPERA test machines) can be found here: https://riverma.github.io/slim/docs/guides/software-lifecycle/security/secrets-detection/

Describe the feature request

Rather than integrate usage as a git pre-commit hook, I would like it to become an additional stage in our build/test pipeline to track branches to be merged.

detect-secrets works by comparing a .secrets.baseline file it creates with a pre-existing version within the repo, so the first step will be to use detect-secrets to generate the initial version of the file, and commit it to the working branch. From there, if subsequent execution of detect-secrets from the CI pipeline results in an updated version of .secrets.baseline, the pipeline stage should fail and print a notification message that .secrets.baseline needs to be examined and recommitted to the working branch. Otherwise, the stage should pass.
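An added example (not part of the issue or of the OPERA repository) of a check a Jenkins stage could run to implement the comparison described above. It assumes detect-secrets is installed on the agent, as the issue states, and that the baseline is tracked as `.secrets.baseline` in the repository root; it goes slightly beyond the text by comparing finding identities rather than the raw file, so the `generated_at` timestamp that detect-secrets rewrites on every scan and line-number shifts in unrelated edits do not fail the stage.

```python
"""CI baseline-drift check for detect-secrets (added example, not OPERA code).
Assumes detect-secrets is installed on the agent and that the committed
baseline is .secrets.baseline in the repository root."""
import json
import os
import shutil
import subprocess
import sys
import tempfile

BASELINE = ".secrets.baseline"


def finding_keys(baseline):
    """Flatten a baseline's 'results' into a set of finding identities.

    generated_at changes on every scan and line_number moves whenever code
    above a known finding is edited, so neither is part of the identity;
    a plain `diff` of the file would fail the stage spuriously."""
    keys = set()
    for filename, findings in baseline.get("results", {}).items():
        for f in findings:
            keys.add((filename, f["type"], f["hashed_secret"]))
    return keys


def baseline_drift(committed, fresh):
    """Return (added, removed) findings between the committed and fresh baselines."""
    old, new = finding_keys(committed), finding_keys(fresh)
    return sorted(new - old), sorted(old - new)


def rescan(committed_path):
    """Re-run detect-secrets against a copy of the committed baseline.

    --baseline keeps the repo's plugin/filter settings and audit decisions;
    scanning a copy leaves the tracked file untouched in the workspace."""
    fd, tmp_path = tempfile.mkstemp(suffix=".baseline")
    os.close(fd)
    shutil.copyfile(committed_path, tmp_path)
    subprocess.run(["detect-secrets", "scan", "--baseline", tmp_path], check=True)
    with open(tmp_path) as fh:
        return json.load(fh)


def main():
    with open(BASELINE) as fh:
        committed = json.load(fh)
    added, removed = baseline_drift(committed, rescan(BASELINE))
    for key in added:
        print("NEW finding  %s: %s (%s)" % key)
    for key in removed:
        print("GONE finding %s: %s (%s)" % key)
    if added or removed:
        print("%s is out of date: audit it and recommit it to the branch" % BASELINE)
        return 1  # fails the pipeline stage
    print("%s matches the current scan" % BASELINE)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```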

collinss-jpl commented 1 month ago

Closed by #481