pinterest / arcanist-linters

A collection of custom Arcanist linters
Apache License 2.0

Add detect-secrets (open source repo from Yelp) to pinterest linters #46

Closed uditgpt5 closed 3 years ago

uditgpt5 commented 3 years ago

Yelp released an open source repo (https://github.com/Yelp/detect-secrets) which is used to detect potential secrets in a codebase. Adding this open source repo as part of the pinterest linters will allow us to prevent users from committing secrets in Phabricator.

uditgpt5 commented 3 years ago

@jparise detect-secrets gives output in the following format:

```json
"/home/uditgupta/code/pinboard/api/handlers/v3/login_handlers.py": [
  {
    "hashed_secret": "e80b685c2cea92fe1970765ab5efcfdd5115hif5",
    "is_verified": false,
    "line_number": 76,
    "type": "Secret Keyword"
  }
]
```

As you can see it gives information about the line number so that it'll be easier for developers to fix.

jparise commented 3 years ago

> @jparise detect-secrets gives output in the following format: "/home/uditgupta/code/pinboard/api/handlers/v3/login_handlers.py": [ { "hashed_secret": "e80b685c2cea92fe1970765ab5efcfdd5115hif5", "is_verified": false, "line_number": 76, "type": "Secret Keyword" } ] As you can see it gives information about the line number so that it'll be easier for developers to fix.

Oh good! That should be easy to parse (as JSON) using `$json = json_decode($string, true)`. You can then extract the `line_number` value and set it using `$message->setLine()`.

uditgpt5 commented 3 years ago

@jparise changed the parsing logic to make it shorter and crisper. Here's the sample output:

```
Looks like you are about to commit secrets to this repo. Please avoid this practice

Possible mitigations:
1. For information about putting your secrets in a safer place, please
refer pinch/knox
2. If secret has already been committed please rotate that secret. If
rotation is taking significant time then please contact #security_related
slack channel
3. If its a test file with secrets (not belonging to any prod service)
mark false positives with an inline `pragma: allowlist secret` comment

{"hashed_secret":"dcac4032617d96b26e5b4ae626ee69be1c2ed481","is_verified":false,"line_number":15,"type":"Secret Keyword"}

>>>       15 SECRET = 'secret'
            ^
          16 
          17 
          18 class <ClassName>(TestJob):
```

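As an added example (not code from this PR or the arcanist-linters repo), here is a minimal ArcanistExternalLinter that applies the parsing approach jparise suggested and carries the guidance from the sample output above into the lint message: it decodes the JSON report from `detect-secrets scan`, reads the per-file findings under its `results` key, and sets each message's line from `line_number`. The class name, the `SECRET` lint code and the description wording are assumptions.

```php
<?php
// Added example, not code from this PR: an ArcanistExternalLinter that runs
// `detect-secrets scan <file>` and places one lint message on each reported
// line_number. Class name, lint code and message text are assumptions.
final class DetectSecretsLinter extends ArcanistExternalLinter {
  public function getLinterName() {
    return 'DETECT-SECRETS';
  }
  public function getLinterConfigurationName() {
    return 'detect-secrets';
  }
  public function getDefaultBinary() {
    return 'detect-secrets';
  }
  public function getInstallInstructions() {
    return pht('Install with `pip install detect-secrets`.');
  }
  protected function getMandatoryFlags() {
    // `scan` prints a JSON report on stdout; Arcanist appends the file path.
    return array('scan');
  }
  protected function parseLinterOutput($path, $err, $stdout, $stderr) {
    // The report keeps per-file findings under "results"; each finding is
    // an object shaped like the one quoted in the thread above.
    $report = phutil_json_decode($stdout);
    $messages = array();
    foreach (idx($report, 'results', array()) as $file => $findings) {
      foreach ($findings as $finding) {
        $type = idx($finding, 'type', 'Potential secret');
        $messages[] = id(new ArcanistLintMessage())
          ->setPath($path)
          ->setLine((int)idx($finding, 'line_number', 1))
          ->setChar(1)
          ->setCode('SECRET')
          ->setName($type)
          ->setSeverity(ArcanistLintSeverity::SEVERITY_ERROR)
          ->setDescription(pht(
            'Possible hard-coded secret (%s). Move it to a secret store, '.
            'rotate it if it was already committed, and mark test-only '.
            'values with an inline `pragma: allowlist secret` comment.',
            $type));
      }
    }
    return $messages;
  }
}
```

Registering the class in a repo's `.arclint` under the `detect-secrets` name makes every finding show up in `arc diff` at the offending line rather than as a single opaque failure.
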
uditgpt5 commented 3 years ago

@jparise we want to make the error message more specific, otherwise users will get confused about what needs to be done. At the same time we want to deploy this linter to as many repos as possible.