Added detect-secrets through pre-commit package#89
Added detect-secrets through pre-commit package#89eklee15 wants to merge 3 commits intoqiskit-community:mainfrom
Conversation
|
Edit: It looks like this detect-secrets is not actively maintained? I see there are other forks of it, one even by IBM: Should we switch? are there alternatives? |
| ---- | ||
|
|
||
| ### Pre-commit detect-secrets | ||
| `detect-secrets` is an open-source, developer-friendly tool designed to scan |
There was a problem hiding this comment.
could you add to the docs how to run pre-commit manually?
pre-commit run --all-files
for example.
We could also include instructions on how to push without
git commit --no-verify
but perhaps we shouldn't encourage it.
| @@ -0,0 +1,8 @@ | |||
| repos: | |||
There was a problem hiding this comment.
OK for me to use pre-commit.
I was actually considering setting up up for some forced formatting too.
| @@ -0,0 +1,8 @@ | |||
| repos: | |||
There was a problem hiding this comment.
Should we consider adding this to the CI/CD pipeline?
There was a problem hiding this comment.
I've talked to some of the developers who have used detect-secrets before, and they have noted that detect-secrets occasionally triggers false positives that can be "annoying" for the developers. Once forced, they might have more issues if they did not follow our instructions to install/use detect-secret correctly (maintenance overhead).
So we could keep this as an option, but I would suggest adding a GitHub Actions workflow to serve as a secondary sanity check for the repository - as this process will be executed at the server side, this would be "remediation," rather than the "prevention" method, ensuring our main branch remains "secret free".
Please find the discussion in this issue #85 in the Describe the solution you’d like section.
If agreed, I will create another PR to enforce this mechanism on GHA workflow.
Please let me know what you think.
|
Looks good to me overall. The main thing I’d still want is CI enforcement, so the check is applied consistently and not only when someone has the hook installed locally. Aside from that, it may be worth documenting how .secrets.baseline should be refreshed and maintained over time. |
@awennersteen I would like to go with the Yelp version because the IBM version flagged a larger number of false positives (75 vs 31), which could become a friction point for developers. Additionally, using the Yelp version keeps this repository vendor-neutral rather than IBM-specific. Of course, we would use |
@OkuyanBoga I've added this commit (be9b7bf) to handle false-positive in development time, and how to update the |
3 participants
Description of Change
PR related to this issue (#85)
README.md.pre-commit-config.yamlin order to enable "detect-secrets".secrets.baselineto baseline existing secrets identified by detect-secrets. This baseline has been manually audited, assuming there are no existing secrets in our repo; subsequent scans will now focus exclusively on new potential secret leaks.Checklist ✅
Ticket