@financial-times/secret-squirrel

2.21.1 • Public • Published

Secret Squirrel


This is like AWS's git-secrets but better.


Getting Started

To add Secret Squirrel to your project run:

npm install --save-dev @financial-times/secret-squirrel husky

(Note that the above command also installs husky, a tool for managing git hooks: https://github.com/typicode/husky)

Next, add the secret-squirrel precommit hook as a script in package.json. (The `precommit` script key is the convention older husky releases read; later husky versions moved hook definitions first into a `husky.hooks` block in package.json and then into a `.husky/pre-commit` file, so check which husky version the install above gave you and wire `secret-squirrel` into the pre-commit hook the way that version expects.)

	"scripts": {
		"precommit": "secret-squirrel"
	}

Note: If you're in Next, we recommend linting on commit and unit testing on push:

	"scripts": {
		"precommit": "make verify -j3 && secret-squirrel",
		"prepush": "make unit-test"
	}

That's it. From this point on, you can't commit any code that breaks the rules. (Keep in mind that this is a client-side git hook: anyone can skip it with `git commit --no-verify`, and a fresh clone only gets it once `npm install` has run, so treat it as a guard rail for developers and keep a server-side scan as the real backstop.)

$ git commit
running bin/pre-commit.js script
executing task "secret-squirrel"

server/search.js:5:fetch(url, { headers: { x-api-key: 'a69c65f3-0db7...' } })

DENIED FILES

.env

DENIED STRINGS

file: server/search.js
line number: 5
full line: fetch(url, { headers: { x-api-key: 'a69c65f3-0db7...' } })
deny match: a69c65f3-0db7...
deny rule: [a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}

Error: denied strings found

*** WARNING!!!! ***

"Resolve the above. For any potential secrets found, remove them from the code, allow them in project's secret-squirrel.cjs, or tweak the global rules in https://github.com/Financial-Times/secret-squirrel/blob/master/global-rules.js

We are removing the files from the commit if added

Protip: run `secret-squirrel init` to autogenerate the config with the matches for you to thoroughly check before committing to Git B)

Any problems, please contact the Enabling Technologies Group (#etg)"

*******************

"pre-commit You've failed to pass all the hooks."

You cannot. Facepalm.


Can I add project-specific rules?

You can! Ask Secret Squirrel to autogenerate a config with any secrets it finds for you to thoroughly check & adjust before committing to Git:

secret-squirrel init

N.B: This command always creates the config file with a .cjs extension, so the file keeps loading as CommonJS even if the project later migrates from CommonJS to ES modules (or vice versa).

Look in the global rules for some inspiration. You do not need to add the start (^), end ($) or word-boundary (\b) anchors yourself, because Secret Squirrel adds them around each rule.

Protip: do not commit the config if it contains actual secrets (!) The generated file lists the literal matches `init` found, so review each one and either remove the secret from the code or replace the literal in the config with a pattern before the file goes into Git.
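As an added example that is not part of this README or of the Secret Squirrel code base, the JavaScript below sketches the kind of check the hook runs and reproduces the layout of the `git commit` output shown earlier: a list of denied file patterns, deny-string rules written without their own anchors (the scanner wraps each rule in a boundary itself; using lookarounds for that is an assumption, not the tool's real strategy), an override list of exact matches to ignore, and a report. The sample repository, the rule list and the names `scanFiles`, `formatReport` and `DENY_OVERRIDES` are constructed for the example.

```javascript
// Added example (not Secret Squirrel's own code): a miniature "denied files /
// denied strings" scanner in the spirit of the hook output shown above.
// Assumptions: rule bodies are wrapped in boundary lookarounds before use, a
// denied file is reported and not scanned line by line, and an override is an
// exact string that suppresses a match.

// Files whose names alone are a problem (patterns are illustrative).
const DENIED_FILES = [
  /(^|\/)\.env(\..*)?$/,   // .env, .env.local, ...
  /\.pem$/,                // PEM-encoded keys or certificates
  /(^|\/)id_rsa$/,         // SSH private key
];

// Deny rules written the way the README describes: no ^, $ or \b; the scanner
// adds the boundaries. The first rule is the one in the sample output above.
const DENY_STRINGS = [
  '[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}', // uuid-shaped key
  'AKIA[0-9A-Z]{16}',                                             // AWS access key id
  '-----BEGIN [A-Z ]*PRIVATE KEY-----',                           // PEM private key header
];

// Exact matches known to be harmless (hypothetical allow-list for this example).
const DENY_OVERRIDES = ['00000000-0000-0000-0000-000000000000'];

// Wrap a rule body so it only matches a whole token. Lookarounds are used
// instead of \b so that a rule starting with a non-word character (the PEM
// header) still gets a boundary on both sides.
function compileDeny(rule) {
  return new RegExp(`(?<![A-Za-z0-9_])(?:${rule})(?![A-Za-z0-9_])`, 'g');
}

function scanFiles(files, { deniedFiles, denyStrings, denyOverrides }) {
  const result = { deniedFiles: [], deniedStrings: [] };
  const compiled = denyStrings.map((rule) => ({ rule, re: compileDeny(rule) }));
  const overrides = new Set(denyOverrides);

  for (const [file, content] of Object.entries(files)) {
    if (deniedFiles.some((re) => re.test(file))) {
      result.deniedFiles.push(file);
      continue;
    }
    content.split('\n').forEach((fullLine, index) => {
      for (const { rule, re } of compiled) {
        re.lastIndex = 0;
        let m;
        while ((m = re.exec(fullLine)) !== null) {
          if (m[0].length === 0) re.lastIndex += 1; // guard against zero-length loops
          if (overrides.has(m[0])) continue;
          result.deniedStrings.push({
            file, lineNumber: index + 1, fullLine, denyMatch: m[0], denyRule: rule,
          });
        }
      }
    });
  }
  return result;
}

// Render the result in the same layout as the hook output shown above.
function formatReport({ deniedFiles, deniedStrings }) {
  const out = [];
  if (deniedFiles.length) out.push('DENIED FILES', '', ...deniedFiles, '');
  if (deniedStrings.length) {
    out.push('DENIED STRINGS', '');
    for (const f of deniedStrings) {
      out.push(`file: ${f.file}`, `line number: ${f.lineNumber}`, `full line: ${f.fullLine}`,
               `deny match: ${f.denyMatch}`, `deny rule: ${f.denyRule}`, '');
    }
  }
  return out.join('\n');
}

// Constructed sample repository; the AKIA value is AWS's documented example key.
const SAMPLE_FILES = {
  'server/search.js':
    "const url = base + '/search';\n" +
    "fetch(url, { headers: { 'x-api-key': 'a69c65f3-0db7-4e1a-9f44-1c2d3e4f5a6b' } });\n",
  'config/aws.js': "const accessKeyId = 'AKIAIOSFODNN7EXAMPLE';\n",
  'test/fixtures.js': "const NIL_UUID = '00000000-0000-0000-0000-000000000000';\n",
  '.env': 'API_KEY=do-not-commit\n',
  'README.md': 'Run npm install.\n',
};

const RULES = { deniedFiles: DENIED_FILES, denyStrings: DENY_STRINGS, denyOverrides: DENY_OVERRIDES };
console.log(formatReport(scanFiles(SAMPLE_FILES, RULES)));
```

Running it reports .env as a denied file and two denied strings (the uuid-shaped API key in server/search.js and the AKIA key in config/aws.js); the nil UUID in test/fixtures.js matches the first rule but is suppressed by the override, which is the same trade-off you make when you allow a match in secret-squirrel.cjs: an override silences one exact value, not the rule.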

What are the global rules?

See the global rules. Want changes? Please submit a PR and ask in #etg for someone to approve.

Credit to Adam Braimbridge for coming up with the Secret Squirrel name

Local Development

Prerequisites

Ensure you have the following tools and libraries installed:

Installation & Configuration

Execute the following commands to clone the repo, install dependencies and configure a local copy of the application:

$ git clone git@github.com:Financial-Times/secret-squirrel.git
$ cd secret-squirrel
$ make install   # install the dependencies

Ensure you always create a new branch which is named after the ticket you are working on.

Testing

To confirm the application behaves as expected, run the test suite with:

make test

Coding Standards

We drive secure, maintainable code with ESLint, Prettier and Snyk by running the following commands regularly:

make verify             # Apply code formatting and highlight syntax errors
snyk wizard             # Check for and correct security vulnerabilities

Commits and Pull Requests

Commit frequently to enable early visibility of your code for pairing and formal review.

Every git push runs the verify command mentioned above to confirm adherence to the coding standards.

Any failures must be corrected before the code will be applied to the repository.

If you need to share incomplete or incorrect code, you may use `git push --no-verify` to temporarily bypass the checks. Bear in mind that the same flag on `git commit` also skips the secret-squirrel pre-commit hook, so do not use it to get past a denied-string failure.

Deploying the application

After merging to main, add a semver tag with a v prefix (for example v2.21.1) to release to production. Tags that are not semver, or that lack the v prefix, will not trigger a deployment.

This should be done through Github releases!

License

ISC
