A developer-friendly secrets detection tool for CI and pre-commit hooks
detect-secrets npm package is a Node.js-based wrapper for Yelp's detect-secrets tool that aims to provide an accessible and developer-friendly method of introducing secrets detection in pre-commit hooks.
Yelp's detect-secrets is based on Python and requires explicit installation from developers. Moreover, its installation may be challenging in different operating systems.
detect-secrets aims to alleviate this challenge by:
- Attempt to locate Yelp's detect-secrets tool, and if it exists in the path to execute it.
If it fails it continues to:
- Attempt to locate the docker binary and if it exists it will download and execute the docker container for lirantal/detect-secrets which has Yelp's detect-secrets inside the image.
If this fails as well:
- Exit with a warning message
The above described fallback strategy is used to find an available method of executing the detect-secrets tool to protect the developer from leaking secrets into source code control.
npm install --save detect-secrets
This will expose
detect-secrets-launcher Node.js executable file.
Another way to invoke it is with npx which will download and execute the detect-secrets wrapper on the fly:
npx detect-secrets [arguments]
If you're using
husky to manage pre-commit hooks configuration, then enabling secrets detection is as simple as adding another hook entry.
"husky":"hooks":"pre-commit": "detect-secrets-launcher src/*"
If you're using
lint-staged to manage pre-commit hooks configuration and running static code analysis on staged files, then enabling secrets detection is as simple as adding another lint-staged entry.
A typical setup will look like this as an example:
"husky":"hooks":"pre-commit": "lint-staged""lint-staged":"linters":"**/*.js":"detect-secrets-launcher --baseline .secrets-baseline"
If you're not using a baseline file (it is created using Yelp's server-side detect-secrets tool) then you can simply omit this out and keep it as simple as
To scan the
index.js file within a repository for the potential of leaked secrets inside it run the following:
index.js has to be staged and versioned control. Any other plain file that is not known to git will not be scanned.
Please consult CONTIRBUTING for guidelines on contributing to this project.