Added detect-secret pre-commit hook

umarali-nagoor · umarali-nagoor · commit ec995bd767ac · 2021-10-12T18:36:33.000+05:30
diff --git a/.github/workflows/validate_terraform.yml b/.github/workflows/validate_terraform.yml
@@ -25,6 +25,9 @@ jobs:
       -
         name: Install pre-commit
         run: pip install pre-commit
+      -
+        name: Upgrade hooks
+        run: pre-commit autoupdate
       -
         name: Run pre-commit command
         run: pre-commit run -a
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -6,12 +6,26 @@ default_stages: [commit]
 # Terraform Validate : Validates the configuration files in a directory, referring only to the configuration and not accessing any remote services such as remote state, provider APIs, etc
 repos:
 - repo: git://github.com/antonbabenko/pre-commit-terraform
-  rev: v1.45.0
+  rev: v1.52.0
   hooks:
     - id: terraform_fmt
 - repo: git://github.com/pre-commit/pre-commit-hooks
-  rev: v3.4.0
+  rev: v4.0.1
   hooks:
       - id: check-merge-conflict
       - id: trailing-whitespace
       - id: detect-private-key
+- repo: https://github.com/ibm/detect-secrets
+  # If you desire to use a specific version of detect-secrets, you can replace `master` with other git revisions such as branch, tag or commit sha.
+  # You are encouraged to use static refs such as tags, instead of branch name
+  #
+  # Running "pre-commit autoupdate" would automatically updates rev to latest tag
+  rev: 0.13.1+ibm.46.dss
+  hooks:
+    - id: detect-secrets # pragma: whitelist secret
+      # Add options for detect-secrets-hook binary. You can run `detect-secrets-hook --help` to list out all possible options.
+      # You may also run `pre-commit run detect-secrets` to preview the scan result.
+      # when "--baseline" without "--use-all-plugins", pre-commit scan with just plugins in baseline file
+      # when "--baseline" with "--use-all-plugins", pre-commit scan with all available plugins
+      # add "--fail-on-non-audited" to fail pre-commit for unaudited potential secrets
+      args: [--baseline, .secrets.baseline, --use-all-plugins ]
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -0,0 +1,85 @@
+{
+  "exclude": {
+    "files": "^.secrets.baseline$",
+    "lines": null
+  },
+  "generated_at": "2021-10-12T12:36:29Z",
+  "plugins_used": [
+    {
+      "name": "AWSKeyDetector"
+    },
+    {
+      "name": "ArtifactoryDetector"
+    },
+    {
+      "name": "AzureStorageKeyDetector"
+    },
+    {
+      "base64_limit": 4.5,
+      "name": "Base64HighEntropyString"
+    },
+    {
+      "name": "BasicAuthDetector"
+    },
+    {
+      "name": "BoxDetector"
+    },
+    {
+      "name": "CloudantDetector"
+    },
+    {
+      "ghe_instance": "github.ibm.com",
+      "name": "GheDetector"
+    },
+    {
+      "name": "GitHubTokenDetector"
+    },
+    {
+      "hex_limit": 3,
+      "name": "HexHighEntropyString"
+    },
+    {
+      "name": "IbmCloudIamDetector"
+    },
+    {
+      "name": "IbmCosHmacDetector"
+    },
+    {
+      "name": "JwtTokenDetector"
+    },
+    {
+      "keyword_exclude": null,
+      "name": "KeywordDetector"
+    },
+    {
+      "name": "MailchimpDetector"
+    },
+    {
+      "name": "NpmDetector"
+    },
+    {
+      "name": "PrivateKeyDetector"
+    },
+    {
+      "name": "SlackDetector"
+    },
+    {
+      "name": "SoftlayerDetector"
+    },
+    {
+      "name": "SquareOAuthDetector"
+    },
+    {
+      "name": "StripeDetector"
+    },
+    {
+      "name": "TwilioKeyDetector"
+    }
+  ],
+  "results": {},
+  "version": "0.13.1+ibm.46.dss",
+  "word_list": {
+    "file": null,
+    "hash": null
+  }
+}
diff --git a/README.md b/README.md
@@ -119,16 +119,45 @@ Be sure you have the compiled plugins on $HOME/.terraform.d/plugins/
 ### Pre-commit Hooks
 
 Run the following command to execute the pre-commit hooks defined in .pre-commit-config.yaml file
-
+```
 pre-commit run -a
+```
 
 We can install pre-coomit tool using
 
+```
 pip install pre-commit
 
       or
 
 pip3 install pre-commit
+```
+
+### Detect Secret Hook
+
+Used to detect secrets within a code base. 
+
+To create a secret baseline file run following command
+
+```
+detect-secrets scan --update .secrets.baseline
+```
+
+While running the pre-commit hook, if you encounter an error like
+
+```
+WARNING: You are running an outdated version of detect-secrets.
+Your version: 0.13.1+ibm.27.dss
+Latest version: 0.13.1+ibm.46.dss
+See upgrade guide at https://ibm.biz/detect-secrets-how-to-upgrade
+```
+
+run below command
+
+```
+pre-commit autoupdate
+```
+which upgrades all the pre-commit hooks present in .pre-commit.yaml file.
 
 ## How to input varaible values through a file
 

Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,9 @@ jobs:`
`25`	`25`	`-`
`26`	`26`	`name: Install pre-commit`
`27`	`27`	`run: pip install pre-commit`
	`28`	`+ -`
	`29`	`+ name: Upgrade hooks`
	`30`	`+ run: pre-commit autoupdate`
`28`	`31`	`-`
`29`	`32`	`name: Run pre-commit command`
`30`	`33`	`run: pre-commit run -a`