Run docker-detect-secrets in the root of a project using Husky.

Question

Run docker-detect-secrets in the root of a project using Husky.

Closed this issue 3 years ago · 5 comments

Hello there. I've been trying to implement this solution in my project using Husky but I'm having a hard time with the setup.

I know the readme says:

The current directory is assumed to be the .git root directory

But can the current directory be something different?

This is the structure of my project:

project
│   .secrets.baseline
│
└───.husky
│   │   pre-commit
│   │   commit-msg
│   
└───frontend
│   │   somefile1.js
│   │   somefile2.ts
│   │   ...
│   
└───backend
    │   somefile3.js
    │   somefile4.js

What I have in my pre-commit file is this:

#!/usr/bin/env sh
. "$(dirname -- "$0")/_/husky.sh"

npx lint-staged
docker run -it --rm --name detect-secrets --volume `pwd`:/usr/src/app lirantal/detect-secrets "*"

The npx lint-staged line is working fine but the second one:

docker run -it --rm --name detect-secrets --volume `pwd`:/usr/src/app lirantal/detect-secrets "*"

Is giving me this output:

[scan]  INFO    Skipping "*" due to `detect_secrets.filters.common.is_invalid_file`

I also tested passing a full path and also a relative path but same result:

docker run -it --rm --name detect-secrets --volume `pwd`:/usr/src/app lirantal/detect-secrets "frontend/somefile1.js"

[scan]  INFO    Skipping "frontend/somefile1.js" due to `detect_secrets.filters.common.is_invalid_file`

What am I doing wrong?

Can this project structure have this working?

I would really appreciate the help.

Versions:

Husky: 8.0.0
Docker Desktop 4.9.1

Answer 1 · 2022-07-02T22:37:54.000Z

Does this PR provide you with any help to get the configuration you need sorted out? verdaccio/verdaccio#1373

Answer 2 · 2022-07-02T22:45:00.000Z

I just tested locally on a project and seems to work fine on my end, maybe you need to pull a newer image?

docker run -it --rm --platform linux/amd64 --name detect-secrets --volume `pwd`:/usr/src/app lirantal/detect-secrets *
[scan]	INFO	Checking file: Dockerfile
[scan]	INFO	Checking file: LICENSE
[scan]	INFO	Checking file: README.md
[scan]	INFO	Checking file: app.js
[scan]	INFO	Skipping secret due to `detect_secrets.filters.heuristic.is_indirect_reference`.
[scan]	INFO	Skipping secret due to `detect_secrets.filters.heuristic.is_indirect_reference`.
[scan]	INFO	Skipping secret due to `detect_secrets.filters.heuristic.is_indirect_reference`.
[scan]	INFO	Skipping secret due to `detect_secrets.filters.heuristic.is_indirect_reference`.
[scan]	INFO	Skipping secret due to `detect_secrets.filters.heuristic.is_indirect_reference`.
[scan]	INFO	Skipping secret due to `detect_secrets.filters.heuristic.is_indirect_reference`.
[scan]	INFO	Skipping secret due to `detect_secrets.filters.heuristic.is_indirect_reference`.
[scan]	INFO	Skipping secret due to `detect_secrets.filters.heuristic.is_indirect_reference`.
[scan]	INFO	Skipping secret due to `detect_secrets.filters.heuristic.is_indirect_reference`.
[scan]	INFO	Skipping secret due to `detect_secrets.filters.heuristic.is_indirect_reference`.
[scan]	INFO	Skipping secret due to `detect_secrets.filters.heuristic.is_indirect_reference`.
[scan]	INFO	Skipping secret due to `detect_secrets.filters.heuristic.is_indirect_reference`.
[scan]	INFO	Skipping secret due to `detect_secrets.filters.heuristic.is_indirect_reference`.
[scan]	INFO	Skipping secret due to `detect_secrets.filters.heuristic.is_indirect_reference`.
[scan]	INFO	Skipping secret due to `detect_secrets.filters.heuristic.is_indirect_reference`.
[scan]	INFO	Skipping secret due to `detect_secrets.filters.heuristic.is_indirect_reference`.
[scan]	INFO	Skipping secret due to `detect_secrets.filters.heuristic.is_indirect_reference`.
[scan]	INFO	Skipping secret due to `detect_secrets.filters.heuristic.is_indirect_reference`.
[scan]	INFO	Skipping secret due to `detect_secrets.filters.heuristic.is_indirect_reference`.
[scan]	INFO	Skipping secret due to `detect_secrets.filters.heuristic.is_indirect_reference`.
[scan]	INFO	Skipping secret due to `detect_secrets.filters.heuristic.is_indirect_reference`.
[scan]	INFO	Skipping secret due to `detect_secrets.filters.heuristic.is_indirect_reference`.
[scan]	INFO	Checking file: app.json
[scan]	INFO	Checking file: deploy-heroku.md
[scan]	INFO	Checking file: docker-compose.yml

Answer 3 · 2022-07-03T01:14:12.000Z

Hey, @lirantal thanks for taking the time to answer my question!

I didn't change anything and I'm not sure why but right now I'm not getting the is_invalid_file message anymore. But I do notice something, it is working using * and isn't when using "*".

But the thing is that it's working now! Did something change?

Also, what does this mean?

[scan]	INFO	Skipping secret due to `detect_secrets.filters.heuristic.is_indirect_reference`.

I'm testing and trying to commit a JavaScript file containing a fake secret and when I try to scan it I get that output. Is that expected? Should I be worried?

Thank you!

Edit:

Okay, I get it.

heuristic.is_indirect_reference | Primarily for KeywordDetector, filters secrets like secret = get_secret_key().

My file has secrets following that secret = get_secret_key() format and that's why it gets skipped.

But what if someone puts a direct reference to a secret inside that file and it gets skipped? How can I avoid that?

Answer 4 · 2022-07-03T16:45:17.000Z

Happy to hear it's fixed and working for you :-)

About the CLI output message, you can refer to more of Yelp's repository for a more elaborate filters reference

Answer 5 · 2022-07-03T17:21:31.000Z

Will do that. Thank you so much for the help! 🙂