[New Feature]: Integrate Secrets Detection with CI/CD Pipelines
Checked for duplicates
Yes - I've already checked
Alternatives considered
Yes - and alternatives don't suffice
Related problems
As a further enhancement to our Jenkins pipelines, we can integrate use of the Secrets Detection tool to monitor any commits that might include sensitive information such as credentials, hostnames, or IP addresses.
A good description of the detect-secrets tool (already installed on OPERA test machines) can be found here: https://riverma.github.io/slim/docs/guides/software-lifecycle/security/secrets-detection/
Describe the feature request
Rather than integrate usage as a git pre-commit hook, I would like it to become an additional stage in our build/test pipeline to track branches to be merged.
detect-secrets works by comparing a .secrets.baseline file it creates with a pre-existing version within the repo, so the first step will be to use detect-secrets to generate the initial version of the file, and commit it to the working branch. From there, if subsequent execution of detect-secrets from the CI pipeline results in an updated version of .secrets.baseline, the pipeline stage should fail and print a notification message that .secrets.baseline needs to be examined and recommitted to the working branch. Otherwise, the stage should pass.
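One way to implement the stage described above, as an added example that is not part of this issue, of OPERA's pipelines, or of detect-secrets itself. It assumes the baseline lives at the repository root, that the Jenkins stage runs after the branch under test has been checked out, and that detect-secrets refreshes the `generated_at` timestamp every time it saves the file (my understanding of the tool; verify on the installed version), which is why it compares the `results` section of the two baselines rather than the raw file bytes. The file path `ci/secrets_gate.py` used in the usage note is hypothetical.

```python
#!/usr/bin/env python3
"""CI gate that fails when a detect-secrets rescan adds findings to .secrets.baseline.

Added example for the pipeline stage described in the issue; not OPERA's code and
not part of detect-secrets. Assumptions: the baseline sits at the repository root,
and detect-secrets rewrites `generated_at` whenever it saves the file, so only the
`results` section is compared.
"""
import json
import shutil
import subprocess
import sys
from pathlib import Path

BASELINE_NAME = ".secrets.baseline"


def findings(baseline):
    """Reduce a baseline dict to a set of (filename, detector type, hashed secret, line).

    `generated_at`, `plugins_used` and `filters_used` are ignored on purpose: they can
    change between runs without any new secret having been committed.
    """
    out = set()
    for filename, entries in baseline.get("results", {}).items():
        for entry in entries:
            out.add((filename, entry.get("type"), entry.get("hashed_secret"), entry.get("line_number")))
    return out


def evaluate(committed, rescanned):
    """Compare the committed baseline with the rescanned one.

    Returns (exit_code, message): 0 when the rescan added nothing, 1 when it did and
    the baseline must be examined and recommitted to the working branch.
    """
    added = findings(rescanned) - findings(committed)
    if not added:
        return 0, "detect-secrets: no new findings; baseline unchanged"
    lines = [
        f"  {filename}:{line} [{kind}]"
        for filename, kind, _hash, line in sorted(added, key=lambda f: (f[0], f[3] or 0))
    ]
    msg = (
        f"detect-secrets: {len(added)} new finding(s) not in {BASELINE_NAME}:\n"
        + "\n".join(lines)
        + f"\nRun 'detect-secrets audit {BASELINE_NAME}', then commit the updated baseline."
    )
    return 1, msg


def run_stage(repo_root="."):
    """Jenkins entry point: rescan against the committed baseline, return the exit code."""
    root = Path(repo_root)
    baseline_path = root / BASELINE_NAME
    if not baseline_path.is_file():
        print(f"{BASELINE_NAME} missing; create it with 'detect-secrets scan > {BASELINE_NAME}' and commit it")
        return 1
    if shutil.which("detect-secrets") is None:
        print("detect-secrets is not on PATH")
        return 1
    committed = json.loads(baseline_path.read_text())
    # `detect-secrets scan --baseline FILE` rescans the tree and rewrites FILE in place.
    subprocess.run(["detect-secrets", "scan", "--baseline", BASELINE_NAME], cwd=root, check=True)
    rescanned = json.loads(baseline_path.read_text())
    code, message = evaluate(committed, rescanned)
    print(message)
    return code


if __name__ == "__main__":
    sys.exit(run_stage(sys.argv[1] if len(sys.argv) > 1 else "."))
```

A Jenkinsfile stage would call it with something like `sh 'python3 ci/secrets_gate.py'`; a non-zero exit fails the stage and the printed message is the notification the issue asks for. Two design choices worth noting: the literal "file was updated" check (`git diff --exit-code -- .secrets.baseline`) is simpler but, if the timestamp is rewritten on every scan, it fails on every run, and it also fails when a finding disappears because the offending line was removed; this gate only flags findings that were added, so if the team wants any change to block the merge, compare the symmetric difference of the two `findings()` sets instead.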
Closed by #481