
add `verify` cli option to verify secrets post-hoc

Open domanchi opened this issue 4 years ago • 0 comments

This is spawned from https://github.com/Yelp/detect-secrets/issues/153#issuecomment-504284806

Summary

We want to add a detect-secrets verify option so that already created baselines are able to verify their discovered secrets (without needing to scan the codebase again). It would look something like this:

$ cat .secrets.baseline
...
  "results": [
    ...
    {
      "type": "AWS Access Key",
      "filename": "scripts/run_performance_tests.py",
      "hashed_secret": "874e6e498dcfe2ad53452e2b12ec336fca465408",
      "is_verified": false,
      "line_number": 202
    },
    ...
  ]

$ detect-secrets verify .secrets.baseline
$ cat .secrets.baseline | grep '874e6e498dcfe2ad53452e2b12ec336fca465408'

This won't find any results, since the verify command will assume the verification status is as if set by the --only-verified flag in detect-secrets scan.


However, it's currently unclear whether this feature is desired. We will leave it up to the community to decide: if you encounter the need for this feature, please drop a 👍 to this issue, and if there's enough community support for it, we will add this.

domanchi, Nov 17 '20 15:11
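The workflow the proposal sketches, as an added example that is not part of the issue and not detect-secrets code: a baseline stores only `hashed_secret`, so a post-hoc `verify` pass has to recover the plaintext from `filename:line_number` (re-extract candidates on that line and keep the one whose hash matches), hand it to a verifier, and then, under `--only-verified` semantics, drop every result that did not come back `VERIFIED_TRUE`. Assumptions: `hashed_secret` is the hex SHA-1 of the raw secret, the candidate regex is a simplified stand-in for the plugin's, the `VerifiedResult` names are my own, and `fake_verifier` replaces the network call the real plugin would make (for AWS, an STS request). All sample files and keys are constructed. The example also shows the three failure modes a practitioner hits in practice: file deleted, secret rotated since the scan, and a verifier that cannot reach the service.

```python
import hashlib
import re
from enum import Enum
from typing import Callable, Dict, List, Optional


class VerifiedResult(Enum):
    # Assumed outcome names for a plugin verifier: live, dead, or could not tell.
    VERIFIED_TRUE = "verified_true"
    VERIFIED_FALSE = "verified_false"
    UNVERIFIED = "unverified"


def hash_secret(secret: str) -> str:
    # Assumption: hashed_secret is the hex SHA-1 of the raw secret text.
    return hashlib.sha1(secret.encode("utf-8")).hexdigest()


# Simplified candidate extractor per secret type (assumed, not the plugin's regex).
CANDIDATE_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "AWS Access Key": re.compile(r"AKIA[0-9A-Z]{16}"),
}

Verifier = Callable[[str, str], VerifiedResult]


def recover_secret(result: dict, files: Dict[str, List[str]]) -> Optional[str]:
    """Map a baseline entry back to plaintext via filename:line_number + hash match."""
    lines = files.get(result["filename"])
    if lines is None:                       # file deleted since the scan
        return None
    idx = result["line_number"] - 1
    if idx < 0 or idx >= len(lines):        # file shrank since the scan
        return None
    pattern = CANDIDATE_PATTERNS.get(result["type"])
    if pattern is None:                     # no extractor for this secret type
        return None
    for candidate in pattern.findall(lines[idx]):
        if hash_secret(candidate) == result["hashed_secret"]:
            return candidate
    return None                             # line changed: the recorded secret is gone


def verify_baseline(baseline: dict, files: Dict[str, List[str]],
                    verifier: Verifier, only_verified: bool = True) -> dict:
    """Re-verify every result in place; with only_verified, keep VERIFIED_TRUE only."""
    kept = []
    for result in baseline["results"]:
        secret = recover_secret(result, files)
        status = (VerifiedResult.UNVERIFIED if secret is None
                  else verifier(result["type"], secret))
        updated = dict(result, is_verified=(status is VerifiedResult.VERIFIED_TRUE))
        if only_verified and status is not VerifiedResult.VERIFIED_TRUE:
            continue
        kept.append(updated)
    return dict(baseline, results=kept)


# Constructed sample data (not a real baseline or repository).
LIVE_KEY = "AKIAIOSFODNN7EXAMPLE"   # AWS documentation placeholder id, treated as "live" here
DEAD_KEY = "AKIA" + "Z" * 16        # constructed, treated as revoked
OLD_KEY = "AKIA" + "O" * 16         # constructed, recorded in the baseline but since rotated

SAMPLE_FILES: Dict[str, List[str]] = {
    "scripts/run_performance_tests.py": [""] * 201 + [f"AWS_KEY = '{LIVE_KEY}'"],
    "scripts/old.py": [f"AWS_KEY = '{DEAD_KEY}'"],
    "scripts/rotated.py": ["AWS_KEY = 'AKIA" + "Q" * 16 + "'"],   # replaced after the scan
}


def _entry(filename: str, secret: str, line_number: int) -> dict:
    return {"type": "AWS Access Key", "filename": filename,
            "hashed_secret": hash_secret(secret), "is_verified": False,
            "line_number": line_number}


SAMPLE_BASELINE = {"results": [
    _entry("scripts/run_performance_tests.py", LIVE_KEY, 202),
    _entry("scripts/old.py", DEAD_KEY, 1),
    _entry("scripts/rotated.py", OLD_KEY, 1),
    _entry("scripts/deleted.py", DEAD_KEY, 3),
]}


def fake_verifier(secret_type: str, secret: str) -> VerifiedResult:
    # Stand-in for the plugin's live check; the real one would call the service.
    return (VerifiedResult.VERIFIED_TRUE if secret == LIVE_KEY
            else VerifiedResult.VERIFIED_FALSE)


def run_example(only_verified: bool = True) -> dict:
    return verify_baseline(SAMPLE_BASELINE, SAMPLE_FILES, fake_verifier, only_verified)


if __name__ == "__main__":
    for r in run_example()["results"]:
        print(r["filename"], r["hashed_secret"], r["is_verified"])
```

With `only_verified=True` only the live key survives, which matches the issue's expectation that grepping the baseline for a hash that was not verified finds nothing; with `only_verified=False` every entry stays but gets an honest `is_verified` flag. Note that a rotated or deleted secret is reported as unverifiable rather than dead: the hash can no longer be matched to any plaintext, so the tool has nothing to send to the verifier.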