nbQA
Feature Request: Support for gitleaks (or trufflehog)
The tools gitleaks and trufflehog can catch secret keys before they're checked into git, but they don't get triggered by secrets in notebooks.
Theoretically it would be a perfect fit for nbQA to also run (one of) these tools, once the notebooks are already converted to .py files.
The only issue I can expect is that you don't install gitleaks with pip but would typically use it from a container.
Related issue on the gitleaks-side, missing notebook support: https://github.com/gitleaks/gitleaks/issues/914
hi - sure, open to this if someone submits a pr and it's simple and easy to understand
I almost made it work:
- Install `gitleaks` on your system (such as `brew install gitleaks` on macOS).
- Then I can successfully run:

```console
% nbqa --nbqa-shell "gitleaks dir" test_with_secret.ipynb

    ○
    │╲
    │ ○
    ○ ░
    ░ gitleaks

2:49PM INF scanned ~268 bytes (268 bytes) in 2.94ms
2:49PM WRN leaks found: 1
```
However, note that gitleaks doesn't (properly) accept multiple files as input (tracked in https://github.com/gitleaks/gitleaks/issues/1727 ), so the following examples will scan much more than just the listed notebooks (and might run for a very long time in a complex repo):

```shell
gitleaks dir test_with_secret.ipynb test_with_secret2.ipynb
# scans all of "."
nbqa --nbqa-shell "gitleaks dir" test_with_secret.ipynb test_with_secret2.ipynb
# scans all of "."
```

So this means that the two pre-commit hooks below almost work, but:
- the first one only works (as intended) if there's only one notebook staged
- the second one only works (as intended) if there's only one notebook in the whole repo
```yaml
- repo: https://github.com/nbQA-dev/nbQA
  rev: 1.9.1
  hooks:
    - id: nbqa
      name: nbqa gitleaks
      entry: nbqa "gitleaks dir"
      args: ["--nbqa-shell"]
- repo: https://github.com/gitleaks/gitleaks
  rev: v8.26.0
  hooks:
    - id: gitleaks
      entry: nbqa --nbqa-shell "gitleaks dir"
      language: golang
```

So probably this will be a good approach once the PR linked to the above issue gets merged.
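The two practical points in this thread, that a notebook's code cells have to be pulled out of the JSON before a text-oriented scanner sees them cleanly, and that the scanner has to be invoked once per converted file because `gitleaks dir` with several paths falls back to scanning `.`, can be shown end to end without gitleaks installed. The script below is an added example and is not nbQA's or gitleaks's code: it parses a constructed `.ipynb` document inline, extracts each code cell's source the way an nbqa-style conversion would (code cells only, outputs dropped), and runs a tiny built-in regex scanner over the result. It also scans cell outputs, which a source-only conversion never hands to the tool, so a token that was merely printed in a notebook would be missed by the pre-commit hooks above; that caveat is this example's own observation. The two regexes are a minimal stand-in for a real ruleset, and `run_external_per_file` simply invokes `gitleaks dir <file>` one file at a time if the binary happens to be on `PATH` (both are assumptions of the example). The AWS key in the sample is the documented placeholder from AWS's own docs; the GitHub token is built from repeated characters.

```python
import json
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# Tiny subset of token shapes, chosen for this example; NOT gitleaks's ruleset.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Constructed sample notebook (nbformat 4 layout). Cell 1 has a key in its
# source; cell 2 only *prints* a token, so it appears in an output, not in code.
SAMPLE_NB = {
    "cells": [
        {"cell_type": "markdown", "metadata": {}, "source": ["# sample\n"]},
        {"cell_type": "code", "metadata": {}, "execution_count": 1,
         "source": ["import boto3\n",
                    "AWS_KEY = 'AKIAIOSFODNN7EXAMPLE'  # AWS docs placeholder key\n"],
         "outputs": []},
        {"cell_type": "code", "metadata": {}, "execution_count": 2,
         "source": ["import os\n", "print(os.environ['GITHUB_TOKEN'])\n"],
         "outputs": [{"output_type": "stream", "name": "stdout",
                      "text": ["ghp_" + "A" * 36 + "\n"]}]},
    ],
    "metadata": {}, "nbformat": 4, "nbformat_minor": 5,
}


def _join(src):
    # nbformat allows a cell source (or output text) to be a string or a list of lines.
    return "".join(src) if isinstance(src, list) else src


def iter_cell_text(nb, include_outputs):
    """Yield (location, text) for each code cell source and, optionally, its text outputs."""
    for idx, cell in enumerate(nb.get("cells", [])):
        if cell.get("cell_type") != "code":
            continue
        yield f"cell[{idx}].source", _join(cell.get("source", ""))
        if not include_outputs:
            continue
        for oidx, out in enumerate(cell.get("outputs", [])):
            if "text" in out:                       # stream outputs
                yield f"cell[{idx}].outputs[{oidx}].text", _join(out["text"])
            for mime, payload in out.get("data", {}).items():  # display/execute results
                if mime.startswith("text/"):
                    yield f"cell[{idx}].outputs[{oidx}].data[{mime}]", _join(payload)


def scan_notebook(nb, include_outputs=True):
    """Return [(rule, location, match)] for every pattern hit in the notebook."""
    findings = []
    for location, text in iter_cell_text(nb, include_outputs):
        for rule, rx in PATTERNS.items():
            findings.extend((rule, location, m.group(0)) for m in rx.finditer(text))
    return findings


def notebook_to_py(nb):
    """Approximate what an nbqa-style conversion hands the tool: code-cell sources only."""
    return "\n".join(text for _, text in iter_cell_text(nb, include_outputs=False))


def run_external_per_file(nb_paths, scanner=("gitleaks", "dir")):
    """Invoke the external scanner once per converted notebook (works around scanners that
    mishandle several path arguments). Returns {notebook: returncode}, or None if the
    scanner binary is not installed."""
    if shutil.which(scanner[0]) is None:
        return None
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for p in map(Path, nb_paths):
            nb = json.loads(p.read_text(encoding="utf-8"))
            py = Path(tmp) / (p.stem + ".py")
            py.write_text(notebook_to_py(nb), encoding="utf-8")
            proc = subprocess.run([*scanner, str(py)], capture_output=True, text=True)
            results[str(p)] = proc.returncode
    return results


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "test_with_secret.ipynb"
        path.write_text(json.dumps(SAMPLE_NB), encoding="utf-8")
        nb = json.loads(path.read_text(encoding="utf-8"))
        print("code cells only:", scan_notebook(nb, include_outputs=False))
        print("code + outputs: ", scan_notebook(nb, include_outputs=True))
        print("external per-file run:", run_external_per_file([path]))
```

Running the script shows the asymmetry: the source-only scan reports just the AWS key from cell 1, while the scan that includes outputs also reports the token printed by cell 2. If you wire a converter like this into a hook, loop over the staged notebooks and call the scanner per file as `run_external_per_file` does, rather than passing all of them to one `gitleaks dir` invocation.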