Before creating / modifying any GitHub Actions workflow make sure you’re familiar with . Pay special attention to:
In this page we are also providing guidance on how to setup common tooling related to security.
It is far too easy to accidentally leak secrets on public repositories by inadvertently committing them in variables or configuration files after just doing a quick test during development.
To prevent this kind of issues, it’s highly suggested to integrate a solution like Yelp/detect-secrets in the standard development workflow.
As a prerequisite,
install the
detect-secrets
CLI.
The first step is to create the secrets baseline, that is just a JSON file holding all the settings and references all the potential secrets that have been detected in your codebase with:
detect-secrets scan > .secrets.baseline
git add .secrets.baseline
Then you can start auditing all the detected secrets in your codebase with:
detect-secrets audit .secrets.baseline
For each detected secret, it will ask you if that secret is really meant to be present in the codebase or not:
is_secret
field will be false
)is_secret
field will be true
)Marking each detection as a secret or not is just to make everyone aware that a secret is meant to be there or if an issue that needs to be solved. If you have many non-secrets that get detected but follows a certain pattern, read the exclusion via regex section before proceeding.
At this point you can commit the baseline:
git add .secrets.baseline
git commit -m 'detect-secrets baseline initialized'
Last step is to enable the pre-commit
hook in your .pre-commit-config.yaml
that will warn when one or more secrets not already present in the baseline are
detected:
- repo: https://github.com/Yelp/detect-secrets
rev: v1.4.0
hooks:
- id: detect-secrets
args: ["--baseline", ".secrets.baseline"]
To update the current baseline with any new secret or to automatically remove the ones not anymore present:
detect-secrets scan --baseline .secrets.baseline
if you have recently updated detect-secrets, you may want to opt-in for new plugins with
--force-use-all-plugins
Run a diff to make sure that everything you expect is there and proceed with auditing and finally committing the update:
git diff
detect-secrets audit .secrets.baseline
git add .secrets.baseline
git commit -m 'detect-secrets baseline updated'
It’s possible to provide to detect-secrets scan
different exclude
regex patterns if you have a lot of false positive that you don’t want to
handle on an individual basis:
--exclude-lines EXCLUDE_LINES
If lines match this regex, it will be ignored.
--exclude-files EXCLUDE_FILES
If filenames match this regex, it will be ignored.
--exclude-secrets EXCLUDE_SECRETS
If secrets match this regex, it will be ignored.
For example, to exclude all files with xyz extension or which path is inside a
node_modules
folder:
detect-secrets scan --baseline .secrets.baseline --exclude-files '.*\.yml' --exclude-files 'node_modules'
For example, to exclude a dummy/default password that is ok to use:
detect-secrets scan --baseline .secrets.baseline --exclude-secrets 'MyDefaultPassword'
You can check if exclusion are working as expected by inspecting the resulting baseline that should not have anymore references to secrets that are matching at least one exclusion regex.
git diff
git add .secrets.baseline
git commit -m 'Excluding unwanted files in the baseline'
Please also note that when those options are present, they overwrite any
previously defined exclusion of the same type in the baseline, i.e. if you want
to append an exclusion pattern you need to manually specify again all of them
when running detect-secrets scan
.