
Detect-Secrets.md

# Secrets detection example

## Parameters

| Argument | Description |
|----------|-------------|
| `-s` | Scans the current directory |
| `-e value` | Entropy threshold (allowed randomness); default value 4 |

Detects secrets in the current project.

- One `analysis` stage with one job
- Allows the job to fail without impacting the rest of the CI (`allow_failure: true`)

```yaml
stages:
  - analysis

# Job name assumed: the rendered page lost the job key and showed a stray
# `variables:` line here, which would turn `stage`, `tags` and `script` into
# plain CI variables instead of job keywords.
detect-secrets:
  stage: analysis
  tags:
    - docker
  script:
    - docker run --rm -v "${PWD}:/work" -w /work its-registry.unl.edu/unl-its/docker-ci/detect-secrets -s -e 4.5
  allow_failure: true
```

## Inline Allowlisting

To tell detect-secrets to ignore a particular line of code, simply append an inline `# pragma: allowlist secret` comment. For example:

```python
API_KEY = "blah-blah-but-actually-not-secret"  # pragma: allowlist secret
print('hello world')
```

Inline commenting syntax for a multitude of languages is supported:

| Comment Style | Language Support |
|---------------|------------------|
| `#` | e.g. Python, Dockerfile, YAML |
| `//` | e.g. Go, C++, Java |
| `/* */` | e.g. C, Java |
| `'` | e.g. Visual Basic .NET |
| `--` | e.g. SQL, Haskell |
| `<!-- -->` | e.g. XML |

This is a convenient way to allowlist secrets without regenerating the entire baseline. It also makes the allowlisted secrets easy to search for, audit, and maintain.
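As an added example (not part of this page or the detect-secrets project), here is a simplified Python model of the two controls described above: a Shannon-entropy check over quoted strings gated by the `-e` threshold the CI job sets to 4.5, and the skip triggered by the `pragma: allowlist secret` comment. The regexes, the `scan_lines` function and the sample lines are this example's own assumptions; the real detect-secrets plugins are more selective (for instance they only consider hex- and base64-looking strings).

```python
import math
import re

# Inline pragma recognised by detect-secrets (quoted on the page). The regexes
# and the scanner below are this example's own simplified model, not the
# project's code: real plugins also restrict candidates to hex/base64 charsets.
ALLOWLIST_PRAGMA = re.compile(r"pragma:\s*allowlist\s+secret", re.IGNORECASE)
QUOTED = re.compile(r"""["']([^"']{8,})["']""")  # quoted strings, 8+ chars


def shannon_entropy(data: str) -> float:
    """Bits of Shannon entropy per character of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    length = len(data)
    return -sum((data.count(ch) / length) * math.log2(data.count(ch) / length)
                for ch in set(data))


def scan_lines(lines, threshold=4.5):
    """Return (line_no, candidate, entropy) for every quoted string whose
    entropy exceeds `threshold` (the CI job's `-e 4.5`), skipping any line
    that carries the inline allowlist pragma."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        if ALLOWLIST_PRAGMA.search(line):
            continue  # reviewed and allowlisted on purpose
        for candidate in QUOTED.findall(line):
            entropy = shannon_entropy(candidate)
            if entropy > threshold:
                findings.append((line_no, candidate, round(entropy, 2)))
    return findings


# Constructed sample file: the two lines from the page plus invented fixtures.
SAMPLE = [
    'API_KEY = "blah-blah-but-actually-not-secret"  # pragma: allowlist secret',
    "print('hello world')",
    'TOKEN = "aB3dE9fGhI2jKlM5nOpQ7rStU1vWxYz0"',  # 32 distinct chars: 5.0 bits
    'FIXTURE_KEY = "Zy9Xw8Vu7Ts6Rq5Po4Nm3Lk2Ji1Hg0Fe"  # pragma: allowlist secret',
    'SESSION = "0123456789abcdefg"',  # 17 distinct chars: ~4.09 bits
    'GREETING = "hello hello hello hello"',
]

if __name__ == "__main__":
    # Lowering the threshold from 4.5 to the default 4 also flags line 5.
    for threshold in (4.5, 4.0):
        print(f"threshold {threshold}: {scan_lines(SAMPLE, threshold)}")
```

Line 4 shows why the pragma matters: its string is as random as the real finding on line 3, but the comment marks it as a reviewed test fixture so it is not reported.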

    source