- Initial commit - empty repo
- Initial setup
- Create the baseline and stage it:

  ```shell
  detect-secrets scan > .secrets.baseline
  git add .secrets.baseline
  ```
- Commit `secret.conf`: fails as expected. (Overridden with `SKIP=detect-secrets git commit`.)
- Add another secret to `secret.conf`, but use 2 forms of inline allowlisting. `detect-secrets` does not hinder the commit.
- Add secrets to a JSON file, which does not support comments. First way, just add to baseline:

  ```shell
  git add secret.json
  git commit                                # fails
  detect-secrets scan > .secrets.baseline
  git commit                                # succeeds
  ```
- Better than just adding to baseline is to use the `audit` functionality to document that the inclusion was intentional (and not just an add-to-baseline to get the warning to go away):

  ```shell
  detect-secrets audit .secrets.baseline
  git add --update
  git commit                                # succeeds
  ```
- Once you've audited secrets, you'll find that if you change line numbers in the file, your first commit attempt will show changes made:

  ```shell
  # add property to secret.json
  git add --update
  git commit                                # fails
  ```

  ```
  Detect secrets...........................................................Failed
  - hook id: detect-secrets
  - exit code: 3
  - files were modified by this hook

  The baseline file was updated.
  Probably to keep line numbers of secrets up-to-date.
  Please `git add .secrets.baseline`, thank you.
  ```

  ```shell
  # if you want, verify the changes
  git diff .secrets.baseline   # see that only `line_number` & `generated_at` properties are changed
  git add --update
  git commit                                # succeeds
  ```
- If you have files that contain only hashes, but no secrets (such as dependency lock files), you can add those files to your `detect-secrets` configuration in the `.pre-commit-config.yaml` file as described here (at the end of the section).
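The walkthrough leaves two checks to the reader's eyes: whether every baselined finding was actually audited (rather than just re-scanned into the baseline), and whether a hook-rewritten baseline really only moved `line_number` and `generated_at` before you `git add .secrets.baseline`. The script below automates both. It is an added example, not code from this page or from the detect-secrets project; it assumes the v1 baseline layout (`results` keyed by filename, `audit` recording its verdict in an `is_secret` key), and the baselines, hashes and timestamps in it are constructed placeholders.

```python
import copy
import json
from pathlib import Path

# Constructed sample baseline (not a real scan): layout follows the
# detect-secrets v1 format written by `detect-secrets scan > .secrets.baseline`.
# Entries that went through `detect-secrets audit` carry an `is_secret` key;
# entries merely baselined to silence the hook do not.
# hashed_secret values are placeholders, not real hashes.
BASELINE_BEFORE = {
    "version": "1.4.0",
    "plugins_used": [{"name": "KeywordDetector"}],
    "filters_used": [],
    "results": {
        "secret.json": [{
            "type": "Secret Keyword",
            "filename": "secret.json",
            "hashed_secret": "0" * 39 + "1",
            "is_verified": False,
            "line_number": 3,
            "is_secret": False,      # audited: marked as a false positive
        }],
        "secret.conf": [{
            "type": "Secret Keyword",
            "filename": "secret.conf",
            "hashed_secret": "0" * 39 + "2",
            "is_verified": False,
            "line_number": 2,        # never audited: no `is_secret` key
        }],
    },
    "generated_at": "2024-01-01T00:00:00Z",
}

# Same repo after a property was added above the secret in secret.json and the
# hook re-scanned: only line_number and generated_at moved (the benign case).
BASELINE_AFTER_RESCAN = copy.deepcopy(BASELINE_BEFORE)
BASELINE_AFTER_RESCAN["results"]["secret.json"][0]["line_number"] = 4
BASELINE_AFTER_RESCAN["generated_at"] = "2024-01-02T00:00:00Z"

# A re-scan that also picked up a brand-new finding; this must not be waved
# through with a reflexive `git add .secrets.baseline`.
BASELINE_WITH_NEW_FINDING = copy.deepcopy(BASELINE_AFTER_RESCAN)
BASELINE_WITH_NEW_FINDING["results"]["config.yml"] = [{
    "type": "Secret Keyword",
    "filename": "config.yml",
    "hashed_secret": "0" * 39 + "3",
    "is_verified": False,
    "line_number": 7,
}]

# Per-entry fields the hook legitimately rewrites on a re-scan.
VOLATILE_FIELDS = {"line_number"}


def load_baseline(path):
    """Read a .secrets.baseline file from disk."""
    return json.loads(Path(path).read_text())


def unaudited_entries(baseline):
    """(filename, line_number) of every finding that was baselined but never audited."""
    return [
        (fname, entry["line_number"])
        for fname, entries in baseline["results"].items()
        for entry in entries
        if "is_secret" not in entry
    ]


def _index(baseline):
    # Identify a finding by file, detector type and secret hash, never by line.
    return {
        (fname, e["type"], e["hashed_secret"]): e
        for fname, entries in baseline["results"].items()
        for e in entries
    }


def rescan_delta(old, new):
    """Classify the per-entry changes between two baselines, as a reviewer would from `git diff`."""
    old_idx, new_idx = _index(old), _index(new)
    delta = {"moved": [], "added": [], "removed": [], "changed": []}
    for key in sorted(set(old_idx) | set(new_idx)):
        o, n = old_idx.get(key), new_idx.get(key)
        if o is None:
            delta["added"].append(key)
        elif n is None:
            delta["removed"].append(key)
        else:
            stable_o = {k: v for k, v in o.items() if k not in VOLATILE_FIELDS}
            stable_n = {k: v for k, v in n.items() if k not in VOLATILE_FIELDS}
            if stable_o != stable_n:
                delta["changed"].append(key)
            elif o["line_number"] != n["line_number"]:
                delta["moved"].append((key, o["line_number"], n["line_number"]))
    return delta


def safe_to_add(old, new):
    """True when the only per-entry differences are line numbers (generated_at is ignored)."""
    d = rescan_delta(old, new)
    return not (d["added"] or d["removed"] or d["changed"])


if __name__ == "__main__":
    print("unaudited:", unaudited_entries(BASELINE_BEFORE))
    print("plain re-scan safe to add:", safe_to_add(BASELINE_BEFORE, BASELINE_AFTER_RESCAN))
    print("re-scan with new finding:", rescan_delta(BASELINE_BEFORE, BASELINE_WITH_NEW_FINDING))
```

On a real repository, call `safe_to_add(load_baseline("HEAD-version"), load_baseline(".secrets.baseline"))` after the hook rewrote the file (e.g. with the committed copy saved via `git show HEAD:.secrets.baseline`); a `False` result means the diff contains more than moved line numbers and deserves an `audit` pass rather than a plain `git add`.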