How does one run a scan against a current baseline? #246

Closed
oschrenk opened this issue Oct 1, 2019 · 7 comments
Labels
question The issue is a technical question related to the project.

Comments

@oschrenk

oschrenk commented Oct 1, 2019

I fail to see how this is possible given the CLI options available. I guessed detect-secrets scan --baseline .secrets.baseline, but it does not recognise the option.

detect-secrets scan --baseline .secrets.baseline
usage: detect-secrets [-h] [-v] [--version] {scan,audit} ...
detect-secrets: error: unrecognized arguments: --baseline

This is confirmed by detect-secrets scan --help. There is no --baseline option.

How does one run a scan against a current baseline?


Background:

I’m asking because I am required to use this tool, but since we also use husky I wanted to use the detect-secrets CLI for easy integration - that does not seem possible.

I thought the workflow for the detect-secrets CLI would be something like:

# create initial baseline
detect-secrets scan > .secrets.baseline

# mark false/true positives
detect-secrets audit .secrets.baseline

# fix issues
git add .secrets.baseline fixed_file ...
git commit -m "Fixed secrets" 

# and then the following for subsequent runs
detect-secrets scan --baseline .secrets.baseline

But it seems that scan is only used for building the baseline and that there is a hard requirement on using the pre-commit hook to find new violations against the baseline. Is that assumption correct?

@KevinHock KevinHock added the question The issue is a technical question related to the project. label Oct 1, 2019
@KevinHock
Collaborator

Hi @oschrenk, thanks for making this.

You are right that detect-secrets scan does not have a --baseline option. I don't think there is a good reason for this; we should probably add it, as it would be more intuitive, as you point out.

We do install a detect-secrets-hook command in the CLI [1], which has the option; does that solve your desired use-case?

[1]

'detect-secrets-hook = detect_secrets.pre_commit_hook:main',

@oschrenk
Author

oschrenk commented Oct 2, 2019

That does help. Wasn't aware of the second script. Thanks!

@oschrenk oschrenk closed this as completed Oct 2, 2019
@manesioz

manesioz commented Mar 6, 2020

Hey @KevinHock! I'm running into the exact same issue (I want to integrate detect-secrets with husky) but I'm afraid detect-secrets-hook isn't working right now.

My package.json file (where husky is configured) looks like this:

...
"husky": {
    "hooks": {
      "pre-commit": "detect-secrets-hook --baseline .secrets.baseline",
      "pre-push": "npm run lint && npm run test"
    }
  },
...

However, after configuring my baseline and adding this to my repo, whenever I try to commit an obvious test secret it passes (in fact, it gives no indication that it even ran). When I run the same commit with pre-commit it fails as expected. Do you know what command I should be running?
Aside from husky, running manually, what command would I run to re-scan and fail if any new secrets are found? Thanks!

@KevinHock
Collaborator

So the pre-commit framework normally passes all the file names to detect-secrets-hook; unlike detect-secrets, the hook doesn’t default to scanning “.” when given no arguments. (usage.py, if curious)

@manesioz

manesioz commented Mar 6, 2020

I see. Is there any chance that feature might be included? Or rather, an --all-files tag? Recursively checking the files using glob is not ideal considering the directory structure may change over time. And it's probably fair to say that most people would find it easier to opt-out of scanning a few files rather than opt-in (since most people want their whole directory scanned).

@KevinHock
Collaborator

So your current command looks good except something else will need to add the file names.

Technically, we could have the hook run git diff itself, given a certain flag, but that’s not something we’ve looked into.

@manesioz

manesioz commented Mar 6, 2020

Right, so I could run something like this:

detect-secrets-hook -v --exclude-lines=".*integrity.*" --no-db2-scan --keyword-exclude=".*secret.*" ./**/**

which has the configurations I need, but I still need to run ./**/** which does not encompass my entire directory. I will look at ways around this in the meantime, but allowing users to automatically scan every file would be a very useful feature to have :)
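The thread establishes that detect-secrets-hook only scans the file names it is handed, and that husky, unlike the pre-commit framework, hands it none. The following wrapper script is an added example, not code from the detect-secrets project or from anyone in this thread: it collects the staged file names from git and passes them to detect-secrets-hook, so a husky "pre-commit" entry of `sh scripts/detect-secrets-staged.sh` gets the same coverage the pre-commit framework would give. It assumes git and detect-secrets-hook are on PATH, that the baseline is at .secrets.baseline (override with the BASELINE environment variable), and the script file name is a hypothetical choice.

```shell
#!/bin/sh
# Added example (not part of the detect-secrets project or this thread):
# run detect-secrets-hook over the files staged for the current commit.
# Assumes: git and detect-secrets-hook on PATH; baseline at .secrets.baseline
# unless BASELINE is set. Intended file name: scripts/detect-secrets-staged.sh.

BASELINE="${BASELINE:-.secrets.baseline}"

# List staged files that still exist in the index (added, copied, modified,
# renamed; deleted files are skipped), NUL-separated so odd names survive.
staged_files() {
    git diff --cached --name-only --diff-filter=ACMR -z
}

# True (exit 0) when the NUL-separated list in file $1 names at least one file.
# An empty list means there is nothing to scan, so the hook must not be run
# with no arguments (it would scan nothing and report success).
has_files() {
    [ -s "$1" ]
}

# Hand the NUL-separated list in file $1 to detect-secrets-hook. The exit
# status is the hook's own: non-zero when a secret absent from the baseline
# is found, which makes husky abort the commit.
scan_files() {
    xargs -0 detect-secrets-hook --baseline "$BASELINE" < "$1"
}

main() {
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT
    staged_files > "$tmp"
    if ! has_files "$tmp"; then
        echo "detect-secrets-staged: no staged files to scan" >&2
        exit 0
    fi
    scan_files "$tmp"
}

# Only run when executed as the hook script itself (hypothetical file name),
# so the functions above can also be sourced and tested in isolation.
if [ "$(basename "$0")" = "detect-secrets-staged.sh" ]; then
    main "$@"
fi
```

Wire it into package.json as `"pre-commit": "sh scripts/detect-secrets-staged.sh"` in place of the bare detect-secrets-hook call; the baseline keeps working the same way, and `git commit` is refused only when the hook reports a finding that the audited baseline does not already record.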

killuazhu pushed a commit to IBM/detect-secrets that referenced this issue May 28, 2020
killuazhu pushed a commit to IBM/detect-secrets that referenced this issue Jul 9, 2020
killuazhu pushed a commit to IBM/detect-secrets that referenced this issue Sep 17, 2020
use correct docker setting (Yelp#246)

Use escape sequence to replace clear (Yelp#247)

Build docker images for DSS client (Yelp#248)

Build on tag push (Yelp#249)

Publish to Artifactory (Yelp#250)