# Secret Squirrel

This is like AWS's git-secrets but better.
```sh
npm install --save-dev @financial-times/secret-squirrel husky
```

(Note that the above command also installs [husky](https://github.com/typicode/husky), a tool that lets you manage git hooks.)
Next, add the `secret-squirrel` precommit hook as a script in `package.json`:

```json
"scripts": {
  "precommit": "secret-squirrel"
}
```
Note: If you're in Next, we recommend linting on commit and unit testing on push:

```json
"scripts": {
  "precommit": "make verify -j3 && secret-squirrel",
  "prepush": "make unit-test"
}
```
That's it. From this point on, you can't commit any code that breaks the rules.
```
$ git commit
running bin/pre-commit.js script
executing task "secret-squirrel"
server/search.js:5:fetch(url, { headers: { x-api-key: 'a69c65f3-0db7...' } })
DENIED FILES
.env
DENIED STRINGS
file: server/search.js
line number: 5
full line: fetch(url, { headers: { x-api-key: 'a69c65f3-0db7...' } })
deny match: a69c65f3-0db7...
deny rule: [a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}
Error: denied strings found
*** WARNING!!!! ***
Resolve the above. For any potential secrets found, remove them from the code, allow them in project's secret-squirrel.js, or tweak the global rules in https://github.com/Financial-Times/secret-squirrel/blob/master/global-rules.js
We are removing the files from the commit if added
Protip: run `secret-squirrel init` to autogenerate the config with the matches for you to thoroughly check before committing to Git B)
Any problems, please contact the Enabling Technologies Group (#etg)
*******************
pre-commit You've failed to pass all the hooks.
```

You cannot. Facepalm.
## Can I add project-specific rules?

You can! Ask Secret Squirrel to autogenerate a config with any secrets it finds for you to thoroughly check & adjust before committing to Git:

```sh
secret-squirrel init
```
N.B.: This command will always create a config file with a `.cjs` extension, to avoid any future issues that may arise from migrating your project from CommonJS to ES modules or vice versa.
Look in the global rules for some inspiration. You do not need to specify the starting (`^`), ending (`$`) or boundary (`\b`) anchors, because Secret Squirrel already adds them.
Protip: do not commit the config if it contains actual secrets (!)
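To make the rule-writing convention concrete, here is an added illustration (not Secret Squirrel's own source code) of a minimal scanner that behaves the way this README describes: deny and allow patterns are written without `^`, `$` or `\b`, the scanner adds the word boundaries itself, and every hit is reported in the `file / line number / full line / deny match / deny rule` shape shown above. The deny rule is the UUID-shaped one from the pre-commit output; the allow rule and the sample file contents are constructed for the demo.

```javascript
// Added illustration, not Secret Squirrel's own source: a minimal scanner that
// behaves as the README describes. Rules are written WITHOUT ^, $ or \b (the
// scanner adds word boundaries itself) and hits use the pre-commit report shape.

// Deny rule quoted from the README output above: a UUID-shaped API key.
const DENY_RULES = [
  '[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}',
];

// Hypothetical project-specific allow rule: a public placeholder that matches
// the deny rule but is not a secret (the kind of exception a local config holds).
const ALLOW_RULES = ['00000000-0000-0000-0000-000000000000'];
// Wrap a bare pattern in word boundaries, as the tool does for you.
function compile(pattern, flags = '') {
  return new RegExp(`\\b(?:${pattern})\\b`, flags);
}

// Scan one file's text; returns one entry per denied match not covered by an allow rule.
function scan(fileName, text) {
  const deny = DENY_RULES.map((p) => ({ pattern: p, re: compile(p, 'g') }));
  const allow = ALLOW_RULES.map((p) => compile(p));
  const hits = [];
  text.split('\n').forEach((line, idx) => {
    for (const { pattern, re } of deny) {
      for (const m of line.matchAll(re)) {
        if (allow.some((a) => a.test(m[0]))) continue; // allow-listed value
        hits.push({ file: fileName, lineNumber: idx + 1, fullLine: line,
                    denyMatch: m[0], denyRule: pattern });
      }
    }
  });
  return hits;
}

// Render hits in the "file / line number / full line / deny match / deny rule" style.
function formatReport(hits) {
  return hits.map((h) => `file: ${h.file}\nline number: ${h.lineNumber}\n` +
    `full line: ${h.fullLine}\ndeny match: ${h.denyMatch}\ndeny rule: ${h.denyRule}`).join('\n\n');
}

// Constructed sample file (made-up values, not real keys): line 2 is denied,
// line 3 is allow-listed, line 4 shows that the added \b stops mid-word matches.
const SAMPLE_FILE = [
  "const url = 'https://example.invalid/search';",
  "fetch(url, { headers: { 'x-api-key': 'deadbeef-cafe-f00d-1234-0123456789ab' } });",
  "const NIL_UUID = '00000000-0000-0000-0000-000000000000';",
  "const notAKey = 'xdeadbeef-cafe-f00d-1234-0123456789abx';",
].join('\n');
const hits = scan('server/search.js', SAMPLE_FILE);
if (hits.length > 0) console.log('DENIED STRINGS\n' + formatReport(hits));
```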
## What are the global rules?

See the [global rules](https://github.com/Financial-Times/secret-squirrel/blob/master/global-rules.js). Want changes? Please submit a PR and ask in #etg for someone to approve.
Credit to Adam Braimbridge for coming up with the Secret Squirrel name