@financial-times/secret-squirrel
Secret Squirrel

This is like AWS's git-secrets but better.

npm install --save-dev @financial-times/secret-squirrel husky

(Note that the above command also installs husky, a tool for managing git hooks: https://github.com/typicode/husky)

Next, add the secret-squirrel precommit hook as a script in package.json.

    "scripts": {
        "precommit": "secret-squirrel"
    }

Note: If you're in Next, we recommend linting on commit and unit testing on push:

    "scripts": {
        "precommit": "make verify -j3 && secret-squirrel",
        "prepush": "make unit-test"
    }

That's it. From this point on, you can't commit any code that breaks the rules.

    $ git commit
    running bin/pre-commit.js script
    executing task "secret-squirrel"

    server/search.js:5:fetch(url, { headers: { x-api-key: 'a69c65f3-0db7...' } })

    DENIED FILES

    .env

    DENIED STRINGS

    file: server/search.js
    line number: 5
    full line: fetch(url, { headers: { x-api-key: 'a69c65f3-0db7...' } })
    deny match: a69c65f3-0db7...
    deny rule: [a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}

    Error: denied strings found

    *** WARNING!!!! ***

    Resolve the above. For any potential secrets found, remove them from the code, allow them in project's secret-squirrel.js, or tweak the global rules in https://github.com/Financial-Times/secret-squirrel/blob/master/global-rules.js

    We are removing the files from the commit if added

    Protip: run `secret-squirrel init` to autogenerate the config with the matches for you to thoroughly check before committing to Git B)

    Any problems, please contact the Enabling Technologies Group (#etg)

    *******************

    pre-commit You've failed to pass all the hooks.

You cannot. Facepalm.


Can I add project-specific rules?

You can! Ask Secret Squirrel to autogenerate a config with any secrets it finds for you to thoroughly check & adjust before committing to Git:

secret-squirrel init

N.B.: This command always creates a config file with the .cjs extension. This avoids problems that could arise later if your project migrates from CommonJS to ES modules, or vice versa.

Look in global rules for some inspiration. You do not need to specify the starting (^), ending ($) or boundary (\b) because Secret Squirrel already adds them.

Protip: do not commit the config if it contains actual secrets (!)
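To make the two points above concrete, here is an added example (not secret-squirrel's own code) of how a deny rule written without anchors is wrapped in `\b` boundaries before matching, and how matches are reported in the same shape as the DENIED STRINGS output shown earlier. The deny rule is the one from the sample run; the allow list, rule wrapping and file contents are assumptions constructed for the example.

```javascript
// Added example, not secret-squirrel's own code: a minimal re-creation of the
// DENIED STRINGS scan. Rule bodies are written without ^, $ or \b, as the README
// says, and the scanner adds the \b boundaries itself before matching.

const denyRules = [
  // UUID-style key, taken from the deny rule in the sample run above
  '[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}',
];

// Hypothetical project-level allow list: exact matches listed here are ignored,
// standing in for values you would allow in the project's own config.
const allowStrings = ['00000000-0000-0000-0000-000000000000'];

// Wrap a bare rule body with word boundaries so a key embedded in a longer
// identifier is not reported as a partial match.
function compileRule(body) {
  return new RegExp(`\\b(?:${body})\\b`, 'g');
}

// Scan one file's text and return one report per denied match.
function scanFile(filename, text) {
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    for (const body of denyRules) {
      const re = compileRule(body);
      let m;
      while ((m = re.exec(line)) !== null) {
        if (allowStrings.includes(m[0])) continue;
        findings.push({
          file: filename,
          lineNumber: idx + 1,
          fullLine: line,
          denyMatch: m[0],
          denyRule: body,
        });
      }
    }
  });
  return findings;
}

// Constructed sample input: a file with one real-looking key and one allowed placeholder.
const sampleSource = [
  'const url = buildUrl(q);',
  "fetch(url, { headers: { 'x-api-key': '12345678-abcd-1234-abcd-1234567890ab' } });",
  "const placeholder = '00000000-0000-0000-0000-000000000000';",
].join('\n');

function sampleReport() {
  return scanFile('server/search.js', sampleSource);
}
```

Running `sampleReport()` yields a single finding for line 2; the placeholder on line 3 matches the rule but is dropped by the allow list.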

What are the global rules?

See the global rules. Want changes? Please submit a PR and ask in #etg for someone to approve.

Credit to Adam Braimbridge for coming up with the Secret Squirrel name