Skip to content

Add detect-secrets pre-commit hook and baseline#18

Merged
tsvikas merged 8 commits into
mainfrom
claude/add-detect-secrets-WCHjc
Apr 8, 2026
Merged

Add detect-secrets pre-commit hook and baseline#18
tsvikas merged 8 commits into
mainfrom
claude/add-detect-secrets-WCHjc

Conversation

@tsvikas
Copy link
Copy Markdown
Owner

@tsvikas tsvikas commented Apr 8, 2026

Summary

Integrate secret detection into the project's pre-commit hooks and initialization workflow to prevent accidental commits of sensitive credentials.

Key Changes

  • Added detect-secrets as a new security hook in the pre-commit configuration
    • Configured to validate against a .secrets.baseline file
  • Updated the project initialization script to generate the initial secrets baseline
    • Runs detect-secrets scan during just init to create .secrets.baseline
    • Automatically commits the baseline file with a security-focused commit message

Implementation Details

  • The detect-secrets hook will run on every commit to catch any new secrets before they're committed
  • The baseline file is generated during initial project setup to establish a known state of any pre-existing secrets
  • Uses uvx to run detect-secrets without requiring it as a direct project dependency

https://claude.ai/code/session_01PS6USVBi11LZAmfhotZGHU

claude added 5 commits April 8, 2026 14:43
@claude
Add detect-secrets pre-commit hook with baseline
6860318 
Add Yelp/detect-secrets v1.5.0 to the pre-commit config to prevent
new secrets from being committed. Includes a clean baseline file
generated with `detect-secrets scan`.

https://claude.ai/code/session_01PS6USVBi11LZAmfhotZGHU
@claude
Revert "Add detect-secrets pre-commit hook with baseline"
43c3346 
This reverts commit 6860318.
@claude
Add detect-secrets pre-commit hook to project template
6e670a6 
Add Yelp/detect-secrets to the generated project's pre-commit config
with baseline support. The `just init` task now generates
`.secrets.baseline` via `uvx detect-secrets scan` so the hook works
out of the box.

https://claude.ai/code/session_01PS6USVBi11LZAmfhotZGHU
@claude
Separate detect-secrets baseline into its own init commit
4f2fa07 
https://claude.ai/code/session_01PS6USVBi11LZAmfhotZGHU
@claude
Only stage .secrets.baseline in init commit
0fced22 
https://claude.ai/code/session_01PS6USVBi11LZAmfhotZGHU
sourcery-ai[bot]
sourcery-ai Bot reviewed Apr 8, 2026
View reviewed changes
Copy link
Copy Markdown

@sourcery-ai sourcery-ai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've left some high level feedback:

  • The init recipe unconditionally runs uvx detect-secrets scan > .secrets.baseline and then commits it; consider making this idempotent (e.g., only regenerating/committing when the baseline changes, and guarding the commit with a git status check) so rerunning just init doesn’t fail or clobber local updates to the baseline.
  • Running detect-secrets scan without any path or exclusion flags will scan everything under the repo; you may want to explicitly scope or exclude paths (e.g., build artifacts, virtualenvs) to avoid noise and oversized baselines.
Prompt for AI Agents 
Please address the comments from this code review:

## Overall Comments
- The `init` recipe unconditionally runs `uvx detect-secrets scan > .secrets.baseline` and then commits it; consider making this idempotent (e.g., only regenerating/committing when the baseline changes, and guarding the commit with a `git status` check) so rerunning `just init` doesn’t fail or clobber local updates to the baseline.
- Running `detect-secrets scan` without any path or exclusion flags will scan everything under the repo; you may want to explicitly scope or exclude paths (e.g., build artifacts, virtualenvs) to avoid noise and oversized baselines.
Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

claude added 3 commits April 8, 2026 14:58
@claude
Fail init if detect-secrets finds secrets in initial scan
65656f2 
Prevents silently baselining real secrets during project init.

https://claude.ai/code/session_01PS6USVBi11LZAmfhotZGHU
@claude
Use detect-secrets-hook to verify no secrets before generating baseline
2b7b7bf 
Replace Python one-liner with the built-in detect-secrets-hook which
exits non-zero when secrets are found. Run it before generating the
baseline so findings aren't silently allowed.

https://claude.ai/code/session_01PS6USVBi11LZAmfhotZGHU
@claude
Fix uvx commands to use --from detect-secrets
7ea841b 
detect-secrets-hook and detect-secrets scan are entry points from
the detect-secrets package, so uvx needs --from detect-secrets.

https://claude.ai/code/session_01PS6USVBi11LZAmfhotZGHU
@tsvikas tsvikas merged commit f266894 into main Apr 8, 2026
5 checks passed
@tsvikas tsvikas deleted the claude/add-detect-secrets-WCHjc branch April 8, 2026 15:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sourcery-ai sourcery-ai[bot] sourcery-ai[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tsvikas @claude