From 6860318d1515293a495c95ca7e7d0ab5d7a959a0 Mon Sep 17 00:00:00 2001
From: Claude
Date: Wed, 8 Apr 2026 14:43:33 +0000
Subject: [PATCH 1/8] Add detect-secrets pre-commit hook with baseline
Add Yelp/detect-secrets v1.5.0 to the pre-commit config to prevent new secrets from being committed. Includes a clean baseline file generated with `detect-secrets scan`.
https://claude.ai/code/session_01PS6USVBi11LZAmfhotZGHU
---
 .pre-commit-config.yaml | 5 ++
 .secrets.baseline | 127 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 132 insertions(+)
 create mode 100644 .secrets.baseline
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 07a2a63..84bdb4a 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -39,6 +39,11 @@ repos:
 - id: check-yaml
 - id: pretty-format-json
 exclude_types: [jupyter]
+ - repo: https://github.com/Yelp/detect-secrets
+ rev: v1.5.0
+ hooks:
+ - id: detect-secrets
+ args: ['--baseline', '.secrets.baseline']
 - repo: https://github.com/pre-commit/pygrep-hooks
 rev: v1.10.0
 hooks:
diff --git a/.secrets.baseline b/.secrets.baseline
new file mode 100644
index 0000000..7e09f97
--- /dev/null
+++ b/.secrets.baseline
@@ -0,0 +1,127 @@ +{ + "version": "1.5.0", + "plugins_used": [ + { + "name": "ArtifactoryDetector" + }, + { + "name": "AWSKeyDetector" + }, + { + "name": "AzureStorageKeyDetector" + }, + { + "name": "Base64HighEntropyString", + "limit": 4.5 + }, + { + "name": "BasicAuthDetector" + }, + { + "name": "CloudantDetector" + }, + { + "name": "DiscordBotTokenDetector" + }, + { + "name": "GitHubTokenDetector" + }, + { + "name": "GitLabTokenDetector" + }, + { + "name": "HexHighEntropyString", + "limit": 3.0 + }, + { + "name": "IbmCloudIamDetector" + }, + { + "name": "IbmCosHmacDetector" + }, + { + "name": "IPPublicDetector" + }, + { + "name": "JwtTokenDetector" + }, + { + "name": "KeywordDetector", + "keyword_exclude": "" + }, + { + "name": "MailchimpDetector" + }, + { + "name": "NpmDetector" + }, + { + "name": "OpenAIDetector" + }, + { + "name": "PrivateKeyDetector" + }, + { + "name": "PypiTokenDetector" + }, + { + "name": "SendGridDetector" + }, + { + "name": "SlackDetector" + }, + { + "name": "SoftlayerDetector" + }, + { + "name": "SquareOAuthDetector" + }, + { + "name": "StripeDetector" + }, + { + "name": "TelegramBotTokenDetector" + }, + { + "name": "TwilioKeyDetector" + } + ], + "filters_used": [ + { + "path": "detect_secrets.filters.allowlist.is_line_allowlisted" + }, + { + "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", + "min_level": 2 + }, + { + "path": "detect_secrets.filters.heuristic.is_indirect_reference" + }, + { + "path": "detect_secrets.filters.heuristic.is_likely_id_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_lock_file" + }, + { + "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_potential_uuid" + }, + { + "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign" + }, + { + "path": "detect_secrets.filters.heuristic.is_sequential_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_swagger_file" + }, + { + 
"path": "detect_secrets.filters.heuristic.is_templated_secret" + } + ], + "results": {}, + "generated_at": "2026-04-08T14:42:31Z" +} From 43c33463f8ccfbbaf39dfdd401436e6ce2ed5233 Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 8 Apr 2026 14:45:35 +0000 Subject: [PATCH 2/8] Revert "Add detect-secrets pre-commit hook with baseline" This reverts commit 6860318d1515293a495c95ca7e7d0ab5d7a959a0. --- .pre-commit-config.yaml | 5 -- .secrets.baseline | 127 ---------------------------------------- 2 files changed, 132 deletions(-) delete mode 100644 .secrets.baseline diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 84bdb4a..07a2a63 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -39,11 +39,6 @@ repos: - id: check-yaml - id: pretty-format-json exclude_types: [jupyter] - - repo: https://github.com/Yelp/detect-secrets - rev: v1.5.0 - hooks: - - id: detect-secrets - args: ['--baseline', '.secrets.baseline'] - repo: https://github.com/pre-commit/pygrep-hooks rev: v1.10.0 hooks: diff --git a/.secrets.baseline b/.secrets.baseline deleted file mode 100644 index 7e09f97..0000000 --- a/.secrets.baseline +++ /dev/null 
@@ -1,127 +0,0 @@ -{ - "version": "1.5.0", - "plugins_used": [ - { - "name": "ArtifactoryDetector" - }, - { - "name": "AWSKeyDetector" - }, - { - "name": "AzureStorageKeyDetector" - }, - { - "name": "Base64HighEntropyString", - "limit": 4.5 - }, - { - "name": "BasicAuthDetector" - }, - { - "name": "CloudantDetector" - }, - { - "name": "DiscordBotTokenDetector" - }, - { - "name": "GitHubTokenDetector" - }, - { - "name": "GitLabTokenDetector" - }, - { - "name": "HexHighEntropyString", - "limit": 3.0 - }, - { - "name": "IbmCloudIamDetector" - }, - { - "name": "IbmCosHmacDetector" - }, - { - "name": "IPPublicDetector" - }, - { - "name": "JwtTokenDetector" - }, - { - "name": "KeywordDetector", - "keyword_exclude": "" - }, - { - "name": "MailchimpDetector" - }, - { - "name": "NpmDetector" - }, - { - "name": "OpenAIDetector" - }, - { - "name": "PrivateKeyDetector" - }, - { - "name": "PypiTokenDetector" - }, - { - "name": "SendGridDetector" - }, - { - "name": "SlackDetector" - }, - { - "name": "SoftlayerDetector" - }, - { - "name": "SquareOAuthDetector" - }, - { - "name": "StripeDetector" - }, - { - "name": "TelegramBotTokenDetector" - }, - { - "name": "TwilioKeyDetector" - } - ], - "filters_used": [ - { - "path": "detect_secrets.filters.allowlist.is_line_allowlisted" - }, - { - "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", - "min_level": 2 - }, - { - "path": "detect_secrets.filters.heuristic.is_indirect_reference" - }, - { - "path": "detect_secrets.filters.heuristic.is_likely_id_string" - }, - { - "path": "detect_secrets.filters.heuristic.is_lock_file" - }, - { - "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string" - }, - { - "path": "detect_secrets.filters.heuristic.is_potential_uuid" - }, - { - "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign" - }, - { - "path": "detect_secrets.filters.heuristic.is_sequential_string" - }, - { - "path": "detect_secrets.filters.heuristic.is_swagger_file" - }, - { - 
"path": "detect_secrets.filters.heuristic.is_templated_secret" - } - ], - "results": {}, - "generated_at": "2026-04-08T14:42:31Z" -} From 6e670a6f2ba5ce5b6a57fbee2061fb24499ba17a Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 8 Apr 2026 14:48:58 +0000 Subject: [PATCH 3/8] Add detect-secrets pre-commit hook to project template Add Yelp/detect-secrets to the generated project's pre-commit config with baseline support. The `just init` task now generates `.secrets.baseline` via `uvx detect-secrets scan` so the hook works out of the box. https://claude.ai/code/session_01PS6USVBi11LZAmfhotZGHU --- project_name/.pre-commit-config.yaml.jinja | 7 +++++++ project_name/justfile.jinja | 1 + 2 files changed, 8 insertions(+) diff --git a/project_name/.pre-commit-config.yaml.jinja b/project_name/.pre-commit-config.yaml.jinja index 14d5c5c..6704ac6 100644 --- a/project_name/.pre-commit-config.yaml.jinja +++ b/project_name/.pre-commit-config.yaml.jinja @@ -87,6 +87,13 @@ repos: # UTF-8 encoding - id: text-unicode-replacement-char + # Security + - repo: https://github.com/Yelp/detect-secrets + rev: + hooks: + - id: detect-secrets + args: ['--baseline', '.secrets.baseline'] + # All files - repo: https://github.com/editorconfig-checker/editorconfig-checker.python rev: diff --git a/project_name/justfile.jinja b/project_name/justfile.jinja index 7710a02..bb2b8a1 100644 --- a/project_name/justfile.jinja +++ b/project_name/justfile.jinja @@ -16,6 +16,7 @@ init: && prepare git add --all git commit -m "🚀 Initialized project using https://github.com/tsvikas/python-template" just deps-update + uvx detect-secrets scan > .secrets.baseline git add --all [ -z "$(git status --porcelain)" ] || git commit -m "⬆️ Updated project dependencies" From 4f2fa07d16000efb10f0347e9de99debff19cf15 Mon Sep 17 00:00:00 2001 
From: Claude
Date: Wed, 8 Apr 2026 14:54:06 +0000
Subject: [PATCH 4/8] Separate detect-secrets baseline into its own init commit
https://claude.ai/code/session_01PS6USVBi11LZAmfhotZGHU
---
 project_name/justfile.jinja | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/project_name/justfile.jinja b/project_name/justfile.jinja
index bb2b8a1..f4b0780 100644
--- a/project_name/justfile.jinja
+++ b/project_name/justfile.jinja
@@ -16,9 +16,11 @@ init: && prepare
 git add --all
 git commit -m "🚀 Initialized project using https://github.com/tsvikas/python-template"
 just deps-update
- uvx detect-secrets scan > .secrets.baseline
 git add --all
 [ -z "$(git status --porcelain)" ] || git commit -m "⬆️ Updated project dependencies"
+ uvx detect-secrets scan > .secrets.baseline
+ git add --all
+ [ -z "$(git status --porcelain)" ] || git commit -m "🔒 Add detect-secrets baseline"
 # Setup the project after cloning
 prepare:
From 0fced225d8689f5858aca35fd8297fd6847426f4 Mon Sep 17 00:00:00 2001
From: Claude
Date: Wed, 8 Apr 2026 14:55:23 +0000
Subject: [PATCH 5/8] Only stage .secrets.baseline in init commit
https://claude.ai/code/session_01PS6USVBi11LZAmfhotZGHU
---
 project_name/justfile.jinja | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/project_name/justfile.jinja b/project_name/justfile.jinja
index f4b0780..deed16c 100644
--- a/project_name/justfile.jinja
+++ b/project_name/justfile.jinja
@@ -19,8 +19,8 @@ init: && prepare
 git add --all
 [ -z "$(git status --porcelain)" ] || git commit -m "⬆️ Updated project dependencies"
 uvx detect-secrets scan > .secrets.baseline
- git add --all
- [ -z "$(git status --porcelain)" ] || git commit -m "🔒 Add detect-secrets baseline"
+ git add .secrets.baseline
+ git commit -m "🔒 Add detect-secrets baseline"
 # Setup the project after cloning
 prepare:
From 65656f2b165c0c62f1f062dccf7f26c50393b314 Mon Sep 17 00:00:00 2001
From: Claude
Date: Wed, 8 Apr 2026 14:58:48 +0000
Subject: [PATCH 6/8] Fail init if detect-secrets finds secrets in initial scan
Prevents silently baselining real secrets during project init.
https://claude.ai/code/session_01PS6USVBi11LZAmfhotZGHU
---
 project_name/justfile.jinja | 1 +
 1 file changed, 1 insertion(+)
diff --git a/project_name/justfile.jinja b/project_name/justfile.jinja
index deed16c..3190418 100644
--- a/project_name/justfile.jinja
+++ b/project_name/justfile.jinja
@@ -19,6 +19,7 @@ init: && prepare
 git add --all
 [ -z "$(git status --porcelain)" ] || git commit -m "⬆️ Updated project dependencies"
 uvx detect-secrets scan > .secrets.baseline
+ python3 -c "import json,sys; r=json.load(open('.secrets.baseline'))['results']; sys.exit('ERROR: detect-secrets found secrets in the initial scan:\n' + json.dumps(r, indent=2)) if r else None"
 git add .secrets.baseline
 git commit -m "🔒 Add detect-secrets baseline"
From 2b7b7bfe2a999a558d2657545314d6e1a5cad8a0 Mon Sep 17 00:00:00 2001
From: Claude
Date: Wed, 8 Apr 2026 15:06:14 +0000
Subject: [PATCH 7/8] Use detect-secrets-hook to verify no secrets before generating baseline
Replace Python one-liner with the built-in detect-secrets-hook which exits non-zero when secrets are found. Run it before generating the baseline so findings aren't silently allowed.
https://claude.ai/code/session_01PS6USVBi11LZAmfhotZGHU
---
 project_name/justfile.jinja | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/project_name/justfile.jinja b/project_name/justfile.jinja
index 3190418..e35f1c2 100644
--- a/project_name/justfile.jinja
+++ b/project_name/justfile.jinja
@@ -18,8 +18,8 @@ init: && prepare
 just deps-update
 git add --all
 [ -z "$(git status --porcelain)" ] || git commit -m "⬆️ Updated project dependencies"
+ uvx detect-secrets-hook $(git ls-files)
 uvx detect-secrets scan > .secrets.baseline
- python3 -c "import json,sys; r=json.load(open('.secrets.baseline'))['results']; sys.exit('ERROR: detect-secrets found secrets in the initial scan:\n' + json.dumps(r, indent=2)) if r else None"
 git add .secrets.baseline
 git commit -m "🔒 Add detect-secrets baseline"
From 7ea841b84682760fcec33acc5f18d5e4b70eb121 Mon Sep 17 00:00:00 2001
From: Claude
Date: Wed, 8 Apr 2026 15:11:48 +0000
Subject: [PATCH 8/8] Fix uvx commands to use --from detect-secrets
detect-secrets-hook and detect-secrets scan are entry points from the detect-secrets package, so uvx needs --from detect-secrets.
https://claude.ai/code/session_01PS6USVBi11LZAmfhotZGHU
---
 project_name/justfile.jinja | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/project_name/justfile.jinja b/project_name/justfile.jinja
index e35f1c2..dca51bb 100644
--- a/project_name/justfile.jinja
+++ b/project_name/justfile.jinja
@@ -18,8 +18,8 @@ init: && prepare
 just deps-update
 git add --all
 [ -z "$(git status --porcelain)" ] || git commit -m "⬆️ Updated project dependencies"
- uvx detect-secrets-hook $(git ls-files)
- uvx detect-secrets scan > .secrets.baseline
+ uvx --from detect-secrets detect-secrets-hook $(git ls-files)
+ uvx --from detect-secrets detect-secrets scan > .secrets.baseline
 git add .secrets.baseline
 git commit -m "🔒 Add detect-secrets baseline"
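Review bot: `$(git ls-files)` on the first added line is expanded unquoted by the shell, so a tracked path containing whitespace is split into fragments that presumably fail to resolve, and a large tree can exceed the argument-length limit; passing the list NUL-delimited, `git ls-files -z | xargs -0 uvx --from detect-secrets detect-secrets-hook`, avoids both. With just's default per-line shell the pipeline's status is that of `xargs`, which exits non-zero when any invocation does, so a finding still aborts `init` before the baseline on the next line is written, which is the behaviour 7/8 intends. The `init` recipe continues outside the hunk.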