From 1be42af0bba6c078b80fb80e8ef155a926db7f91 Mon Sep 17 00:00:00 2001
From: Will Langdale
Date: Tue, 3 Dec 2024 11:01:54 +0000
Subject: [PATCH 1/5] Added trufflehog to precommit hooks and justfile
---
 .pre-commit-config.yaml | 27 ++++++++++++++-------------
 README.md | 2 ++
 justfile | 4 ++++
 uv.lock | 2 +-
 4 files changed, 21 insertions(+), 14 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index f858145a..80769212 100755
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,18 +1,19 @@
 repos:
 - repo: local
 hooks:
- # Run the formatter.
- - id: ruff-format
- name: ruff-format
- description: "Run 'ruff format' for extremely fast Python formatting"
- entry: ruff format
- language: python
- types_or: [python, pyi]
- # Run the linter.
+ # Run the ruff linter and formatter using just command
 - id: ruff
 name: ruff
- description: "Run 'ruff' for extremely fast Python linting"
- entry: ruff check
- args: [ --fix ] # Enable lint fixes.
- language: python
- types_or: [python, pyi]
\ No newline at end of file
+ description: "Format Python code using ruff format via just command"
+ entry: just format
+ language: system
+ types_or: [python, pyi]
+ pass_filenames: false
+
+ # Check for secrets
+ - id: trufflehog
+ name: TruffleHog
+ description: Detect secrets in your data.
+ entry: bash -c 'trufflehog git file://. --since-commit HEAD --only-verified --fail'
+ language: system
+ stages: ["commit", "push"]
\ No newline at end of file
diff --git a/README.md b/README.md
index 656091bd..c779da76 100644
--- a/README.md
+++ b/README.md
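Review bot: The trufflehog hook's `--only-verified` flag means findings TruffleHog cannot confirm live (detectors with no verifier, or a credential that has since been rotated) are not reported and will not block the commit; if that trade-off is intentional, record it in the hook comment, e.g. `# Check for secrets (only findings TruffleHog can verify against the issuing service; unverified hits do not block)`. `language: system` runs whatever `trufflehog` binary is on the developer's PATH with no version pin, so the README should state how to install it and which version is expected; a missing binary will fail the hook with a shell "command not found" rather than being skipped. At the `push` stage HEAD is already the tip of what is being pushed, so `--since-commit HEAD` may leave little to scan there — worth confirming what TruffleHog scans in that case before relying on the push stage. `stages: ["commit", "push"]` uses the legacy stage names; recent pre-commit releases expect `pre-commit` and `pre-push`, so check this against the pinned pre-commit version. The file still ends without a trailing newline (`\ No newline at end of file`), and the later patches in this series only change the URI and quoting of this entry, so all of the above applies to the final state too.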
@@ -63,6 +63,8 @@ With the truth threshold set to `1.0` by default, deterministic methodologies ar
 This project is managed by [uv](https://docs.astral.sh/uv/), linted and formated with [ruff](https://docs.astral.sh/ruff/), and tested with [pytest](https://docs.pytest.org/en/stable/).
+Secret scanning is done with [trufflehog](https://github.com/trufflesecurity/trufflehog).
+
 Task running is done with [just](https://just.systems/man/en/). To see all available commands:
 ```console
diff --git a/justfile b/justfile
index eb86e9cc..e9b74b15 100644
--- a/justfile
+++ b/justfile
@@ -12,6 +12,10 @@ format:
 uv run ruff format .
 uv run ruff check . --fix
+# Scan for secrets
+scan:
+ trufflehog git file://. --only-verified
+
 # Run Python tests
 test:
 docker compose up -d --wait
diff --git a/uv.lock b/uv.lock
index c0881396..1ac2ac5d 100644
--- a/uv.lock
+++ b/uv.lock
@@ -909,7 +909,7 @@ wheels = [
 [[package]]
 name = "matchbox"
-version = "0.1.0"
+version = "0.2.0"
 source = { editable = "." }
 dependencies = [
 { name = "altair" },
From e547d30a8d14a08804c5eb489b7666fa01f80342 Mon Sep 17 00:00:00 2001
From: Will Langdale
Date: Tue, 3 Dec 2024 11:04:58 +0000
Subject: [PATCH 2/5] Added pre-commit to development
---
 README.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/README.md b/README.md
index c779da76..e1471827 100644
--- a/README.md
+++ b/README.md
@@ -65,6 +65,8 @@ This project is managed by [uv](https://docs.astral.sh/uv/), linted and formated
 Secret scanning is done with [trufflehog](https://github.com/trufflesecurity/trufflehog).
+For security, use of [pre-commit](https://pre-commit.com) is expected. Ensure your hooks are installed with `pre-commit install`.
+
 Task running is done with [just](https://just.systems/man/en/). To see all available commands:
 ```console
From 32fa701a637a7a4fd6420a00601420e81f08000d Mon Sep 17 00:00:00 2001
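Review bot: The new `scan` recipe runs `trufflehog git file://. --only-verified` without `--fail`, so the recipe's exit status does not reflect whether secrets were found; the pre-commit entry in this same series does pass `--fail`, and if `just scan` is meant to be usable in CI or as a gate it should match: `    trufflehog git file://. --only-verified --fail`. The recipe also calls a bare `trufflehog`, whereas the `format` recipe above it goes through `uv run`, so the binary has to be installed separately and the README lines added in this series name the tool but not how to install it. Patch 5 returns the recipe to exactly this form, so the point applies to the final state as well.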
From: Will Langdale
Date: Tue, 3 Dec 2024 11:34:33 +0000
Subject: [PATCH 3/5] Some fine tuning of commands based on guidance
---
 .pre-commit-config.yaml | 2 +-
 justfile | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 80769212..f1263a79 100755
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -14,6 +14,6 @@ repos:
 - id: trufflehog
 name: TruffleHog
 description: Detect secrets in your data.
- entry: bash -c 'trufflehog git file://. --since-commit HEAD --only-verified --fail'
+ entry: bash -c 'trufflehog git file://matchbox/ --since-commit HEAD --fail'
 language: system
 stages: ["commit", "push"]
\ No newline at end of file
diff --git a/justfile b/justfile
index e9b74b15..9444d694 100644
--- a/justfile
+++ b/justfile
@@ -14,7 +14,7 @@ format:
 # Scan for secrets
 scan:
- trufflehog git file://. --only-verified
+ trufflehog git file://matchbox/
 # Run Python tests
 test:
From 8fe0541a2df7cf301a53e556bf6ab6cf497c03cc Mon Sep 17 00:00:00 2001
From: Will Langdale
Date: Tue, 3 Dec 2024 11:40:04 +0000
Subject: [PATCH 4/5] Changed hook to match TruffleHog documentation exactly
---
 .pre-commit-config.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index f1263a79..0523995a 100755
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -14,6 +14,6 @@ repos:
 - id: trufflehog
 name: TruffleHog
 description: Detect secrets in your data.
- entry: bash -c 'trufflehog git file://matchbox/ --since-commit HEAD --fail'
+ entry: bash -c "trufflehog git file://matchbox --since-commit HEAD --only-verified --fail"
 language: system
 stages: ["commit", "push"]
\ No newline at end of file
From 04bb40cbbd5beaa78b07c947d7541bd4dba99f5a Mon Sep 17 00:00:00 2001
From: Will Langdale
Date: Tue, 3 Dec 2024 13:33:32 +0000
Subject: [PATCH 5/5] Changing TruffleHog to better reflect docs
---
 .pre-commit-config.yaml | 2 +-
 justfile | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 0523995a..70f2a09c 100755
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -14,6 +14,6 @@ repos:
 - id: trufflehog
 name: TruffleHog
 description: Detect secrets in your data.
- entry: bash -c "trufflehog git file://matchbox --since-commit HEAD --only-verified --fail"
+ entry: bash -c "trufflehog git file://. --since-commit HEAD --only-verified --fail"
 language: system
 stages: ["commit", "push"]
\ No newline at end of file
diff --git a/justfile b/justfile
index 9444d694..e9b74b15 100644
--- a/justfile
+++ b/justfile
@@ -14,7 +14,7 @@ format:
 # Scan for secrets
 scan:
- trufflehog git file://matchbox/
+ trufflehog git file://. --only-verified
 # Run Python tests
 test:
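Review bot: The `bash -c "..."` wrapper around the final entry is not needed for a `language: system` hook, which executes its `entry` directly; `entry: trufflehog git file://. --since-commit HEAD --only-verified --fail` does the same job with one fewer process and no shell-quoting to maintain across the edits this series went through. If the wrapper is kept on purpose to mirror the upstream TruffleHog example, a comment saying so (`# Kept as in the upstream pre-commit example`) would stop the next reviewer from removing it. The hunk's context lines still end in `\ No newline at end of file`, so adding the trailing newline while touching this entry would also settle that.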