What does HackerNews think of detect-secrets?
An enterprise friendly way of detecting and preventing secrets in code.
Would something like https://github.com/Yelp/detect-secrets be interesting to include? Either as a filtering step to weed out false positives, or to find even more secrets (i.e. ones that aren't near "password" or "secret").
It was a huge pain; it picked up nothing but false positives.
After a few months we decided that our pre-existing practices (have secrets passed to the app in environment variables that are set during deployment, and use fake secrets for test and dev) solved the problem in a much less painful way.
Is it so hard to keep real secrets separate from the source code?
The right answer here (as stated in sibling comments) is to install a mechanism into the build. A push that accidentally commits credentials should break the build. How it goes about doing that is up to you, but the specific way I've done that in the past is a git hook [1], specifically the pre-commit hook. It looks like there's a reasonably well-updated package by Yelp to help do this kind of thing [2].
[1] https://git-scm.com/book/en/v2/Customizing-Git-Git-Hooks
[2] https://github.com/Yelp/detect-secrets
I add this hook which checks for passwords, high-entropy strings, etc. and has tools for managing false positives: https://github.com/Yelp/detect-secrets
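The two detector styles the comments above describe (a keyword detector for values sitting next to names like "password", plus a high-entropy detector for random-looking strings that have no such name nearby), together with a baseline of audited false positives, as an added illustration written for this page. It is not detect-secrets' own code; the regexes, the 3.5-bit entropy threshold and the sample file contents are assumptions constructed here.

```python
import math
import re
from collections import Counter

# Keyword detector: a secret-ish name immediately followed by a quoted literal.
# Reading the value from the environment (os.environ[...]) deliberately does not match.
KEYWORD_RE = re.compile(r'(?i)(password|passwd|secret|api_?key|token)\s*[=:]\s*["\']([^"\']+)["\']')
# Entropy detector: any quoted run of 20+ base64-ish characters, whatever it is called.
QUOTED_RE = re.compile(r'["\']([A-Za-z0-9+/=_\-]{20,})["\']')

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking keys score high, repeated characters score 0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_line(line: str, threshold: float = 3.5):
    """Findings for one line as (kind, value); the threshold is an assumed tuning value."""
    findings = []
    m = KEYWORD_RE.search(line)
    if m:
        findings.append(("keyword", m.group(2)))
    for value in QUOTED_RE.findall(line):
        if shannon_entropy(value) >= threshold:
            findings.append(("high-entropy", value))
    return findings

def scan(text: str, baseline=frozenset()):
    """(lineno, kind, value) for every finding not already in the baseline.
    The baseline stands in for an audited allow-list of known false positives,
    e.g. the fake secrets a team uses for test and dev."""
    return [(no, kind, value)
            for no, line in enumerate(text.splitlines(), 1)
            for kind, value in scan_line(line)
            if (kind, value) not in baseline]

def hook_exit_code(text: str, baseline=frozenset()) -> int:
    """Non-zero (fail the commit or build) when any un-audited finding remains."""
    return 1 if scan(text, baseline) else 0

# Constructed sample of a file about to be committed; none of these values are real.
SAMPLE = '''\
DB_PASSWORD = "hunter2-sample"
api_key = os.environ["API_KEY"]
SIGNING_KEY = "Zq9fL2vXm8Kp3Hs7Wn4Tb6Yd1Rc5Ge0A"
token = "0000000000000000000000"
TEST_PASSWORD = "fake-for-unit-tests"
'''
BASELINE = frozenset({("keyword", "fake-for-unit-tests")})  # audited: fake dev secret

if __name__ == "__main__":
    for no, kind, value in scan(SAMPLE, BASELINE):
        print(f"line {no}: {kind} -> {value}")
    print("hook exit code:", hook_exit_code(SAMPLE, BASELINE))
```

Line 3 is caught only by the entropy detector (nothing in its name says "secret"), line 4 only by the keyword detector (all-zero value has zero entropy), and line 2 is not flagged because the value comes from the environment at deploy time.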