diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml index 1b5810d..6f9c2b7 100644 --- a/.pre-commit-hooks.yaml +++ b/.pre-commit-hooks.yaml @@ -216,4 +216,3 @@ description: can take in a custom regex file to scan for custom secrets. entry: detect-secrets langauge: python - diff --git a/pre_commit_hooks/detect_secrets.py b/pre_commit_hooks/detect_secrets.py index 72a478a..7a0f537 100644 --- a/pre_commit_hooks/detect_secrets.py +++ b/pre_commit_hooks/detect_secrets.py @@ -13,41 +13,40 @@ from pathlib import Path DEFAULT_PATTERNS: dict[str, str] = { # GitLab - "gitlab_pat": r"glpat-[0-9A-Za-z_-]{20,}", - "gitlab_runner_token": r"glrt-[0-9A-Za-z_-]{20,}", + 'gitlab_pat': r'glpat-[0-9A-Za-z_-]{20,}', + 'gitlab_runner_token': r'glrt-[0-9A-Za-z_-]{20,}', # GitHub - "github_pat": r"ghp_[0-9A-Za-z]{36}", - "github_fine_grained_pat": r"github_pat_[0-9A-Za-z_]{82}", + 'github_pat': r'ghp_[0-9A-Za-z]{36}', + 'github_fine_grained_pat': r'github_pat_[0-9A-Za-z_]{82}', # AWS - "aws_access_key": r"AKIA[0-9A-Z]{16}", - "aws_secret_key": r"(?i)aws(.{0,20})?(secret|access)[-_ ]?key(.{0,20})?['\"][0-9a-zA-Z/+]{40}['\"]", + 'aws_access_key': r'AKIA[0-9A-Z]{16}', + 'aws_secret_key': r"(?i)aws(.{0,20})?(secret|access)[-_ ]?key(.{0,20})?['\"][0-9a-zA-Z/+]{40}['\"]", # Generic - "generic_secret": r"(?i)(password|passwd|pwd|secret|token|api[_-]?key)\s*=\s*['\"].+['\"]", + 'generic_secret': r"(?i)(password|passwd|pwd|secret|token|api[_-]?key)\s*=\s*['\"].+['\"]", } - def load_custom_patterns(path: Path) -> dict[str, str]: patterns: dict[str, str] = {} for i, line in enumerate(path.read_text().splitlines(), start=1): line = line.strip() - if not line or line.startswith("#"): + if not line or line.startswith('#'): continue patterns[f"custom_rule_{i}"] = line return patterns def is_binary(data: bytes) -> bool: - return b"\x00" in data + return b'\x00' in data def git_tracked_files() -> list[Path]: """Return all git-tracked files in the repo.""" result = subprocess.run( - ["git", "ls-files"], + ['git', 'ls-files'], stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True, @@ -57,16 +56,16 @@ def git_tracked_files() -> list[Path]: def main(argv: Sequence[str] | None = None) -> int: - parser = argparse.ArgumentParser(description="Detect exposed secrets in repository") + parser = argparse.ArgumentParser(description='Detect exposed secrets in repository') parser.add_argument( - "--rules", + '--rules', type=Path, - help="File containing custom regex rules (one per line)", + help='File containing custom regex rules (one per line)', ) parser.add_argument( - "filenames", - nargs="*", - help="Files to scan (if empty, scans entire repo)", + 'filenames', + nargs='*', + help='Files to scan (if empty, scans entire repo)', ) args = parser.parse_args(argv) @@ -104,14 +103,14 @@ def main(argv: Sequence[str] | None = None) -> int: if is_binary(data): continue - text = data.decode(errors="ignore") + text = data.decode(errors='ignore') for rule, regex in compiled.items(): if regex.search(text): findings.append((path, rule)) if findings: - print("Potential secrets detected:") + print('Potential secrets detected:') for path, rule in findings: print(f" - {path} (matched: {rule})") return 1 @@ -119,5 +118,5 @@ def main(argv: Sequence[str] | None = None) -> int: return 0 -if __name__ == "__main__": +if __name__ == '__main__': raise SystemExit(main())