diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml index 4ad037c..e5f974a 100644 --- a/.pre-commit-hooks.yaml +++ b/.pre-commit-hooks.yaml @@ -1,7 +1,7 @@ -- id: secrets - name: secrets +- id: ripsecrets + name: ripsecrets description: 'Prevent committing secret keys into your source code' - entry: secrets + entry: ripsecrets language: rust 'types': [text] args: [--strict-ignore] diff --git a/CHANGELOG.md b/CHANGELOG.md index 28639d8..93e223e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,7 @@ ## 0.1.3 (Not yet released) +- Renamed from `secrets` to `ripsecrets` to avoid name collisions with other + projects. - Added a new --strict-ignore option for pre-commit usage. When a pre-commit is invoked it includes a list of filenames. By default secrets will search referenced files regardless of the contents of .gitignore or .secretsignore. diff --git a/Cargo.lock b/Cargo.lock index f8a4753..ef5867e 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -372,6 +372,19 @@ dependencies = [ "winapi", ] +[[package]] +name = "ripsecrets" +version = "0.1.3" +dependencies = [ + "grep", + "ignore", + "memoize", + "num_cpus", + "regex", + "tempfile", + "termcolor", +] + [[package]] name = "ryu" version = "1.0.9" @@ -387,19 +400,6 @@ dependencies = [ "winapi-util", ] -[[package]] -name = "secrets" -version = "0.1.2" -dependencies = [ - "grep", - "ignore", - "memoize", - "num_cpus", - "regex", - "tempfile", - "termcolor", -] - [[package]] name = "serde" version = "1.0.132" diff --git a/Cargo.toml b/Cargo.toml index 7265b20..8844350 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] -name = "secrets" -version = "0.1.2" +name = "ripsecrets" +version = "0.1.3" edition = "2021" # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html diff --git a/README.md b/README.md index 153cb0b..46ff46c 100644 --- a/README.md +++ b/README.md @@ -1,23 +1,23 @@ -# secrets +# ripsecrets -`secrets` is a command-line tool to prevent committing secret keys into your source code. `secrets` has a few features that distinguish it from other secret scanning tools: +`ripsecrets` is a command-line tool to prevent committing secret keys into your source code. `ripsecrets` has a few features that distinguish it from other secret scanning tools: 1. Focused on pre-commit. It's a lot cheaper to prevent secrets from getting committed in the first place than dealing with the consequences once a secret that has been committed to your repository has been detected. -2. Extremely fast. Using a secret scanner shouldn't slow down your development workflow, so `secrets` is 95 times faster or more than other tools. Learn more about how it's designed for performance [here](#performance). +2. Extremely fast. Using a secret scanner shouldn't slow down your development workflow, so `ripsecrets` is 95 times faster or more than other tools. Learn more about how it's designed for performance [here](#performance). -3. Always local operation. Many other secret scanners try to verify that the secrets are valid, which is practice means sending strings from your source code to 3rd party services automatically. There's a security versus convienience tradeoff in that decision, but `secrets` is designed to be the best "local only" tool and will never send data off of your computer. +3. Always local operation. Many other secret scanners try to verify that the secrets are valid, which is practice means sending strings from your source code to 3rd party services automatically. There's a security versus convienience tradeoff in that decision, but `ripsecrets` is designed to be the best "local only" tool and will never send data off of your computer. -4. Low rate of false positives. While local-only tools are always going to have more false positives than one that verifies secrets, `secrets` uses a probability theory based approach in order to more accurately detect keys than other tools. +4. Low rate of false positives. While local-only tools are always going to have more false positives than one that verifies secrets, `ripsecrets` uses a probability theory based approach in order to more accurately detect keys than other tools. -5. Single binary with no dependencies. Installing `secrets` is as easy as copying the binary into your `bin` directory. +5. Single binary with no dependencies. Installing `ripsecrets` is as easy as copying the binary into your `bin` directory. ## Usage -By default running `secrets` will recursively search source files in your current directory for secrets. +By default running `ripsecrets` will recursively search source files in your current directory for secrets. ``` -$ secrets +$ ripsecrets ``` For every secret it finds it will print out the file, line number, and the secret that was found. If it finds any secrets it will exit with a non-zero status code. @@ -25,19 +25,19 @@ For every secret it finds it will print out the file, line number, and the secre You can optionally pass a list of files and directories to search as arguments. ``` -$ secrets file1 file2 dir1 +$ ripsecrets file1 file2 dir1 ``` -This is most commonly used to search files that are about to be committed to source control for accidentically included secrets. You can install `secrets` as a pre-commit hook automatically in your current git repository using the following command: +This is most commonly used to search files that are about to be committed to source control for accidentically included secrets. You can install `ripsecrets` as a pre-commit hook automatically in your current git repository using the following command: ``` -$ secrets --install-pre-commit +$ ripsecrets --install-pre-commit ``` -If you would like to install `secrets` manually you can add the following command to yout `pre-commit` script: +If you would like to install `ripsecrets` manually you can add the following command to yout `pre-commit` script: ``` -$ secrets --strict-ignore `git diff --cached --name-only --diff-filter=ACM` +$ ripsecrets --strict-ignore `git diff --cached --name-only --diff-filter=ACM` ``` Passing `--strict-ignore` ensures that your `.secretsignore` file is respected when running secrets as a pre-commit. @@ -54,7 +54,7 @@ cargo install --git https://github.com/sirwart/secrets --branch main ### Using pre-commit -`secrets` can work as a plugin for [pre-commit](https://pre-commit.com/) with +`ripsecrets` can work as a plugin for [pre-commit](https://pre-commit.com/) with the following configuration. Note that this may require having Cargo and a Rust compiler already installed. @@ -63,16 +63,16 @@ information. ```yaml repos: -- repo: https://github.com/sirwart/secrets.git +- repo: https://github.com/sirwart/ripsecrets.git # Set your version, be sure to use the latest and update regularly or use 'main' rev: v0.1.3 hooks: - - id: secrets + - id: ripsecrets ``` ## Ignoring secrets -`secrets` will respect your .gitignore files by default, but there might still be files you want to exclude from being scanned for secrets. To do that you can create a .secretsignore file, which supports similar syntax to a .gitignore file for ignoring files. In addition to excluding files, it also supports a `[secrets]` section that allows ignoring individual secrets. +`ripsecrets` will respect your .gitignore files by default, but there might still be files you want to exclude from being scanned for secrets. To do that you can create a .secretsignore file, which supports similar syntax to a .gitignore file for ignoring files. In addition to excluding files, it also supports a `[secrets]` section that allows ignoring individual secrets. ``` test/* @@ -82,7 +82,7 @@ dummy pAznMW3DsrnVJ5TDWwBVCA ``` -In addition to the .secretsignore file, `secrets` is compatible with `detect-secrets` style allowlist comments on the same line as the detected secret: +In addition to the .secretsignore file, `ripsecrets` is compatible with `detect-secrets` style allowlist comments on the same line as the detected secret: ``` test_secret = "pAznMW3DsrnVJ5TDWwBVCA" # pragma: allowlist secret @@ -90,13 +90,13 @@ test_secret = "pAznMW3DsrnVJ5TDWwBVCA" # pragma: allowlist secret ## Performance -The slowest part of secret scanning is looking for potential secrets in a large number of files. To do this quickly `secrets` does a couple of things: +The slowest part of secret scanning is looking for potential secrets in a large number of files. To do this quickly `ripsecrets` does a couple of things: 1. All the secret patterns are compiled into a single regex, so each file only needs to be processed once. 2. This regex is fed to [ripgrep](https://github.com/BurntSushi/ripgrep), which is specially optimized to running a regex against a large number of files quickly. -Additionally `secrets` is written in Rust, which means there's no interpreter startup time. To compare real world performance, here's the runtime of a few different scanning tools to search for secrets in the [Sentry repo](https://github.com/getsentry/sentry) on an M1 air laptop: +Additionally `ripsecrets` is written in Rust, which means there's no interpreter startup time. To compare real world performance, here's the runtime of a few different scanning tools to search for secrets in the [Sentry repo](https://github.com/getsentry/sentry) on an M1 air laptop: | tool | avg. runtime | vs. baseline | | -------------- | ------------ | ------------ | @@ -108,7 +108,7 @@ Most of the time your pre-commit will be running on a small number of files, so ## Alternative tools -Even if `secrets` is not the right tool for you, if you're working on a service that deals with user data you should strongly consider using a secret scanner. Here are some alterative tools worth considering: +Even if `ripsecrets` is not the right tool for you, if you're working on a service that deals with user data you should strongly consider using a secret scanner. Here are some alterative tools worth considering: - [detect-secrets](https://github.com/Yelp/detect-secrets) - [trufflehog](https://github.com/trufflesecurity/trufflehog) diff --git a/flake.nix b/flake.nix index 78c8265..0bc1864 100644 --- a/flake.nix +++ b/flake.nix @@ -12,17 +12,17 @@ in rec { # `nix build` - packages.secrets = naersk-lib.buildPackage { - pname = "secrets"; + packages.ripsecrets = naersk-lib.buildPackage { + pname = "ripsecrets"; root = ./.; }; - defaultPackage = packages.secrets; + defaultPackage = packages.ripsecrets; # `nix run` - apps.secrets = flake-utils.lib.mkApp { - drv = packages.secrets; + apps.ripsecrets = flake-utils.lib.mkApp { + drv = packages.ripsecrets; }; - defaultApp = apps.secrets; + defaultApp = apps.ripsecrets; # `nix develop` devShell = pkgs.mkShell { diff --git a/src/main.rs b/src/main.rs index a1d0fdf..a4caa42 100644 --- a/src/main.rs +++ b/src/main.rs @@ -23,9 +23,9 @@ impl std::error::Error for UsageError {} impl fmt::Display for UsageError { fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { match self { - UsageError::PreCommit => write!(f, "Usage: secrets --install-pre-commit"), - UsageError::Version => write!(f, "Usage: secrets --version"), - UsageError::Help => write!(f, "Usage: secrets --help"), + UsageError::PreCommit => write!(f, "Usage: ripsecrets --install-pre-commit"), + UsageError::Version => write!(f, "Usage: ripsecrets --version"), + UsageError::Help => write!(f, "Usage: ripsecrets --help"), } } } @@ -42,34 +42,34 @@ fn main_aux(args: &Vec) -> Result> { if args.len() > 2 { return Err(Box::new(UsageError::Version)); } - println!("secrets {}", env!("CARGO_PKG_VERSION")); + println!("ripsecrets {}", env!("CARGO_PKG_VERSION")); } else if args.len() > 1 && args[1] == "--help" { if args.len() > 2 { return Err(Box::new(UsageError::Help)); } - println!("secrets {} + println!("ripsecrets {} -secrets searches files and directories recursively for secret API keys. +ripsecrets searches files and directories recursively for secret API keys. It's primarily designed to be used as a pre-commit to prevent committing secrets into version control. USAGE: - secrets [--strict-ignore] [PATH ...] - secrets --install-pre-commit - secrets --help - secrets --version + ripsecrets [--strict-ignore] [PATH ...] + ripsecrets --install-pre-commit + ripsecrets --help + ripsecrets --version OPTIONS: --install-pre-commit - Installs secrets as part of your git pre-commit hook, creating one if - one doesn't already exist. + Installs ripsecrets as part of your git pre-commit hook, creating one + if one doesn't already exist. --strict-ignore If you pass a path as an argument that's ignored by .secretsignore it will be scanned by default. --strict-ignore will override this behavior and not search the paths passed as arguments that are excluded - by the .secretsignore file. This is useful when invoking secrets as a - pre-commit.", env!("CARGO_PKG_VERSION")) + by the .secretsignore file. This is useful when invoking ripsecrets as + a pre-commit.", env!("CARGO_PKG_VERSION")) } else { let mut strict_ignore = false; let mut paths = Vec::new(); diff --git a/src/pre_commit.rs b/src/pre_commit.rs index 2437ecf..c8ef3ef 100644 --- a/src/pre_commit.rs +++ b/src/pre_commit.rs @@ -25,7 +25,7 @@ impl fmt::Display for PreCommitError { } } -const PRE_COMMIT: &[u8] = b"secrets --strict-ignore `git diff --cached --name-only --diff-filter=ACM`\n"; +const PRE_COMMIT: &[u8] = b"ripsecrets --strict-ignore `git diff --cached --name-only --diff-filter=ACM`\n"; pub fn install_pre_commit(repo_root: &Path) -> Result<(), Box> { let git_root = Path::new(repo_root).join(".git"); @@ -37,7 +37,7 @@ pub fn install_pre_commit(repo_root: &Path) -> Result<(), Box> { let pre_commit_dir = git_root.join("pre-commit.d"); if pre_commit_dir.exists() { - let pre_commit_dir_fname = pre_commit_dir.join("secrets"); + let pre_commit_dir_fname = pre_commit_dir.join("ripsecrets"); if pre_commit_dir_fname.exists() { return Err(Box::new(PreCommitError::HookAlreadyInstalled)); }