Thanks to all our contributors, users, and the many people that make detect-secrets
possible!
:heart:
If you love detect-secrets
, please star our project on GitHub to show your support! ⭐
- Fixes
SecretsCollection
subtraction method, to handle non-overlapping files. - Fixes installation for Windows environments (#412, thanks @pablosantiagolopez)
KeywordDetector
is no longer case-sensitive.
- Added a concept of "filters", to weed out false positives
- Introduce the concept of "transformers", to standardize file parsing across plugins
- Designed an upgrade system for easy migrations of older baseline versions
- Core engine redesigned to support module usage (rather than just interacting with it through the command line)
- Added a global
Settings
object for repeatable, serializable, configurations - Introduced dependency injection framework for easy-to-design filters.
Honestly, too many to list out. Check out the original pull request
(#355) for more details. It's safe to assume
that if you interacted with detect-secrets
as a module (rather than solely a pre-commit hook
or CLI tool), the APIs have changed (for the better).
However, with the new upgrade infrastructure in place, the baseline files will auto upgrade by themselves. Users that have used it solely as a pre-commit hook or CLI tool may need to consult the "User Facing Changes" for flag renaming.
- Added
NpmDetector
(#347, thanks @ninoseki) - Added
AzureStorageKeyDetector
(#359, thanks @DariuszPorowski) - Added
SquareOauthDetector
(#398, thanks @pablosantiagolopez) - Added
--only-allowlisted
flag to scan for inline ignores - Added
--list-all-plugins
to show a list of all plugins available to the engine - Added
--exclude-secrets
flag to ignore secrets that match specific regexes (#391, thanks @pablosantiagolopez) - Added
--slim
flag to generate baselines that minimize git diffs - Added
--disable-filter
to disable specific filters - Added
--disable-plugin
to disable specific plugins - Added support for
# pragma: allowlist nextline secret
to ignore the following line (#367, thanks @nickiaconis)
- AWS Plugin now scans for secret tokens as well (#397, thanks @pablosantiagolopez)
- The README now includes examples of common usages, features, and an FAQ section for the common questions we often receive as Github issues.
- So much better technical documentation!
- Type support added
- Inline allowlisting is respected by regular scans, rather than only pre-commit hook
audit
functionality improved on Windows machines- git operations now handle file paths with spaces
- fix KeywordDetector hanging on very long lines (#373, thanks @gpflaum)
- Fix a
TypeError
exception in adhoc string scanning (#336)
- Fixed an
AttributeError
exception in the pre-commit hook, when on Windows (#321, thanks @JohnNeville)
- Add missing
tuple()
conversion that raised aTypeError
when usingscan --update
(#317, thanks @shaikmanu797)
- Remove support for Python 2 (#292, big thanks to [@KevinHock]!)
- Add support for custom plugins (#308, big thanks to [@KevinHock]!)
- Make IBM plugins less noisy (#289, thanks to [@killuazhu])
- Display helpful eror message when scanning a baseline from a newer
detect-secrets
version (#293, #269)
- Pin coverage version used in testing (#290)
- Adding plugin for IBM's Cloudant (#261, thanks [@killuazhu])
- Adding plugin for IBM Cloud Object Storage HMAC (#263, thanks [@killuazhu])
- Adding Twilio plugin (#267, thanks [@EdOverflow])
- Support for
DETECT_SECRETS_SECURITY_TEAM
environment variable to customize the pre-commit hook error message (#283, thanks [@0atman])
- Adhoc
HighEntropyString
scanning supports multiple words (#287)
- Rationale for the minor version bump:
- Some accuracy changes that might change baselines significantly
- @OiCMudkips' first release increases spookiness
- It being almost Halloweeen increases spookiness
- Added a Softlayer plugin (#254, thanks [@killuazhu] and [@justineyster])
- Support URL-safe base64 strings in the base64 plugin (#245)
- Make it easier to add new plugins to detect-secrets (#248)
- Exclude NOPASSWD from the keyword detector (#247, thanks [@security-architecture])
- Ignore lines with
id
in them in the high-entropy plugins (#245) - Ignore UUIDs detected by the base64 plugin (#245)
- Fix the signal metric in the audit results view (#251)
- Added a
JwtTokenDetector
plugin (#239, thanks [@gdemarcsek]) - Added verification for Mailchimp API keys
- Added verification for Stripe secret API keys
- Added a
--word-list
option for filtering secrets with words in them (#241, dopip install detect-secrets[word_list]
to use this feature)
- Fixed a bug where we were not skipping ignored file extensions
- Fixed a bug in the
audit
functionality where we crashed if the baseline had a Mailchimp secret in it
- Added a
MailchimpDetector
plugin (#217, thanks [@dgzlopes]) - Added verification for Slack webhooks (#233, thanks [@Patil2099])
- Added handling of binary secrets in YAML files (#223)
- Added various accuracy improvements to the
KeywordDetector
plugin (#229)
- Fixed a bug in the
audit
functionality where we crashed when the highlighter failed (#228) - Fixed a bug in the
audit
functionality where there was no (b)ack audit functionality when a secret was not found (#215, thanks [@dgzlopes]) - Fixed a bug where we were not excluding SVG files (#219)
- Added a unique exit code to identify baseline changes (#214, thanks [@lirantal])
- Updated and ran our pre-commit hooks (#221, thanks [@killuazhu])
- Added webhook detection to our
SlackDetector
plugin (#195, thanks [@adrianbn]) - Added support for scanning multiple files (#188, thanks [@dgzlopes])
- Added support for scanning multiple repositories (#193)
- Added verification for AWS access keys and Slack tokens (#194)
- Added an
audit --display-results
feature to aid plugin development (#205)
- Improved our Artifactory regex (#195, thanks [@adrianbn])
- Improved sequential string detection to catch the Base64 character set (#207)
- Moved our sequential string detection so it is used by all plugins (#196)
whitelist
/blacklist
have been replaced withallowlist
/denylist
(#178, thanks [@richo]). This includes using# pragma: allowlist secret
now for inline allowlisting.# pragma: whitelist secret
compatibility will be removed in a later major version bump.
- Added a
StripeDetector
plugin (#169, thanks [@dgzlopes]) - Improved handling of un-scannable files (#176, thanks [@dgzlopes])
- Improved documentation of regex based detector's in the README (#177, thanks [@dgzlopes])
- Added an
ArtifactoryDetector
plugin (#157 and #163, thanks [@justineyster]) - Added support for Golang string assignments in the
KeywordDetector
plugin (#162, thanks [@baboateng]) - Added support for XML inline whitelisting comments (#152, thanks [@killuazhu])
- Added support for text after inline whitelisting comments (#168, thanks [@dgzlopes])
- Fixed a bug where filetype detection failed due to an inconsistent
configparser
import (#155, thanks [@Namburgesas])
- Greatly improved the readability of regular expressions in the
KeywordDetector
plugin, and the maintainability of the corresponding test (#160 and #161, thanks [@baboateng]) - Added a contribution guide (#166, thanks [@zioalex])
- Documented all of our inline whitelisting directives (#165 and #172, thanks [@dgzlopes])
- Fixed a bug where the improved performance for high-entropy strings (#144) did not work on Python 2 (#147)
- Added a
--keyword-exclude
argument toscan
(#132, thanks [@hpandeycodeit])
- For the
KeywordDetector
plugin: made quotes required for secrets in.cls
and.java
files, and skipped{{secrets like this}}
in YAML files (#133/#145)
- Improved performance when scanning for high-entropy strings (#144, thanks [@killuazhu])
- Fixed an uncaught
UnicodeEncodeError
exception in ourini
file parser, when using Python 2 (#143)
- Fixed the example pre-commit configuration in the README (#135, thanks [@nymous]) (#138, thanks [@neunkasulle])
- Refactored some
audit
code intoCodeSnippet
andCodeSnippetHighlighter
classes (#137)
- Added a
SlackDetector
plugin (#122, thanks [@killuazhu]) - Added a
--use-all-plugins
argument to--update
that adds all plugins to the baseline (#124, thanks [@killuazhu]) - Added
--exclude-files
and--exclude-lines
arguments toscan
(#127)
- Removed the
--exclude
CLI scan argument (#127)
- Reduced false-positives by excluding more characters (
!$&\';
) in theBasicAuthDetector
regex (#126, #123, thanks [@killuazhu]) - Added more to the
FALSE_POSITIVES
dict for theKeywordDetector
plugin, includingpassword
(#118)
- Fixed a bug where
--update
was adding all plugins to the baseline, instead of respecting the plugins used in the baseline (#124, thanks [@killuazhu]) - Fixed an uncaught
UnicodeEncodeError
exception when scanning non-ini files (e.g. markdown) containing unicode, when using Python 2 (#128, thanks [@killuazhu]) - Fixed a bug where non-ini files (e.g. markdown) containing unicode caused a
UnicodeEncodeError
exception in theaudit
functionality, when using Python 2 (#129, thanks [@killuazhu]) - Fixed a bug where non-posix end of line characters caused a "Secret not found on line...." error in the
audit
functionality (#120, thanks [@killuazhu]) - Fixed a bug where
scan_diff
, called bydetect-secrets-server
, was ignoring inlinepragma: whitelist secret
comments (#127)
- Relaxed the number of spaces before inline
pragma: whitelist secret
comment (#125, thanks [@killuazhu]] - Added Python 3.7 to Travis CI and
tox.ini
testing (#114, thanks [@cclauss]) - Increased minimum test coverage from 97% to 98%
- Fixed a bug where we were adding an extra-newline in
detect-secrets scan
output (#111)
- Reorganized the code, mainly creating a
common/
directory (#113)
- Turned the
KeywordDetector
plugin back on, with new regexes and accuracy improvements (#86) - Added an
AWSAccessKeyDetector
plugin (#100) - Added the ability to scan
.ini
types files that don't have a header (#106)
- Add blacklisting of PGP private key headers in
PrivateKeyDetector
plugin (#104) - Reduced false-positives by improving
BasicAuthDetector
plugin regex (#98)
- Fixed a bug where we were not showing removed lines in the
audit
functionality (#98)
- Added whitelist directive regexes to match against inline comment syntaxes in more languages (#105)
- Refactored various detectors to use
RegexBasedDetector
(#103) - Refactored the
BashColor
singleton into thecolorize
function (#109) - Small improvements to existing file parsers (#107)
- Refactored the
BasePlugin
to use theWHITELIST_REGEX
(#99) - Removed
unidiff
from standard dependencies (#101)
- Made the pre-commit hook automatically update the baseline (#96)
- Added the
audit --diff
functionality (#95)
- Added display of secret type in audit functionality (#94)
- Added a "Please git add the baseline" message (#89)
- Improved the "Unable to open baseline file" message (#91)
- Update
scan --update
results to only propagateis_secret
of new secrets (#90)
- Disabled
KeywordDetector
plugin temporarily (#89)
- Ordered baseline hashes, for better diffs (#84)
- Added a "Please git add the baseline" message (#89)
- Improved error messages for pre-commit hook (#85)
- Fixed a couple bugs in the
audit
functionality, one for small files and the other case-sensitivity in theKeywordDetector
plugin (#83, thanks [@jkozera])
- Added a
KeywordDetector
plugin, that was horrible and regretful (#76)
- Fixed a bug in
scan --update
where we would append the baseline exclude regex to itself (#78) - Fixed the regular expression in the
BasicAuthDetector
plugin so that it didn't run forever (#80) - Removed trailing whitespace from
scan
output (#78)
- Added command line hints and baseline clarification in the README (#81, thanks [@JoshuaRLi])
- Added a (b)ack option to 'Is this a valid secret?' (#72, thanks [@cleborys])
- Added a
BasicAuthDetector
plugin (#74) - Added CLI functionality to check strings in an adhoc manner (#73)
- Added a check to only load json from stdin if it exists (#69, thanks [@guykisel])
- Fixed a typo in the README (#68, thanks [@whathejoe])
- Fixed a bug where we didn't skip sequential strings when we should have (#67)
- Changed
--audit
and--scan
toaudit
andscan
(#51) - Changed
scan --import <baseline>
toscan --update <baseline>
(#58)
- Reduced false-positives caused by sequential strings, e.g.
ABCDEF
(#64)
- Fixed a bug where the pre-commit code would remove the
is_secret
attribute from audited baselines (#65) - Fixed an
audit
bug where we would crash if a file in the baseline did not exist (#56) - Improved the
audit
functionality to handle short files better (#48)
- Fixed numbering system with interactive audit
- Fixed "leapfrog" edge case for audit functionality (#47)
- Added ability to migrate baselines from an older version to a newer version
- Added functionality to audit baseline, to distinguish difference between false and true positives in the baseline file (#44)
- Upgraded
PrivateKeyPlugin
: more search parameters, more lines searched, and secret hash created using payload (rather than the entire line content)
- Differentiate between
Base64HighEntropyStrings
andHexHighEntropyStrings
throughsecret_type
(#26) - Got rid of
SensitivityValues
as a means to store plugin configs
- Improved the heuristic for
HexHighEntropyStrings
, reducing the false positive rates for large numbers identified in code
- Baseline always outputs in sorted order now, to prevent unnecessary diffs (#25)
- Escape exclude regex statements before compilation (#39)
- Fixed case where details of plugins used were not included in the baseline, when the pre-commit hook updated it (#40)
- Simplified logging by removing
CustomLog
(#46)
- Allow scanning of non-git files (#18)
- Improved scanning of INI config files with
HighEntropyString
(#13 and #17) - Improved scanning of YAML files with
HighEntropyString
(#16)
- Fixed
PrivateKeyDetector
plugin analyze results' representation (#15)