Date: Wed, 5 Apr 2023 17:33:23 GMT From: Po-Chuan Hsieh <sunpoet@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 4bead352f49a - main - security/py-detect-secrets: Add py-detect-secrets 1.4.0 Message-ID: <202304051733.335HXNMJ083396@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by sunpoet: URL: https://cgit.FreeBSD.org/ports/commit/?id=4bead352f49aa8c05252244c2f4a3998b51bd256 commit 4bead352f49aa8c05252244c2f4a3998b51bd256 Author: Po-Chuan Hsieh <sunpoet@FreeBSD.org> AuthorDate: 2023-04-05 17:07:32 +0000 Commit: Po-Chuan Hsieh <sunpoet@FreeBSD.org> CommitDate: 2023-04-05 17:29:40 +0000 security/py-detect-secrets: Add py-detect-secrets 1.4.0 detect-secrets is an aptly named module for (surprise, surprise) detecting secrets within a code base. However, unlike other similar packages that solely focus on finding secrets, this package is designed with the enterprise client in mind: providing a backwards compatible, systematic means of: 1. Preventing new secrets from entering the code base, 2. Detecting if such preventions are explicitly bypassed, and 3. Providing a checklist of secrets to roll, and migrate off to a more secure storage. This way, you create a separation of concern: accepting that there may currently be secrets hiding in your large repository (this is what we refer to as a baseline), but preventing this issue from getting any larger, without dealing with the potentially gargantuan effort of moving existing secrets away. It does this by running periodic diff outputs against heuristically crafted regex statements, to identify whether any new secret has been committed. This way, it avoids the overhead of digging through all git history, as well as the need to scan the entire repository every time. --- security/Makefile | 1 + security/py-detect-secrets/Makefile | 23 +++++++++++++++++++++++ security/py-detect-secrets/distinfo | 3 +++ security/py-detect-secrets/pkg-descr | 20 ++++++++++++++++++++ 4 files changed, 47 insertions(+) diff --git a/security/Makefile b/security/Makefile index d277abd90f4d..a45a92d6d43a 100644 --- a/security/Makefile +++ b/security/Makefile @@ -883,6 +883,7 @@ SUBDIR += py-cryptography-vectors SUBDIR += py-ctypescrypto SUBDIR += py-cybox + SUBDIR += py-detect-secrets SUBDIR += py-dfdatetime SUBDIR += py-dfvfs SUBDIR += py-dfwinreg diff --git a/security/py-detect-secrets/Makefile b/security/py-detect-secrets/Makefile new file mode 100644 index 000000000000..73cc35efb8e3 --- /dev/null +++ b/security/py-detect-secrets/Makefile @@ -0,0 +1,23 @@ +PORTNAME= detect-secrets +PORTVERSION= 1.4.0 +CATEGORIES= security python +MASTER_SITES= PYPI +PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX} +DISTNAME= detect_secrets-${PORTVERSION} + +MAINTAINER= sunpoet@FreeBSD.org +COMMENT= Tool for detecting secrets in the codebase +WWW= https://github.com/Yelp/detect-secrets + +LICENSE= APACHE20 +LICENSE_FILE= ${WRKSRC}/LICENSE + +RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}yaml>=0:devel/py-yaml@${PY_FLAVOR} \ + ${PYTHON_PKGNAMEPREFIX}requests>=0:www/py-requests@${PY_FLAVOR} + +USES= python:3.7+ +USE_PYTHON= autoplist concurrent distutils + +NO_ARCH= yes + +.include <bsd.port.mk> diff --git a/security/py-detect-secrets/distinfo b/security/py-detect-secrets/distinfo new file mode 100644 index 000000000000..bb19926aafda --- /dev/null +++ b/security/py-detect-secrets/distinfo @@ -0,0 +1,3 @@ +TIMESTAMP = 1679498504 +SHA256 (detect_secrets-1.4.0.tar.gz) = d56787e339758cef48c9ccd6692f7a094b9963c979c9813580b0169e41132833 +SIZE (detect_secrets-1.4.0.tar.gz) = 94954 diff --git a/security/py-detect-secrets/pkg-descr b/security/py-detect-secrets/pkg-descr new file mode 100644 index 000000000000..4d4944d57bba --- /dev/null +++ b/security/py-detect-secrets/pkg-descr @@ -0,0 +1,20 @@ +detect-secrets is an aptly named module for (surprise, surprise) detecting +secrets within a code base. + +However, unlike other similar packages that solely focus on finding secrets, +this package is designed with the enterprise client in mind: providing a +backwards compatible, systematic means of: + 1. Preventing new secrets from entering the code base, + 2. Detecting if such preventions are explicitly bypassed, and + 3. Providing a checklist of secrets to roll, and migrate off to a more secure + storage. + +This way, you create a separation of concern: accepting that there may currently +be secrets hiding in your large repository (this is what we refer to as a +baseline), but preventing this issue from getting any larger, without dealing +with the potentially gargantuan effort of moving existing secrets away. + +It does this by running periodic diff outputs against heuristically crafted +regex statements, to identify whether any new secret has been committed. This +way, it avoids the overhead of digging through all git history, as well as the +need to scan the entire repository every time.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202304051733.335HXNMJ083396>