Date: Wed, 5 Apr 2023 17:33:23 GMT
Message-Id: <202304051733.335HXNMJ083396@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Po-Chuan Hsieh
Subject: git: 4bead352f49a - main - security/py-detect-secrets: Add py-detect-secrets 1.4.0
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
Sender: owner-dev-commits-ports-main@freebsd.org
X-BeenThere: dev-commits-ports-main@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: sunpoet
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 4bead352f49aa8c05252244c2f4a3998b51bd256
Auto-Submitted: auto-generated
X-ThisMailContainsUnwantedMimeParts: N

The branch main has been updated by sunpoet:

URL: https://cgit.FreeBSD.org/ports/commit/?id=4bead352f49aa8c05252244c2f4a3998b51bd256

commit 4bead352f49aa8c05252244c2f4a3998b51bd256
Author:     Po-Chuan Hsieh
AuthorDate: 2023-04-05 17:07:32 +0000
Commit:     Po-Chuan Hsieh
CommitDate: 2023-04-05 17:29:40 +0000

    security/py-detect-secrets: Add py-detect-secrets 1.4.0

    detect-secrets is an aptly named module for (surprise, surprise) detecting
    secrets within a code base.

    However, unlike other similar packages that solely focus on finding secrets,
    this package is designed with the enterprise client in mind: providing a
    backwards compatible, systematic means of:
     1. Preventing new secrets from entering the code base,
     2. Detecting if such preventions are explicitly bypassed, and
     3. Providing a checklist of secrets to roll, and migrate off to a more secure
        storage.

    This way, you create a separation of concern: accepting that there may currently
    be secrets hiding in your large repository (this is what we refer to as a
    baseline), but preventing this issue from getting any larger, without dealing
    with the potentially gargantuan effort of moving existing secrets away.

It does this by running periodic diff outputs against heuristically crafted regex statements, to identify whether any new secret has been committed. This way, it avoids the overhead of digging through all git history, as well as the need to scan the entire repository every time. --- security/Makefile | 1 + security/py-detect-secrets/Makefile | 23 +++++++++++++++++++++++ security/py-detect-secrets/distinfo | 3 +++ security/py-detect-secrets/pkg-descr | 20 ++++++++++++++++++++ 4 files changed, 47 insertions(+) diff --git a/security/Makefile b/security/Makefile index d277abd90f4d..a45a92d6d43a 100644 --- a/security/Makefile +++ b/security/Makefile @@ -883,6 +883,7 @@ SUBDIR += py-cryptography-vectors SUBDIR += py-ctypescrypto SUBDIR += py-cybox + SUBDIR += py-detect-secrets SUBDIR += py-dfdatetime SUBDIR += py-dfvfs SUBDIR += py-dfwinreg diff --git a/security/py-detect-secrets/Makefile b/security/py-detect-secrets/Makefile new file mode 100644 index 000000000000..73cc35efb8e3 --- /dev/null +++ b/security/py-detect-secrets/Makefile @@ -0,0 +1,23 @@ +PORTNAME= detect-secrets +PORTVERSION= 1.4.0 +CATEGORIES= security python +MASTER_SITES= PYPI +PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX} +DISTNAME= detect_secrets-${PORTVERSION} + +MAINTAINER= sunpoet@FreeBSD.org +COMMENT= Tool for detecting secrets in the codebase +WWW= https://github.com/Yelp/detect-secrets + +LICENSE= APACHE20 +LICENSE_FILE= ${WRKSRC}/LICENSE + +RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}yaml>=0:devel/py-yaml@${PY_FLAVOR} \ + ${PYTHON_PKGNAMEPREFIX}requests>=0:www/py-requests@${PY_FLAVOR} + +USES= python:3.7+ +USE_PYTHON= autoplist concurrent distutils + +NO_ARCH= yes + +.include diff --git a/security/py-detect-secrets/distinfo b/security/py-detect-secrets/distinfo new file mode 100644 index 000000000000..bb19926aafda --- /dev/null +++ b/security/py-detect-secrets/distinfo 
@@ -0,0 +1,3 @@ +TIMESTAMP = 1679498504 +SHA256 (detect_secrets-1.4.0.tar.gz) = d56787e339758cef48c9ccd6692f7a094b9963c979c9813580b0169e41132833 +SIZE (detect_secrets-1.4.0.tar.gz) = 94954 diff --git a/security/py-detect-secrets/pkg-descr b/security/py-detect-secrets/pkg-descr new file mode 100644 index 000000000000..4d4944d57bba --- /dev/null +++ b/security/py-detect-secrets/pkg-descr @@ -0,0 +1,20 @@ +detect-secrets is an aptly named module for (surprise, surprise) detecting +secrets within a code base. + +However, unlike other similar packages that solely focus on finding secrets, +this package is designed with the enterprise client in mind: providing a +backwards compatible, systematic means of: + 1. Preventing new secrets from entering the code base, + 2. Detecting if such preventions are explicitly bypassed, and + 3. Providing a checklist of secrets to roll, and migrate off to a more secure + storage. + +This way, you create a separation of concern: accepting that there may currently +be secrets hiding in your large repository (this is what we refer to as a +baseline), but preventing this issue from getting any larger, without dealing +with the potentially gargantuan effort of moving existing secrets away. + +It does this by running periodic diff outputs against heuristically crafted +regex statements, to identify whether any new secret has been committed. This +way, it avoids the overhead of digging through all git history, as well as the +need to scan the entire repository every time.
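
Review bot: In security/py-detect-secrets/Makefile, both RUN_DEPENDS entries carry a `>=0` bound (`${PYTHON_PKGNAMEPREFIX}yaml>=0` and `${PYTHON_PKGNAMEPREFIX}requests>=0`), so any installed version of py-yaml or py-requests satisfies the dependency. If upstream's packaging metadata for 1.4.0 declares minimum versions, mirror them here so the port cannot be installed against a release the tool was not written for. The closing `.include` line also appears in this message without a file argument; it has to read `.include <bsd.port.mk>` for the port to build.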
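
Review bot: The new security/py-detect-secrets/pkg-descr carries conversational wording in its first two paragraphs ("(surprise, surprise)", "designed with the enterprise client in mind") that reads as project promotion rather than a package description. Consider tightening it to a plain statement of what the tool does, keeping the three numbered points and the definition of a baseline, and noting in the last paragraph that matches from the "heuristically crafted regex statements" are candidates that still need review.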