Integrate secretlint to detect and prevent credential leaks

[husnain067]

Feature Pull Request

Branch Naming Convention

Current branch: feature/integrate-secretlint

Related Issue

Closes #201

Feature Description

Previously, our project lacked automated detection for secrets and credentials in the codebase. This poses a significant security risk as developers might accidentally commit sensitive information like API keys, passwords, or tokens. We need a reliable mechanism to scan for credentials in the project, report them, and prevent committing such sensitive data.

Implementation Details

Integrate secretlint into the py-launch-blueprint project with the following capabilities:

• Add secretlint configuration file with appropriate rules for our project.
• Implement secretlint in the existing justfile to allow running manually via command: just lint-secrets.
• Add secretlint to the pre-commit hook to prevent committing files containing credentials.

TODO:
1: Add GitHub Actions workflow for secretlint. (In a separate PR)
2: Add documentation guide. (In a separate PR)

Changes Made

• Add secretlint configuration file
• Add just commands for testing
• Add secretlint to the pre-commit hook.

Testing Performed

• Manually test the secretlint configuration working
• Manually test the pre-commit-hook working with secretlint.
• Manually test the just command for secretlint.

Pre-commit and Testing Instructions

1: Setup Instructions for Secretlint

• Make sure you have Node.js and npm installed because Secretlint is a Node.js-based tool.
  just install-nvm
• Setting up and verifying NVM configuration.
  setup-nvm-path
• Install secretlint dependencies
  just install-secretlint

2: Verify commands work

• just lint-secrets
• just pre-commit-run

3: Local testing
1: Create a new test file anywhere inside the project, for example test_secrets.py, and add the following secrets snippet.

# GitHub
github_token = "ghp_1234567890abcdefghijklmnopqrstuvwxyz12"

# Slack  
slack_token = "xoxb-1234567890-1234567890-abcdefghijklmnopqrstuvwx"

# Private key
private_key = """-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA1234567890abcdef

4: Run again to verify secretlint detects these secrets

• just lint-secrets
• just pre-commit-run
  5: if it detects the secret keys in the file, it's working, and that's the goal.

Documentation Updates

N/A (will do in a separate PR)

Breaking Changes

Checklist

• Branch name follows convention (feature/description or feature/issue-number-description)
• Testing added to pre-commit hook (pre-commit run --all-files passes)
• Testing added to CI/CD pipeline in GitHub Actions
• Documentation added/updated in Sphinx
• Appropriate unit test coverage added (run pytest --cov to verify)
• New commands added to CLI (if applicable)
• Code follows project style guidelines (flake8 or equivalent passes)
• All tests pass locally and in CI
• Self-review of code performed
• No debug print statements or commented-out code left in the codebase

Reviewer Notes

---

Important

Integrate secretlint into the project for detecting and preventing credential leaks, with configuration, justfile commands, and pre-commit hook updates.

• Integration:
  • Add secretlint configuration in .secretlintrc.json with recommended rules.
  • Add .secretlintignore to exclude common directories like .venv/, __pycache__/, and node_modules/.
  • Update package.json to include secretlint and @secretlint/secretlint-rule-preset-recommend as dev dependencies.
• Justfile Updates:
  • Add install-secretlint command to install secretlint using npm.
  • Add lint-secrets command to run secretlint on all files.
  • Add install-nvm and setup-nvm-path commands for Node.js environment setup.
• Pre-commit Hook:
  • Modify .pre-commit-config.yaml to include secretlint in the pre-commit hook setup.
• Testing:
  • Manual tests for secretlint configuration, pre-commit hook, and just commands were performed.

^{This description was created by for df12835. You can customize this summary. It will automatically update as commits are pushed.}

---

Summary by CodeRabbit

• New Features

  • Introduced secret scanning to the project, allowing detection of sensitive information in source files.
  • Added configuration files to customize and ignore specific directories during secret scanning.
  • Provided commands for installing and running secret scanning tools.

• Chores

  • Updated development dependencies and pre-commit hooks to support secret scanning.
  • Improved setup instructions for Node.js environment and related tooling.
  • Enhanced version control settings to exclude common dependency folders from tracking.

[coderabbitai]

"""

Walkthrough

Secretlint is integrated into the project to detect and prevent credential leaks. Configuration files for secretlint are added, .gitignore is updated to exclude node_modules/, and pre-commit hooks are enhanced to run secretlint checks. The Justfile is expanded with recipes for installing and running secretlint, and a package.json is introduced for managing secretlint dependencies.

Changes

Files/Groups	Change Summary
.gitignore, .secretlintignore	Added node_modules/ to ignored directories; new secretlint ignore file excludes common non-source dirs.
.pre-commit-config.yaml	Removed a blank line in comments; no functional changes.
.secretlintrc.json	Added secretlint configuration with recommended rule preset.
Justfile	Added recipes for installing NVM, secretlint, setting up environment paths, running secretlint; added alias.
package.json	Added devDependencies for secretlint and @secretlint/secretlint-rule-preset-recommend.

Sequence Diagram(s)

sequenceDiagram
    participant Developer
    participant Pre-commit Hook
    participant Secretlint
    participant Justfile

    Developer->>Pre-commit Hook: Attempt to commit code
    Pre-commit Hook->>Secretlint: Run secretlint on staged files
    Secretlint-->>Pre-commit Hook: Report issues if secrets found
    Pre-commit Hook-->>Developer: Block commit if secrets detected

    Developer->>Justfile: Run 'just lint-secrets'
    Justfile->>Secretlint: Execute secretlint on all files
    Secretlint-->>Justfile: Output results

Loading

Assessment against linked issues

Objective	Addressed	Explanation
Add secretlint configuration file with appropriate rules (#201)	✅
Implement secretlint in Justfile for manual run (#201)	✅
Add secretlint to pre-commit hook to prevent credential leaks (#201)	✅
Configure secretlint in CI/CD pipeline to scan for credentials (#201)	❌	No CI/CD pipeline or GitHub Actions configuration changes are present in this PR.
Add documentation on how to use secretlint and what secrets it detects (#201)	❌	No documentation updates or Sphinx changes are included.

Poem

In the warren of code, secrets may hide,
But with secretlint, we scan far and wide.
Pre-commit guards, Justfile commands—
No credentials slip through our diligent hands!
🐇✨
Now our project is safe, so hop on with pride,
For bunnies and builders, security’s on our side!
"""

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ed789df and df12835.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (2)

• Justfile (2 hunks)
• package.json (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• package.json
• Justfile

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: continuous-integration (3.10)

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ✅ 0 package(s) with unknown licenses.
• ⚠️ 2 packages with OpenSSF Scorecard issues.

View full job summary

[ellipsis-dev]

Important

Looks good to me! 👍

Reviewed everything up to 5c2f712 in 56 seconds. Click for details.

• Reviewed 80 lines of code in 6 files
• Skipped 2 files when reviewing.
• Skipped posting 4 draft comments. View those below.
• Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.

1. .pre-commit-config.yaml:53

• Draft comment:
  Ensure that 'npx secretlint --maskSecrets' (with pass_filenames: true) properly accepts file arguments. Confirm its behavior on various file types.
• Reason this comment was not posted:
  Confidence changes required: 33% <= threshold 50% None

2. Justfile:152

• Draft comment:
  The 'lint-secrets' command here lacks the '--maskSecrets' flag used in the pre-commit hook. For consistency, consider adding it.
• Reason this comment was not posted:
  Confidence changes required: 33% <= threshold 50% None

3. Justfile:152

• Draft comment:
  Using '**/*' may scan more files than necessary. Consider narrowing the glob to relevant file types to improve performance.
• Reason this comment was not posted:
  Confidence changes required: 33% <= threshold 50% None

4. .secretlintrc.json:1

• Draft comment:
  The minimal secretlint configuration is adequate. As an enhancement, you might consider extending the rules for more robust detection if needed.
• Reason this comment was not posted:
  Confidence changes required: 33% <= threshold 50% None

Workflow ID: wflow_NjVMm5zMPxS9Bd8r

^{You can customize by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (4)

test.txt (1)

1-1: Suggest clarifying test secret file
test.txt includes a fake AWS key to verify secretlint detection, but naming it as .env.example or sample.secret.txt could clarify its purpose and follow common conventions for placeholder credentials.

package.json (1)

3-4: Review version pinning and add npm script
The devDependencies are pinned with ^9.3.3. Consider either locking to an exact patch release for reproducibility or scheduling regular dependency updates.
Also, adding a "scripts": { "lint:secrets": "secretlint --maskSecrets" } section would let contributors run npm run lint:secrets alongside the Justfile recipe.

.secretlintignore (1)

2-5: Extend ignore patterns
You’ve excluded key dirs (.venv/, __pycache__/, node_modules/, .git/), but consider mirroring other entries from .gitignore—such as build/, dist/, and docs/build/—to avoid scanning generated artifacts.

Justfile (1)

150-157: Secretlint recipe implementation looks good with minor suggestions.

The implementation correctly uses npx --yes for auto-installation and has proper error handling. However, consider these optimizations:

1. The "**/*" pattern scans all files, which might be less efficient than letting secretlint use its .secretlintignore configuration.
2. The alias ls could be confusing since it conflicts with the common Unix ls command.

Consider this alternative implementation:

-    npx --yes secretlint "**/*" && echo "✅ Secretlint completed successfully." || (echo "❌ Secretlint found issues!" && exit 1)
+    npx --yes secretlint . && echo "✅ Secretlint completed successfully." || (echo "❌ Secretlint found issues!" && exit 1)

And consider a more descriptive alias:

-alias ls := lint-secrets
+alias lsec := lint-secrets

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between dc5c9e9 and 5c2f712.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (7)

• .gitignore (1 hunks)
• .pre-commit-config.yaml (1 hunks)
• .secretlintignore (1 hunks)
• .secretlintrc.json (1 hunks)
• Justfile (1 hunks)
• package.json (1 hunks)
• test.txt (1 hunks)

🔇 Additional comments (3)

.gitignore (1)

25-27: Approve ignoring node_modules
Adding the #other modules section and ignoring node_modules/ is correct given the new Node.js dependencies introduced for secretlint.

.secretlintrc.json (1)

2-5: Approve secretlint rule configuration
Using the @secretlint/secretlint-rule-preset-recommend preset is a solid baseline. Ensure that any project-specific rules or severity overrides are added as needed in future updates.

.pre-commit-config.yaml (1)

51-60: Excellent pre-commit hook configuration for secretlint.

The implementation is well-designed with:

• --maskSecrets flag for secure output handling
• Appropriate file type targeting with regex pattern
• Proper exclusion of common non-source directories
• Correct use of pass_filenames: true for efficient file processing
• types: [text] ensures only text files are processed

This provides a good balance between security coverage and performance for pre-commit hooks.

[ellipsis-dev]

Important

Looks good to me! 👍

Reviewed 291b887 in 1 minute and 10 seconds. Click for details.

• Reviewed 30 lines of code in 1 files
• Skipped 0 files when reviewing.
• Skipped posting 2 draft comments. View those below.
• Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.

1. Justfile:89

• Draft comment:
  Secretlint dependency check added to the check-deps recipe looks good. Consider whether missing secretlint should cause a non-zero exit (consistent with other tool checks) rather than only a warning.
• Reason this comment was not posted:
  Confidence changes required: 33% <= threshold 50% None

2. Justfile:153

• Draft comment:
  The install-secretlint recipe is implemented correctly. Ensure that the project documentation covers the Node.js and npm prerequisites required for secretlint.
• Reason this comment was not posted:
  Confidence changes required: 0% <= threshold 50% None

Workflow ID: wflow_2biH5X7sZjz8VY9Q

^{You can customize by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.}

[smorin]

add install of npm to the makefile and add to the dependency check. Use nvm to install npm

[smorin]

Note @husnain067 nvm can't be detected with which command since it's not a commandline command but rather a bash/zsh function that runs on the command line. I wasted a lot of time learning that.

# Install nvm node version manager
[group('install')]
install-nvm:
    @echo "Installing nvm"
    @if [ ! -f "$HOME/.zshrc" ]; then \
        echo "{{CROSS}} ~/.zshrc not found - creating..."; \
        touch "$HOME/.zshrc"; \
    fi
    @source ~/.zshrc && if [ ! -d "$HOME/.nvm" ]; then \
        echo "{{CROSS}} NVM directory not found - installing..."; \
        curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash; \
        source ~/.zshrc; \
    elif ! grep -q "export NVM_DIR=\"\$HOME/.nvm\"" "$HOME/.zshrc"; then \
        echo "{{CROSS}} NVM configuration not found in .zshrc"; \
        just setup-nvm-path; \
        source ~/.zshrc; \
    elif ! type nvm > /dev/null 2>&1; then \
        echo "{{YELLOW}}NVM installed but not loaded - loading configuration...{{NC}}"; \
        echo "{{RED}}Please fix NVM loading or path before continuing{{NC}}"; \
        echo "nvm is bash function, not executable"; \
        exit 1; \
    else \
        echo "{{CHECK}} NVM is properly installed and configured"; \
    fi
    @echo "Installing latest node..."
    just generate-just-completions
    # load nvm which is a bash function
    source ~/.zshrc; \
    nvm install node; \
    nvm use node; \
    npm install -g npm@latest 

Example setting up the env

# Setup NVM configuration in .zshrc
[group('configure')]
setup-nvm-path:
    @echo "Setting up NVM configuration in .zshrc"
    @if ! grep -q "export NVM_DIR=\"\$HOME/.nvm\"" "$HOME/.zshrc"; then \
        echo "export NVM_DIR=\"\$HOME/.nvm\"" >> "$HOME/.zshrc"; \
        echo "[ -s \"\$NVM_DIR/nvm.sh\" ] && \. \"\$NVM_DIR/nvm.sh\"  # This loads nvm" >> "$HOME/.zshrc"; \
        echo "[ -s \"\$NVM_DIR/bash_completion\" ] && \. \"\$NVM_DIR/bash_completion\"  # This loads nvm bash_completion" >> "$HOME/.zshrc"; \
        echo "{{CHECK}} Added NVM configuration to .zshrc"; \
    else \
        echo "{{CHECK}} NVM configuration already exists in .zshrc"; \
    fi

[ellipsis-dev]

Important

Looks good to me! 👍

Reviewed 17a77e2 in 1 minute and 21 seconds. Click for details.

• Reviewed 21 lines of code in 1 files
• Skipped 1 files when reviewing.
• Skipped posting 1 draft comments. View those below.
• Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.

1. .pre-commit-config.yaml:50

• Draft comment:
  The secretlint hook configuration has been removed from the pre-commit config. The PR description specifies that secretlint should be added to the pre-commit hook. Please clarify if this removal is intentional or if the hook should be added back.
• Reason this comment was not posted:
  Decided after close inspection that this draft comment was likely wrong and/or not actionable: usefulness confidence = 10% vs. threshold = 50% The comment violates several rules: 1) It asks for clarification about intention ("Please clarify if...") 2) It references the PR description which we're told to ignore 3) It's asking the author to confirm something rather than pointing out a clear issue 4) We're told to assume file changes are intentional by default. Maybe the secretlint hook is a critical security feature that shouldn't be removed without replacement? While security is important, we don't have enough context to know if this is critical or if there's a replacement elsewhere. Our rules state we should assume changes are intentional and not make speculative comments. The comment should be deleted as it violates multiple rules about asking for clarification and assuming changes aren't intentional.

Workflow ID: wflow_r0Of0Z5Kqy75PooC

^{You can customize by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.}

[ellipsis-dev]

Important

Looks good to me! 👍

Reviewed df12835 in 1 minute and 19 seconds. Click for details.

• Reviewed 13 lines of code in 1 files
• Skipped 1 files when reviewing.
• Skipped posting 1 draft comments. View those below.
• Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.

1. package.json:3

• Draft comment:
  Version bump for secretlint dependencies to ^9.3.4 looks correct. Ensure that this change is aligned with the configuration and pre-commit updates.
• Reason this comment was not posted:
  Confidence changes required: 0% <= threshold 50% None

Workflow ID: wflow_G3DzUu6Y0kkQvBvz

^{You can customize by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.}