feat(security): add pre-commit hooks for secret detection #50
Conversation
- Add gitleaks for hardcoded secrets detection - Add detect-aws-credentials hook - Add .gitleaks.toml for custom rules (AI/LLM API keys)
Summary of ChangesHello @XiaoBoAI, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request significantly bolsters the project's security by implementing automated secret detection mechanisms. By integrating new pre-commit hooks, the system will now proactively identify and prevent the accidental inclusion of sensitive credentials and API keys, including those specific to AI/LLM services, directly into the codebase. This helps maintain a cleaner and more secure repository. Highlights
🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console. Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces pre-commit hooks for secret detection using gitleaks and detect-aws-credentials, which is a great security enhancement. The custom gitleaks configuration is well-structured, but some of the regular expressions for key detection can be improved for better accuracy and maintainability. I've provided suggestions to make the regex patterns more specific to the key formats they are targeting, which will help reduce false positives and ensure real secrets are caught. I also recommend removing one custom rule that is less specific than the default gitleaks rule it overrides.
.gitleaks.toml
Outdated
| [[rules]] | ||
| id = "openai-project-key" | ||
| description = "OpenAI Project API Key" | ||
| regex = '''sk-proj-[a-zA-Z0-9_-]{80,}''' |
There was a problem hiding this comment.
The regex for OpenAI Project API keys is incorrect. Project keys have a fixed length of 48 alphanumeric characters following the sk-proj- prefix, for a total of 56 characters. The current regex looks for a minimum of 80 characters and incorrectly includes _ and - as valid characters in the key.
regex = '''sk-proj-[a-zA-Z0-9]{48}'''
.gitleaks.toml
Outdated
| [[rules]] | ||
| id = "anthropic-api-key" | ||
| description = "Anthropic API Key" | ||
| regex = '''sk-ant-[a-zA-Z0-9-_]{80,}''' | ||
| keywords = ["sk-ant-"] |
There was a problem hiding this comment.
This custom rule for Anthropic API keys overrides the default gitleaks rule with a less specific pattern. Since useDefault = true is set, it's better to remove this custom rule and rely on the more precise default rule (sk-ant-api03-[a-zA-Z0-9-_=]{95}). This will improve detection accuracy and reduce potential false positives.
.gitleaks.toml
Outdated
| [[rules]] | ||
| id = "alibaba-cloud-access-key" | ||
| description = "Alibaba Cloud Access Key ID" | ||
| regex = '''(?i)(?:alibaba|aliyun|acs)[-_]?(?:access)?[-_]?key[-_]?(?:id)?\s*[=:]\s*['"]?(LTAI[a-zA-Z0-9]{12,})['"]?''' |
There was a problem hiding this comment.
The regex for Alibaba Cloud Access Key ID is a bit too loose. These keys have a fixed length, starting with LTAI followed by 20 alphanumeric characters. Making the regex more specific will improve accuracy.
regex = '''(?i)(?:alibaba|aliyun|acs)[-_]?(?:access)?[-_]?key[-_]?(?:id)?\s*[=:]\s*['"]?(LTAI[a-zA-Z0-9]{20})['"]?'''
.gitleaks.toml
Outdated
| [[rules]] | ||
| id = "huggingface-token" | ||
| description = "HuggingFace API Token" | ||
| regex = '''hf_[a-zA-Z0-9]{30,}''' |
There was a problem hiding this comment.
The regex for HuggingFace API tokens can be more specific. These tokens consist of hf_ followed by 35 alphanumeric characters. A more precise regex will reduce the chance of false positives.
regex = '''hf_[a-zA-Z0-9]{35}'''
.gitleaks.toml
Outdated
| [[rules]] | ||
| id = "generic-api-key-assignment" | ||
| description = "Generic API Key Assignment" | ||
| regex = '''(?i)(?:api[-_]?key|apikey|secret[-_]?key|auth[-_]?token|access[-_]?token)\s*[=:]\s*['"]([a-zA-Z0-9_\-]{32,})['"]''' |
There was a problem hiding this comment.
In the character set [a-zA-Z0-9_\-], the hyphen - does not need to be escaped when it's at the end of the set. Removing the unnecessary backslash improves readability.
regex = '''(?i)(?:api[-_]?key|apikey|secret[-_]?key|auth[-_]?token|access[-_]?token)\s*[=:]\s*['"]([a-zA-Z0-9_-]{32,})['"]'''
- Remove openai-api-key, openai-project-key, anthropic-api-key rules (conflict with more accurate default gitleaks rules) - Remove alibaba-cloud and huggingface rules (already in defaults) - Keep only dashscope-api-key (Qwen specific, not in defaults)
helloml0326
requested review from
XieLipeng0830,
helloml0326,
ployts and
weizhang25
OpenJudge Version
[The version of OpenJudge you are working on, e.g.
import openjudge; print(openjudge.__version__)]Description
[Please describe the background, purpose, changes made, and how to test this PR]
Checklist
Please check the following items before code is ready to be reviewed.
pre-commit run --all-filescommand