
[FEATURE]: Integrate secretlint to detect and prevent credential leaks #201

@smorin

Description


Feature Type

New Functionality

Priority/Impact

High

Problem Statement

Our project currently lacks automated detection for secrets and credentials in the codebase. This poses a significant security risk as developers might accidentally commit sensitive information like API keys, passwords, or tokens. We need a reliable mechanism to scan for credentials in the project, report them, and prevent committing such sensitive data.

Requires Proposal

No, straightforward implementation

Proposed Solution

Integrate secretlint (https://github.com/secretlint/secretlint) into the py-launch-blueprint project with the following capabilities:

  1. Add secretlint configuration file with appropriate rules for our project
  2. Implement secretlint in the existing justfile to allow running manually via command: just lint-secrets
  3. Add secretlint to the pre-commit hook to prevent committing files containing credentials
  4. Configure secretlint in the CI/CD pipeline to scan for credentials during automated builds
  5. Add documentation on how to use secretlint and what types of secrets it detects

This will enable:

  • Scanning for credentials in the project and reporting them
  • Preventing the commit of files containing credentials via pre-commit hook
  • Regular scanning in CI to catch any issues that might have been missed

Research Needed

Yes

Research Details

Please review all of the following criteria that must be met for this feature to be considered complete:

Technical Requirements:

  • Testing is added to the pre-commit hook
  • Testing is added to the CI/CD pipeline in the GitHub Actions
  • Documentation is added and updated into the documentation in Sphinx
  • There is appropriate unit test coverage
  • Command has been added (if necessary)

Example config

Acceptance Criteria Confirmation

Yes

Pre-submission Confirmation

Yes
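Added example, not code from the py-launch-blueprint project or from secretlint itself: a small POSIX shell helper showing the three pieces the proposal asks for (a config file enabling secretlint's published recommended preset, the full-tree scan a `just lint-secrets` recipe would call, and a staged-files scan for a pre-commit hook). It assumes Node.js with `npx` is installed and that secretlint and the preset have been added as dev dependencies; the function names, the staged-files approach and the pre-commit/CI snippets in the comments are this example's own choices and should be checked against secretlint's documentation before adoption.

```shell
#!/usr/bin/env sh
# Helper for wiring secretlint into a repository (example code, not the
# project's own). Install first:
#   npm install --save-dev secretlint @secretlint/secretlint-rule-preset-recommend
set -eu

# 1. Write a .secretlintrc.json that enables the recommended preset.
#    $1 = directory that receives the config (defaults to the current dir).
#    Prints the path of the written file so callers can check it.
write_secretlint_config() {
    dir="${1:-.}"
    cat > "$dir/.secretlintrc.json" <<'EOF'
{
  "rules": [
    {
      "id": "@secretlint/secretlint-rule-preset-recommend"
    }
  ]
}
EOF
    printf '%s\n' "$dir/.secretlintrc.json"
}

# 2. Full-tree scan. This is the command a justfile recipe would run:
#      lint-secrets:
#          npx secretlint "**/*"
#    The quotes matter: secretlint expands the glob itself. The exit status is
#    secretlint's own, non-zero when a secret is reported, so CI fails on leaks.
lint_secrets() {
    command -v npx >/dev/null 2>&1 || {
        echo "npx not found; install Node.js first" >&2
        return 2
    }
    npx secretlint "**/*"
}

# 3. Staged-files scan for a git pre-commit hook. Only files staged for commit
#    (added, copied or modified) are passed, so the hook stays fast and a file
#    with a credential is rejected before it reaches history. NUL-separated
#    names keep paths with spaces intact.
#    If the repo uses the pre-commit framework instead, the equivalent
#    .pre-commit-config.yaml entry (assumed from secretlint's repository) is:
#      repos:
#        - repo: https://github.com/secretlint/secretlint
#          rev: <pinned secretlint tag>
#          hooks:
#            - id: secretlint
lint_staged_secrets() {
    command -v npx >/dev/null 2>&1 || return 2
    if git diff --cached --name-only --diff-filter=ACM -z | grep -qz .; then
        git diff --cached --name-only --diff-filter=ACM -z | xargs -0 npx secretlint
    fi
}

# Usage: `. ./secretlint-helper.sh` then call one of the functions, or run
# `sh secretlint-helper.sh scan` / `sh secretlint-helper.sh staged`.
case "${1:-}" in
    scan)   lint_secrets ;;
    staged) lint_staged_secrets ;;
    init)   write_secretlint_config "${2:-.}" ;;
esac
```

A GitHub Actions step can reuse the same command after `npm ci`, e.g. `run: npx secretlint "**/*"`, so the justfile, the hook and CI all execute one identical scan and cannot drift apart.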

Metadata


Assignees

Labels

enhancement (New feature or request)

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests
