diff --git a/README.md b/README.md index 09eaade..575d472 100644 --- a/README.md +++ b/README.md @@ -81,6 +81,10 @@ to produce a complete package. This runs all the phases necessary, including com - `install` - install into your local repository - `deploy` - deploy to a remote repository — note that the Roundup action does this automatically for releases +#### :guardsman: Secrets Detection Setup and Update +The PDS uses [Detect Secrets](Detect Secrets](https://nasa-ammos.github.io/slim/docs/guides/software-lifecycle/security/secrets-detection/)) to help prevent committing information to a repository that should remain secret. + +For Detect Secrets to work, there is a one-time setup required to your personal global Git configuration, as well as several steps to create or update the **required** `.secrets.baseline` file needed to avoid false positive failures of the software. See [the wiki entry on Detect Secrets](https://github.com/NASA-PDS/nasa-pds.github.io/wiki/Git-and-Github-Guide#detect-secrets) to learn how to do this. #### 🪝 Pre-Commit Hooks @@ -94,23 +98,7 @@ $ source .venv/bin/activate # Use source .venv/bin/activate.csh if you're usin $ pip install pre-commit git+https://github.com/NASA-AMMOS/slim-detect-secrets.git@exp ``` -You can then establish a secrets baseline in your Maven-based repository: - - detect-secrets scan . \ - --all-files \ - --disable-plugin AbsolutePathDetectorExperimental \ - --exclude-files '\.secrets..*' \ - --exclude-files '\.git.*' \ - --exclude-files '\.pre-commit-config\.yaml' \ - --exclude-files 'target' > .secrets.baseline - -Review the secrets to determine which should be allowed and which are false positives: - - detect-secrets audit .secrets.baseline - -Please remove any secrets that should not be seen by the public. You can then add the baseline file to the commit: - - git add .secrets.baseline +See Detect Secrets information above to setup your secrets baseline prior to proceeding. Finally, install the pre-commit hooks:
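Review bot: The Markdown link in the first added paragraph of the `@@ -81,6 +81,10 @@` hunk is malformed. `[Detect Secrets](Detect Secrets](https://nasa-ammos.github.io/slim/docs/guides/software-lifecycle/security/secrets-detection/))` repeats the link text inside the target and leaves an unbalanced closing parenthesis, so the SLIM guide will not render as a link. It should read `[Detect Secrets](https://nasa-ammos.github.io/slim/docs/guides/software-lifecycle/security/secrets-detection/)`. As a style point, the new heading uses the `:guardsman:` shortcode while the neighbouring heading uses a literal emoji (`🪝`), so pick one convention. The sentence "there is a one-time setup required to your personal global Git configuration" would also read better as "a one-time change to your personal global Git configuration is required".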
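Review bot: In the `@@ -94,23 +98,7 @@` hunk, the replacement sentence drops the repository-specific guidance that the removed lines carried. That guidance includes the Maven build-output exclusion (`--exclude-files 'target'`), the `--disable-plugin AbsolutePathDetectorExperimental` option, the `detect-secrets audit .secrets.baseline` review step, and the instruction to remove any secrets that should not be seen by the public before `git add .secrets.baseline`. Nothing in this diff shows that the wiki entry covers the Maven-specific exclusion. Without it, a baseline generated from the generic instructions may pick up files under `target`. Either confirm that the wiki documents these options for Maven repositories or keep a short note here listing the exclusions this template needs. A one-line reminder to audit the baseline and remove real secrets before committing it is also worth keeping. Two wording fixes: "setup" is used as a verb and should be "set up", and "See Detect Secrets information above" would be clearer as "See the Secrets Detection Setup and Update section above".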