Thanks to all our contributors, users, and the many people that make detect-secrets possible!
:heart:
If you love detect-secrets, please star our project on GitHub to show your support! ⭐
We apologise for the extreme delay in publishing a new release for our beloved detect-secrets. We at Yelp appreciate your continued support and your contributions to this valuable project!
- We're adding support for Python 3.10, 3.11 and 3.12 and we dropped support for Python 3.6 and 3.7! We hope this won't be too disruptive for you all. Be aware that in a next release, we'll remove support for Python 3.8 too, as it'll reach EOL in October 2024.
- Added support for OS-agnostic baseline files (#586)
- Added a detector for IP addresses (#692)
- Added a detector for GitLab tokens (#782)
- Added a detector for Telegram tokens (#808)
- Added a detector for Pypi and TestPypi tokens (#819)
- Added a detector for OpenAI tokens (#823)
- Added filenames in errors thrown when a plugin file specified in the
.secrets.baselineis not found. (#719) - Changed the wording of the audit prompt (#738)
- Improved DiscordBotTokenDetector to reduce false negatives (#628)
- Improved KeywordDetector to reduce false positive for Golang (#675)
- Improved AWSKeyDetector by adding more access key formats (#796)
- Fixed
NotImplementedErrorin StatisticsAggregator (#678) - Fixed bug in YAMLTransformer related to parsing YAML files with achors and tags (#679)
- Fixed
IndexErrorinis_prefixed_with_dollar_signcaused by passing empty strings (#712)
- Dropped support for Python 3.6 (#672)
- Dropped support for Python 3.7 (#724)
- Added support for Python 3.10 (#724)
- Added support for Python 3.11 (#730)
- Added support for Python 3.12 (#810)
- Multiple dependency updates
- We're dropping support for Python 3.6 starting v1.5.0! Python 3.6 reached EOL on December 23, 2021 and, therefore, is currently unsupported. We hope this announcement gives you plenty of time to upgrade your project, if needed.
- Improved filtering by excluding secrets that have already been detected by a regex-based detector (#612)
- Added a detector for Discord bot tokens (#614)
- Improved the audit report to make it easier to parse programmatically (#619)
- Improve ArtifactoryDetector plugin to reduce false positives (#499)
- Fixed the verify flow in audit report by adding the code snippet of the verified secret (#620)
- Fixed deploy process to be environment configuration independent (#625)
- Added support for .NET packages.lock.json files in the heuristic filter (#593)
- Multiple dependency updates
- Add Windows operating system to Github CI Action (#528)
- Enable dependabot for automated dependency updates built into GitHub (#531)
- Improve performance for array slice (#555)
- Improve keyword plugin to detect arrow key assignment (#567)
- Add command line argument for
detect-secrets-hookto return output as json (#569)
- Fix regex matching for
npmplugin (#551) - Fix
auditcrashing when secret is not found on specified line (#568) - Fix
# pragma: allowlist nextline secretsecrets not filtered out of result set (#575) - Fix
is_verifiedflag not stored inPotentialSecret(#578)
- Only use ANSI color code in environments that support it (#523)
- Multiple dependency updates
- Make
is_likely_id_stringheuristic filter more strict to avoid eliminating true positives (#526) - Refactor AWS access key regex to minimize false positives (#571)
- Correct spelling errors in code repository (#574)
- Add
py.typedto enable type hints for package consumers (#579)
- New GitHub token plugin added (#465)
- New SendGrid plugin added (#463)
- More new ignored file extensions
- Fixes catastrophic backtracking for indirect reference heuristic (#509)
- Fixes pre-commit hook secret equality checking causing updates to baseline with no real changes - only a timestamp update (#507)
- Fixes python 3.8 failing to load plugins on windows and macos (#505)
- Fixes yaml transformer inline dictionary index out of bounds exceptions (#501)
- Fixes regex for slack url (#477)
- Fixes
AttributeError: 'PotentialSecret' object has no attribute 'line_number'by safely falling back to 0 if line_number isn't present. (#476)(#472) - Fixes gibberish-detector current version
- Fixes filtering ordering in .secrets.baseline
- Updated README due hook failing to interpret filenames with spaces (#470)
- Add CI github action badge to README
- Development dependency bumps (#519)
- New gibberish filter added (#416)
- Multiprocessing support, for faster scans! (#441)
- Support for scanning different directories (rather than the current directory) (#440)
KeywordDetectorsupports whitespace secrets (#414)KeywordDetectornow supports prefix/suffixed keywords, and accuracy updates- Adding alphanumerical filter to ensure secrets have at least one letter/number in them (#428)
- New filter added for ignoring common lock files (#417)
- More new ignored file extensions
- Adding filter to ignore swagger files
- Added
audit --reportto extract secret values with a baseline (#387, thanks @pablosantiagolopez, @syn-4ck)
KeywordDetectornow defaults to requiring quotes around secrets (#448)KeywordDetectornow searches for more keywords (#430)
- Filter caches are cleared when swapping between different
Settingsobjects (#444) - Upgrading baselines from <0.12 migrates
excludetoexclude-filesrather thanexclude-lines(#446)
- More verbose logging, to help with debugging issues (#432)
- YAMLTransformer handles binary entries differently
- Fixes
SecretsCollectionsubtraction method, to handle non-overlapping files. - Fixes installation for Windows environments (#412, thanks @pablosantiagolopez)
KeywordDetectoris no longer case-sensitive.
- Added a concept of "filters", to weed out false positives
- Introduce the concept of "transformers", to standardize file parsing across plugins
- Designed an upgrade system for easy migrations of older baseline versions
- Core engine redesigned to support module usage (rather than just interacting with it through the command line)
- Added a global
Settingsobject for repeatable, serializable, configurations - Introduced dependency injection framework for easy-to-design filters.
Honestly, too many to list out. Check out the original pull request
(#355) for more details. It's safe to assume
that if you interacted with detect-secrets as a module (rather than solely a pre-commit hook
or CLI tool), the APIs have changed (for the better).
However, with the new upgrade infrastructure in place, the baseline files will auto upgrade by themselves. Users that have used it solely as a pre-commit hook or CLI tool may need to consult the "User Facing Changes" for flag renaming.
- Added
NpmDetector(#347, thanks @ninoseki) - Added
AzureStorageKeyDetector(#359, thanks @DariuszPorowski) - Added
SquareOauthDetector(#398, thanks @pablosantiagolopez) - Added
--only-allowlistedflag to scan for inline ignores - Added
--list-all-pluginsto show a list of all plugins available to the engine - Added
--exclude-secretsflag to ignore secrets that match specific regexes (#391, thanks @pablosantiagolopez) - Added
--slimflag to generate baselines that minimize git diffs - Added
--disable-filterto disable specific filters - Added
--disable-pluginto disable specific plugins - Added support for
# pragma: allowlist nextline secretto ignore the following line (#367, thanks @nickiaconis)
- AWS Plugin now scans for secret tokens as well (#397, thanks @pablosantiagolopez)
- The README now includes examples of common usages, features, and an FAQ section for the common questions we often receive as GitHub issues.
- So much better technical documentation!
- Type support added
- Inline allowlisting is respected by regular scans, rather than only pre-commit hook
auditfunctionality improved on Windows machines- git operations now handle file paths with spaces
- fix KeywordDetector hanging on very long lines (#373, thanks @gpflaum)
- Fix a
TypeErrorexception in adhoc string scanning (#336)
- Fixed an
AttributeErrorexception in the pre-commit hook, when on Windows (#321, thanks @JohnNeville)
- Add missing
tuple()conversion that raised aTypeErrorwhen usingscan --update(#317, thanks @shaikmanu797)
- Remove support for Python 2 (#292, big thanks to [@KevinHock]!)
- Add support for custom plugins (#308, big thanks to [@KevinHock]!)
- Make IBM plugins less noisy (#289, thanks to [@killuazhu])
- Display helpful error message when scanning a baseline from a newer
detect-secretsversion (#293, #269)
- Pin coverage version used in testing (#290)
- Adding plugin for IBM's Cloudant (#261, thanks [@killuazhu])
- Adding plugin for IBM Cloud Object Storage HMAC (#263, thanks [@killuazhu])
- Adding Twilio plugin (#267, thanks [@EdOverflow])
- Support for
DETECT_SECRETS_SECURITY_TEAMenvironment variable to customize the pre-commit hook error message (#283, thanks [@0atman])
- Adhoc
HighEntropyStringscanning supports multiple words (#287)
- Rationale for the minor version bump:
- Some accuracy changes that might change baselines significantly
- @OiCMudkips' first release increases spookiness
- It being almost Halloween increases spookiness
- Added a Softlayer plugin (#254, thanks [@killuazhu] and [@justineyster])
- Support URL-safe base64 strings in the base64 plugin (#245)
- Make it easier to add new plugins to detect-secrets (#248)
- Exclude NOPASSWD from the keyword detector (#247, thanks [@security-architecture])
- Ignore lines with
idin them in the high-entropy plugins (#245) - Ignore UUIDs detected by the base64 plugin (#245)
- Fix the signal metric in the audit results view (#251)
- Added a
JwtTokenDetectorplugin (#239, thanks [@gdemarcsek]) - Added verification for Mailchimp API keys
- Added verification for Stripe secret API keys
- Added a
--word-listoption for filtering secrets with words in them (#241, dopip install detect-secrets[word_list]to use this feature)
- Fixed a bug where we were not skipping ignored file extensions
- Fixed a bug in the
auditfunctionality where we crashed if the baseline had a Mailchimp secret in it
- Added a
MailchimpDetectorplugin (#217, thanks [@dgzlopes]) - Added verification for Slack webhooks (#233, thanks [@Patil2099])
- Added handling of binary secrets in YAML files (#223)
- Added various accuracy improvements to the
KeywordDetectorplugin (#229)
- Fixed a bug in the
auditfunctionality where we crashed when the highlighter failed (#228) - Fixed a bug in the
auditfunctionality where there was no (b)ack audit functionality when a secret was not found (#215, thanks [@dgzlopes]) - Fixed a bug where we were not excluding SVG files (#219)
- Added a unique exit code to identify baseline changes (#214, thanks [@lirantal])
- Updated and ran our pre-commit hooks (#221, thanks [@killuazhu])
- Added webhook detection to our
SlackDetectorplugin (#195, thanks [@adrianbn]) - Added support for scanning multiple files (#188, thanks [@dgzlopes])
- Added support for scanning multiple repositories (#193)
- Added verification for AWS access keys and Slack tokens (#194)
- Added an
audit --display-resultsfeature to aid plugin development (#205)
- Improved our Artifactory regex (#195, thanks [@adrianbn])
- Improved sequential string detection to catch the Base64 character set (#207)
- Moved our sequential string detection so it is used by all plugins (#196)
whitelist/blacklisthave been replaced withallowlist/denylist(#178, thanks [@richo]). This includes using# pragma: allowlist secretnow for inline allowlisting.# pragma: whitelist secretcompatibility will be removed in a later major version bump.
- Added a
StripeDetectorplugin (#169, thanks [@dgzlopes]) - Improved handling of un-scannable files (#176, thanks [@dgzlopes])
- Improved documentation of regex based detector's in the README (#177, thanks [@dgzlopes])
- Added an
ArtifactoryDetectorplugin (#157 and #163, thanks [@justineyster]) - Added support for Golang string assignments in the
KeywordDetectorplugin (#162, thanks [@baboateng]) - Added support for XML inline whitelisting comments (#152, thanks [@killuazhu])
- Added support for text after inline whitelisting comments (#168, thanks [@dgzlopes])
- Fixed a bug where filetype detection failed due to an inconsistent
configparserimport (#155, thanks [@Namburgesas])
- Greatly improved the readability of regular expressions in the
KeywordDetectorplugin, and the maintainability of the corresponding test (#160 and #161, thanks [@baboateng]) - Added a contribution guide (#166, thanks [@zioalex])
- Documented all of our inline whitelisting directives (#165 and #172, thanks [@dgzlopes])
- Fixed a bug where the improved performance for high-entropy strings (#144) did not work on Python 2 (#147)
- Added a
--keyword-excludeargument toscan(#132, thanks [@hpandeycodeit])
- For the
KeywordDetectorplugin: made quotes required for secrets in.clsand.javafiles, and skipped{{secrets like this}}in YAML files (#133/#145)
- Improved performance when scanning for high-entropy strings (#144, thanks [@killuazhu])
- Fixed an uncaught
UnicodeEncodeErrorexception in ourinifile parser, when using Python 2 (#143)
- Fixed the example pre-commit configuration in the README (#135, thanks [@nymous]) (#138, thanks [@neunkasulle])
- Refactored some
auditcode intoCodeSnippetandCodeSnippetHighlighterclasses (#137)
- Added a
SlackDetectorplugin (#122, thanks [@killuazhu]) - Added a
--use-all-pluginsargument to--updatethat adds all plugins to the baseline (#124, thanks [@killuazhu]) - Added
--exclude-filesand--exclude-linesarguments toscan(#127)
- Removed the
--excludeCLI scan argument (#127)
- Reduced false-positives by excluding more characters (
!$&\';) in theBasicAuthDetectorregex (#126, #123, thanks [@killuazhu]) - Added more to the
FALSE_POSITIVESdict for theKeywordDetectorplugin, includingpassword(#118)
- Fixed a bug where
--updatewas adding all plugins to the baseline, instead of respecting the plugins used in the baseline (#124, thanks [@killuazhu]) - Fixed an uncaught
UnicodeEncodeErrorexception when scanning non-ini files (e.g. markdown) containing unicode, when using Python 2 (#128, thanks [@killuazhu]) - Fixed a bug where non-ini files (e.g. markdown) containing unicode caused a
UnicodeEncodeErrorexception in theauditfunctionality, when using Python 2 (#129, thanks [@killuazhu]) - Fixed a bug where non-posix end of line characters caused a "Secret not found on line...." error in the
auditfunctionality (#120, thanks [@killuazhu]) - Fixed a bug where
scan_diff, called bydetect-secrets-server, was ignoring inlinepragma: whitelist secretcomments (#127)
- Relaxed the number of spaces before inline
pragma: whitelist secretcomment (#125, thanks [@killuazhu]] - Added Python 3.7 to Travis CI and
tox.initesting (#114, thanks [@cclauss]) - Increased minimum test coverage from 97% to 98%
- Fixed a bug where we were adding an extra-newline in
detect-secrets scanoutput (#111)
- Reorganized the code, mainly creating a
common/directory (#113)
- Turned the
KeywordDetectorplugin back on, with new regexes and accuracy improvements (#86) - Added an
AWSAccessKeyDetectorplugin (#100) - Added the ability to scan
.initypes files that don't have a header (#106)
- Add blacklisting of PGP private key headers in
PrivateKeyDetectorplugin (#104) - Reduced false-positives by improving
BasicAuthDetectorplugin regex (#98)
- Fixed a bug where we were not showing removed lines in the
auditfunctionality (#98)
- Added whitelist directive regexes to match against inline comment syntaxes in more languages (#105)
- Refactored various detectors to use
RegexBasedDetector(#103) - Refactored the
BashColorsingleton into thecolorizefunction (#109) - Small improvements to existing file parsers (#107)
- Refactored the
BasePluginto use theWHITELIST_REGEX(#99) - Removed
unidifffrom standard dependencies (#101)
- Made the pre-commit hook automatically update the baseline (#96)
- Added the
audit --difffunctionality (#95)
- Added display of secret type in audit functionality (#94)
- Added a "Please git add the baseline" message (#89)
- Improved the "Unable to open baseline file" message (#91)
- Update
scan --updateresults to only propagateis_secretof new secrets (#90)
- Disabled
KeywordDetectorplugin temporarily (#89)
- Ordered baseline hashes, for better diffs (#84)
- Added a "Please git add the baseline" message (#89)
- Improved error messages for pre-commit hook (#85)
- Fixed a couple bugs in the
auditfunctionality, one for small files and the other case-sensitivity in theKeywordDetectorplugin (#83, thanks [@jkozera])
- Added a
KeywordDetectorplugin, that was horrible and regretful (#76)
- Fixed a bug in
scan --updatewhere we would append the baseline exclude regex to itself (#78) - Fixed the regular expression in the
BasicAuthDetectorplugin so that it didn't run forever (#80) - Removed trailing whitespace from
scanoutput (#78)
- Added command line hints and baseline clarification in the README (#81, thanks [@JoshuaRLi])
- Added a (b)ack option to 'Is this a valid secret?' (#72, thanks [@cleborys])
- Added a
BasicAuthDetectorplugin (#74) - Added CLI functionality to check strings in an adhoc manner (#73)
- Added a check to only load json from stdin if it exists (#69, thanks [@guykisel])
- Fixed a typo in the README (#68, thanks [@whathejoe])
- Fixed a bug where we didn't skip sequential strings when we should have (#67)
- Changed
--auditand--scantoauditandscan(#51) - Changed
scan --import <baseline>toscan --update <baseline>(#58)
- Reduced false-positives caused by sequential strings, e.g.
ABCDEF(#64)
- Fixed a bug where the pre-commit code would remove the
is_secretattribute from audited baselines (#65) - Fixed an
auditbug where we would crash if a file in the baseline did not exist (#56) - Improved the
auditfunctionality to handle short files better (#48)
- Fixed numbering system with interactive audit
- Fixed "leapfrog" edge case for audit functionality (#47)
- Added ability to migrate baselines from an older version to a newer version
- Added functionality to audit baseline, to distinguish difference between false and true positives in the baseline file (#44)
- Upgraded
PrivateKeyPlugin: more search parameters, more lines searched, and secret hash created using payload (rather than the entire line content)
- Differentiate between
Base64HighEntropyStringsandHexHighEntropyStringsthroughsecret_type(#26) - Got rid of
SensitivityValuesas a means to store plugin configs
- Improved the heuristic for
HexHighEntropyStrings, reducing the false positive rates for large numbers identified in code
- Baseline always outputs in sorted order now, to prevent unnecessary diffs (#25)
- Escape exclude regex statements before compilation (#39)
- Fixed case where details of plugins used were not included in the baseline, when the pre-commit hook updated it (#40)
- Simplified logging by removing
CustomLog(#46)
- Allow scanning of non-git files (#18)
- Improved scanning of INI config files with
HighEntropyString(#13 and #17) - Improved scanning of YAML files with
HighEntropyString(#16)
- Fixed
PrivateKeyDetectorplugin analyze results' representation (#15)