Remove .secrets.baseline #169
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file was generated as part of the initial commit and hasn't been touched since. It's a config file for [detect-secrets][1] which is a pre-commit hook scanning tool looking for stuff that looks a bit like secrets and catching them before you commit and send them to github repos. Two reasons we're removing this: 1. Detect Secrets and Pre-commit hooks do not appear to be widely used by this team, nor integrated into our documentation. If we think there's value in this approach we should look at bringing it back alongside a wider bit of team training, and with a view to our README.md and onboarding. 2. We can effectively deem this repository as a low risk for secrets leakage, whilst it does have a deployment element and there is always a risk there, most of the changes are content related. Those with access to keys that could be leaked are small in number. Were we to spot any leakage, it's those same folks who could quickly rotate keys. And this is not an application that contains PII. Worst case we can blow it away and redeploy as a static site. That's not to preclude us looking at a better security threat assessment here, just to say that for now it's not a burning priority here and if we change our mind we should bring it back as part of a fuller implimentation. [1]: https://github.com/Yelp/detect-secrets
andyloughran
approved these changes
Jan 31, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Closes: #162
This file was generated as part of the initial commit and hasn't been touched since.
It's a config file for detect-secrets which is a pre-commit hook scanning tool looking for stuff that looks a bit like secrets and catching them before you commit and send them to github repos.
Two reasons we're removing this:
Detect Secrets and Pre-commit hooks do not appear to be widely used by this team, nor integrated into our documentation. If we think there's value in this approach we should look at bringing it back alongside a wider bit of team training, and with a view to our README.md and onboarding.
We can effectively deem this repository as a low risk for secrets leakage, whilst it does have a deployment element and there is always a risk there, most of the changes are content related. Those with access to keys that could be leaked are small in number. Were we to spot any leakage, it's those same folks who could quickly rotate keys. And this is not an application that contains PII. Worst case we can blow it away and redeploy as a static site.
That's not to preclude us looking at a better security threat assessment here, just to say that for now it's not a burning priority here and if we change our mind we should bring it back as part of a fuller implimentation.
Technical writer support
More tooling for around the repo
How to review
Check you understand what's been removed, why, and that you agree.