
Pre-commit experiment to detect secrets leakage before a PR is made.#940

Draft
phad wants to merge 2 commits into main from phad/precommit-experiment

Conversation

@phad
Contributor

@phad phad commented Dec 5, 2025

Jira Ticket

DCMAW-XXXXX

Description of changes

Added:

  • .pre-commit-config.yaml - this configures pre-commit with the set of
    detections we want to perform when adding a new commit
  • .secrets.baseline - this configures the Yelp secrets detector

Review guidance

Review checklist

Functional Review

  • Functionality: Does it meet the acceptance criteria on the ticket and work as expected?
  • Requirements: Does the code meet functional and non-functional requirements including compliance with programme standards and security gates?

Security & Compliance

  • Personally Identifiable Information: Is it possible for PII to be logged?
  • Security Considerations: Are there any security implications that need to be addressed?

Quality Assurance

  • Testing: Is the code well-tested with sufficient coverage to provide confidence in correctness?
  • Edge Cases: Have edge cases been considered and handled appropriately?

Code Quality

  • Readability: Is the code easy to understand for all team members, with clear naming and appropriate documentation?
  • Maintainability: Is the code easy to change, reuse, and extend?
  • Code Style: Does it follow our coding conventions and best practices?
  • Code Quality: Is the code maintainable and following best practices? See Values, Principles & Practices

Observability & Operations

  • Observability: Are there appropriate logs/metrics that would help debug and monitor the service?
  • Performance: Are there any performance considerations or potential bottlenecks?
  • Runbooks for Alarms: If an alarm has been created or updated, has a corresponding runbook been created or updated?

Documentation

  • Documentation: Is the code well documented? Is there any existing documentation that needs updating?
  • Comments: Are complex sections of code adequately commented if the intent is not clear?

Review PR:

  • Title: Contains ticket number and clear summary of change
  • Description: Has clear description of change

Evidence

When a commit is attempted with a fake GitHub token, git commit causes the hook to run, and we see:

➜ git commit -m "whitespace fix"
detect private key.......................................................Passed
Detect secrets...........................................................Failed
- hook id: detect-secrets
- exit code: 1

ERROR: Potential secrets about to be committed to git repo!

Secret Type: GitHub Token
Location:    README.md:6

Possible mitigations:
  - For information about putting your secrets in a safer place, please ask in
    #security
  - Mark false positives with an inline `pragma: allowlist secret`
    comment

If a secret has already been committed, visit
https://help.github.com/articles/removing-sensitive-data-from-a-repository

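To make the behaviour shown in the evidence above concrete, here is an added example (not code from this PR, from Yelp/detect-secrets or from pre-commit-hooks) that models what the two hooks do on staged content: match a GitHub token pattern and a PEM private-key header, skip lines carrying the inline `pragma: allowlist secret` comment, drop findings already recorded in a baseline keyed by the SHA-1 of the secret, and return exit code 1 with a report in the same shape as the hook output. The regexes and the SHA-1 keying are modelled on those tools; the baseline layout, the helper names and all sample input are constructed for the demo.

```python
"""Minimal model of what the two hooks in the PR do on staged content.

Added example, not code from this PR or from Yelp/detect-secrets or
pre-commit-hooks. The regexes, the `pragma: allowlist secret` handling and
the SHA-1 baseline keying are modelled on those tools; the baseline layout
and all sample input below are constructed for the demo.
"""
import hashlib
import re
from dataclasses import dataclass

# Modelled on detect-secrets' GitHub token pattern: prefix plus 36 chars.
GITHUB_TOKEN = re.compile(r"(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9_]{36}")
# PEM-style private key header, a subset of what detect-private-key checks.
PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z0-9 ]*PRIVATE KEY[A-Z ]*-----")
ALLOWLIST_PRAGMA = "pragma: allowlist secret"


@dataclass(frozen=True)
class Finding:
    secret_type: str
    path: str
    line: int
    hashed_secret: str


def hash_secret(secret: str) -> str:
    """detect-secrets records SHA-1 of the raw secret, never the secret itself."""
    return hashlib.sha1(secret.encode()).hexdigest()


def scan_file(path: str, text: str) -> list:
    """Return every match in `text`; lines carrying the pragma are skipped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOWLIST_PRAGMA in line:
            continue
        for secret_type, pattern in (("GitHub Token", GITHUB_TOKEN),
                                     ("Private Key", PRIVATE_KEY)):
            for match in pattern.finditer(line):
                findings.append(Finding(secret_type, path, lineno,
                                        hash_secret(match.group(0))))
    return findings


def scan(files: dict, baseline: dict) -> list:
    """Report only findings not already recorded in the baseline.

    files:    {path: file contents}  (would be the staged files in git)
    baseline: {path: {hashed_secret, ...}}  simplified .secrets.baseline
    """
    new = []
    for path, text in files.items():
        known = baseline.get(path, set())
        new.extend(f for f in scan_file(path, text) if f.hashed_secret not in known)
    return new


def report(findings: list):
    """Exit code and message in the shape of the hook output above."""
    if not findings:
        return 0, "Detect secrets...Passed"
    lines = ["ERROR: Potential secrets about to be committed to git repo!", ""]
    for f in findings:
        lines += [f"Secret Type: {f.secret_type}", f"Location:    {f.path}:{f.line}", ""]
    return 1, "\n".join(lines)


# Constructed sample input. The token is a placeholder with the right shape,
# not a real credential; the key body is not real key material.
FAKE_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
SAMPLE_FILES = {
    "README.md": "\n".join([
        "# Demo",
        "",
        "Set the token in your shell before running the scripts:",
        "",
        "    export GH_USER=phad",
        "    export GITHUB_TOKEN=" + FAKE_TOKEN,            # line 6, as in the PR
        "",
        "DOCS_EXAMPLE=ghp_" + "x" * 36 + "  # pragma: allowlist secret",
    ]),
    "deploy/key.pem": "-----BEGIN RSA PRIVATE KEY-----\nNOTREALKEYMATERIAL\n"
                      "-----END RSA PRIVATE KEY-----\n",
    "tests/fixtures.py": "FAKE_TOKEN = 'ghp_" + "f" * 36 + "'\n",
}
# A baseline that already allowlists the fixture token (hash only).
SAMPLE_BASELINE = {"tests/fixtures.py": {hash_secret("ghp_" + "f" * 36)}}


def run_demo():
    findings = scan(SAMPLE_FILES, SAMPLE_BASELINE)
    code, message = report(findings)
    return code, findings, message


if __name__ == "__main__":
    exit_code, _, message = run_demo()
    print(message)
    raise SystemExit(exit_code)
```

Running the demo reports the README token at line 6 and the PEM header, while the pragma-marked line and the baselined fixture token are silent, which is the behaviour to expect from the real hooks once `.secrets.baseline` is generated with `detect-secrets scan > .secrets.baseline` and the hook is wired in with `pre-commit install`. One caveat worth stating in the PR: pre-commit hooks run on the developer's machine and are skipped by `git commit --no-verify`, so the same scan should also run server-side in CI to be a real gate rather than a convenience.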

@phad phad force-pushed the phad/precommit-experiment branch from 8f27a2f to 718b408 on December 5, 2025 17:20
@phad phad force-pushed the phad/precommit-experiment branch from 718b408 to 97e8186 on December 5, 2025 17:20