From be6df5843465b3e5404bca3c8903e8ce00ad0c6a Mon Sep 17 00:00:00 2001 From: mschwoerer <82171591+mschwoer@users.noreply.github.com> Date: Thu, 12 Sep 2024 16:20:30 +0200 Subject: [PATCH 1/2] add detect-secrets --- .pre-commit-config.yaml | 7 ++ .secrets.baseline | 164 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 171 insertions(+) create mode 100644 .secrets.baseline diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 60d64761..28222ea9 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -12,3 +12,10 @@ repos: hooks: - id: ruff-format # - id: ruff +- repo: https://github.com/Yelp/detect-secrets + rev: v1.5.0 + hooks: + - id: detect-secrets + # exclude-lines are to avoid false positives in notebooks + args: ['--baseline', '.secrets.baseline', '--exclude-lines', '"(hash|id|image/\w+)":.*' ] + exclude: testfiles diff --git a/.secrets.baseline b/.secrets.baseline new file mode 100644 index 00000000..854fbfdf --- /dev/null +++ b/.secrets.baseline 
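Review bot: The `--exclude-lines` pattern `"(hash|id|image/\w+)":.*` in the new `args` is applied to every file the hook scans, not only to notebooks as the comment above it suggests, and because it is unanchored and ends in `.*` it silences any line that merely contains a key named `hash` or `id` — a line such as `"id": 1, "api_key": "..."` in a JSON or Python file would never be inspected. Consider anchoring it so only a lone key/value line is skipped, e.g. `'^\s*"(hash|id|image/\w+)":\s*"[^"]*",?\s*$'`, or restrict the filtered hook to notebooks with `files: \.ipynb$` and run a second, unfiltered `detect-secrets` hook entry for everything else. Two smaller points: `exclude: testfiles` is a regex that pre-commit, as far as I recall, applies with a search rather than a full match, so it also skips any path containing that substring (`mytestfiles_loader.py`); `exclude: ^testfiles/` is safer. Finally `rev: v1.5.0` is a mutable tag — if you want the scanner itself protected against tag re-pointing, pre-commit accepts the tag's full commit SHA in `rev`.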
@@ -0,0 +1,164 @@ +{ + "version": "1.5.0", + "plugins_used": [ + { + "name": "ArtifactoryDetector" + }, + { + "name": "AWSKeyDetector" + }, + { + "name": "AzureStorageKeyDetector" + }, + { + "name": "Base64HighEntropyString", + "limit": 4.5 + }, + { + "name": "BasicAuthDetector" + }, + { + "name": "CloudantDetector" + }, + { + "name": "DiscordBotTokenDetector" + }, + { + "name": "GitHubTokenDetector" + }, + { + "name": "GitLabTokenDetector" + }, + { + "name": "HexHighEntropyString", + "limit": 3.0 + }, + { + "name": "IbmCloudIamDetector" + }, + { + "name": "IbmCosHmacDetector" + }, + { + "name": "IPPublicDetector" + }, + { + "name": "JwtTokenDetector" + }, + { + "name": "KeywordDetector", + "keyword_exclude": "" + }, + { + "name": "MailchimpDetector" + }, + { + "name": "NpmDetector" + }, + { + "name": "OpenAIDetector" + }, + { + "name": "PrivateKeyDetector" + }, + { + "name": "PypiTokenDetector" + }, + { + "name": "SendGridDetector" + }, + { + "name": "SlackDetector" + }, + { + "name": "SoftlayerDetector" + }, + { + "name": "SquareOAuthDetector" + }, + { + "name": "StripeDetector" + }, + { + "name": "TelegramBotTokenDetector" + }, + { + "name": "TwilioKeyDetector" + } + ], + "filters_used": [ + { + "path": "detect_secrets.filters.allowlist.is_line_allowlisted" + }, + { + "path": "detect_secrets.filters.common.is_baseline_file", + "filename": ".secrets.baseline" + }, + { + "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", + "min_level": 2 + }, + { + "path": "detect_secrets.filters.heuristic.is_indirect_reference" + }, + { + "path": "detect_secrets.filters.heuristic.is_likely_id_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_lock_file" + }, + { + "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_potential_uuid" + }, + { + "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign" + }, + { + "path": 
"detect_secrets.filters.heuristic.is_sequential_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_swagger_file" + }, + { + "path": "detect_secrets.filters.heuristic.is_templated_secret" + }, + { + "path": "detect_secrets.filters.regex.should_exclude_file", + "pattern": [ + "testfiles" + ] + }, + { + "path": "detect_secrets.filters.regex.should_exclude_line", + "pattern": [ + "\"(hash|id|image/\\w+)\":.*" + ] + } + ], + "results": { + "alphastats/gui/utils/ollama_utils.py": [ + { + "type": "Secret Keyword", + "filename": "alphastats/gui/utils/ollama_utils.py", + "hashed_secret": "8ed4322e8e2790b8c928d381ce8d07cfd966e909", + "is_verified": false, + "line_number": 68, + "is_secret": false + } + ], + "docs/workflow_mq.html": [ + { + "type": "Base64 High Entropy String", + "filename": "docs/workflow_mq.html", + "hashed_secret": "a5b0e1471957df2229fa14577e981cf10a0e8f28", + "is_verified": false, + "line_number": 19, + "is_secret": false + } + ] + }, + "generated_at": "2024-09-12T14:19:09Z" +} From 68098160d8a371a502ab60fadcfeb41c1d8d60e1 Mon Sep 17 00:00:00 2001 From: mschwoerer <82171591+mschwoer@users.noreply.github.com> Date: Thu, 12 Sep 2024 16:20:41 +0200 Subject: [PATCH 2/2] add secrets.toml to gitignore --- .gitignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.gitignore b/.gitignore index 544c5e5d..afd7be54 100644 --- a/.gitignore +++ b/.gitignore @@ -15,3 +15,5 @@ build_pyinstaller .vscode **/.ipynb_checkpoints + +**/*secrets.toml
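Review bot: Both entries under `results` are committed with `"is_verified": false` together with `"is_secret": false`, which permanently suppresses them, but nothing in the patch shows that a `detect-secrets audit .secrets.baseline` pass established that `alphastats/gui/utils/ollama_utils.py` line 68 (a `Secret Keyword` hit) is a placeholder rather than a credential. If it is a placeholder that is fine; if it were a real value, `hashed_secret` is, as far as I recall, only an unsalted SHA-1 of the plaintext, so the committed baseline would not protect a low-entropy secret and the value should be rotated instead of allowlisted. The baseline also duplicates the `testfiles` and `"(hash|id|image/\\w+)":.*` exclusions from the hook's `args`; when either is changed in `.pre-commit-config.yaml`, regenerate the baseline with the same flags (`detect-secrets scan --baseline .secrets.baseline ...`) so `filters_used` does not drift from what the hook actually applies.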
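Review bot: A `.gitignore` entry only affects files that are not yet tracked, so if a `secrets.toml` is already in the index (the `alphastats/gui` paths suggest a Streamlit `.streamlit/secrets.toml`, though that is inferred) this line will neither remove it nor stop further commits to it; run `git ls-files '*secrets.toml'` once and, if anything is listed, `git rm --cached` it and treat its contents as exposed. Stylistically the `**/` prefix is redundant — a pattern containing no slash already matches at any depth — so `*secrets.toml` is equivalent. `git add -f` still bypasses the ignore, which is the gap the `detect-secrets` hook added in the first patch is meant to close, so the two changes should land together.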