This repository is a simple example of how to use detect-secrets-docker with Google Cloud Build.
The baseline files are already included in the repository.
Using detect-secrets-docker, push the CI Docker image with the following command (replacing {GCP_PROJECT_ID} with your project ID):
docker push gcr.io/{GCP_PROJECT_ID}/detect-secrets-docker-ci:latest
An example of passed and failed builds:
Cloud Build uses either a Dockerfile or a YAML file. You can use the provided cloudbuild.yaml file as-is, but feel free to amend it as necessary to suit your usage.
Note that the configuration consists of two steps. The first unshallows the repository (Cloud Build fetches a shallow clone of the repository for the build pipeline); the full history is required so that files can be compared when scanning for secrets.
The second step checks for the presence of secrets.
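As an added example, not the repository's own cloudbuild.yaml, this is how the two steps described above fit together. The baseline filename `.secrets.baseline`, the presence of bash and git inside the CI image, and `detect-secrets-hook` as the scan command are assumptions; `$PROJECT_ID` is Cloud Build's built-in substitution.

```yaml
# Example cloudbuild.yaml (added illustration, not the repository's file).
# Assumes the CI image pushed above ships bash, git and the detect-secrets CLI,
# and that the committed baseline is named .secrets.baseline (placeholder name).
steps:
  # Step 1: Cloud Build checks out a shallow clone (depth 1). Fetch the full
  # history so the scan can compare files against earlier revisions and the
  # committed baseline instead of seeing only the current snapshot.
  - name: 'gcr.io/cloud-builders/git'
    id: 'unshallow'
    args: ['fetch', '--unshallow']

  # Step 2: scan every tracked file. detect-secrets-hook exits non-zero when it
  # finds a secret that is not already recorded in the baseline, and a
  # non-zero step exit code fails the Cloud Build run.
  - name: 'gcr.io/$PROJECT_ID/detect-secrets-docker-ci:latest'
    id: 'detect-secrets'
    entrypoint: 'bash'
    args:
      - '-c'
      - |
        set -euo pipefail
        git ls-files -z | xargs -0 detect-secrets-hook --baseline .secrets.baseline
```

The failing step's log names the offending file and line rather than printing the secret value, but treat build logs as sensitive all the same.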
If a secret is found, you'll see something like the following, with a helpful message pointing to the affected lines where the secrets are:
Remove the affected lines of code, or update your baseline files, and your builds should pass!