-
-
Notifications
You must be signed in to change notification settings - Fork 452
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(no-secrets): V2 #4118
base: main
Are you sure you want to change the base?
feat(no-secrets): V2 #4118
Conversation
I'll defer to the other maintainers for their opinions on adding a dependency for this. For the proposed options: We generally try to avoid adding options for the sake of adding options. We need an appropriate amount of demand (from users) and justification to determine the correct granularity and scope of those options.
Personally, I think a dedicated tool is probably going to have better heuristics than we will, at least in the short term. Plus, we don't take commit history into account like some of those tools do (and we shouldn't, that's not what biome is for). I think this rule will at least be good for picking out the most egregious cases, with the added benefit that adding the rule to their existing config is easier than adding a new tool to their chain. We could also consider pointing users to a dedicated tool in the diagnostic message and rule documentation. Gitleaks seems to be the most mature. |
To add to what @dyc3 said, in my opinion Biome likely isn't a right tool to fully replace full repo secret scanning. Biome does not support all the languages which those tools do and need to be a proper security solution, we have stricter perf constraints and so on. Having this rule in Biome does help development velocity, no need to wait for CI, and majority of users who wouldn't think about secrets get a warning for common cases, though we definitely should document about full solutions in case users need those. As for integrations listed: |
No. Turbopack had a whole zig helper library to interop between rust and golang while they were porting the project to rust. Definitely not worth the complexity. |
I agree! There are some features which would make us feature-parity with eslint no-secrets, I've updated the description with a legend to reflect that.
Definitely going to do this!
I can port some code then 🤠 Or maybe ask their team to make a crate/API for reusability.
Yikes. |
We usually add options only when required or requested, and when there are valid use cases to cover. Not sure there's enough value to add yet another dependency for this rule. Sure, it's an important rule, but as the others said, we don't cover all languages. Our documentation could actually propose alternatives to the users. |
I totally agree with others. The rule should find the most obvious secret leaks and avoid false positives because users might get annoyed and turn off the rule (that defeat its purpose). We could add a disclaimer in the rule description saying that and point to relevant tools (as the one you cited) for advanced secret leak detections. |
Tackles #4113 and #3861
Research
Ever since the creation of this biome plugin originally, I've found various other secret scanning solutions:
I've been wondering; Can we consume either one of the above to use in our usecase? Do we really need to add another to the ecosystem?
This I'd like to ask the authors here.
In the meanwhile...
Fixes
New features planned
Legend:
FP = Feature-Parity with eslint no-secrets (features listed here)
I would love to hear strategies on how to achieve this.