Use ggshield for local secret scanning (#1585)

truera · Oct 25, 2024 · 3545b5f · 3545b5f
1 parent 94e8a15
commit 3545b5f
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 0 deletions.
diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md
@@ -86,6 +86,27 @@ pre-commit install
 
 For more information on pre-commit, see [pre-commit.com](https://pre-commit.com/).
 
+## Install ggshield
+
+TruLens developers use ggshield to scan for secrets locally in addition to gitguardian in CLI. Install and authenticate to ggshield with the following commands:
+
+```bash
+brew install gitguardian/tap/ggshield
+ggshield auth login
+```
+
+Then, ggshield can be run with the following command from trulens root directory to scan the full repository:
+
+```bash
+ggshield secret scan repo ./
+```
+
+It can also be run with smaller scope, such as only for docs with the following as included in `make docs-upload`
+
+```bash
+ggshield secret scan repo ./docs/
+```
+
 ## Helpful commands
 
 ### Formatting

diff --git a/Makefile b/Makefile
@@ -110,6 +110,7 @@ docs-serve-dirty: env-docs
 	poetry run mkdocs serve --dirty -a 127.0.0.1:8000
 
 docs-upload: env-docs $(shell find docs -type f) mkdocs.yml
+	poetry run ggshield secret scan repo ./docs
 	poetry run mkdocs gh-deploy
 
 # Check that links in the documentation are valid. Requires the lychee tool.