From 3545b5f5b8f45c216c972f5a3d061427948d70ff Mon Sep 17 00:00:00 2001 From: Josh Reini Date: Thu, 24 Oct 2024 23:11:33 -0400 Subject: [PATCH] Use ggshield for local secret scanning (#1585) --- DEVELOPMENT.md | 21 +++++++++++++++++++++ Makefile | 1 + 2 files changed, 22 insertions(+) diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md index c08b3a52e..3e21f5e73 100644 --- a/DEVELOPMENT.md +++ b/DEVELOPMENT.md @@ -86,6 +86,27 @@ pre-commit install For more information on pre-commit, see [pre-commit.com](https://pre-commit.com/). +## Install ggshield + +TruLens developers use ggshield to scan for secrets locally in addition to gitguardian in CLI. Install and authenticate to ggshield with the following commands: + +```bash +brew install gitguardian/tap/ggshield +ggshield auth login +``` + +Then, ggshield can be run with the following command from trulens root directory to scan the full repository: + +```bash +ggshield secret scan repo ./ +``` + +It can also be run with smaller scope, such as only for docs with the following as included in `make docs-upload` + +```bash +ggshield secret scan repo ./docs/ +``` + ## Helpful commands ### Formatting diff --git a/Makefile b/Makefile index d14de0720..40a898f26 100644 --- a/Makefile +++ b/Makefile @@ -110,6 +110,7 @@ docs-serve-dirty: env-docs poetry run mkdocs serve --dirty -a 127.0.0.1:8000 docs-upload: env-docs $(shell find docs -type f) mkdocs.yml + poetry run ggshield secret scan repo ./docs poetry run mkdocs gh-deploy # Check that links in the documentation are valid. Requires the lychee tool.
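Review bot: In the DEVELOPMENT.md hunk, the scoped example `ggshield secret scan repo ./docs/` uses the `repo` subcommand on a subdirectory, while the text presents it as scanning "only for docs". Please confirm that `repo` really limits the scan to that directory and does not walk the commit history of the enclosing repository. If the intent is to scan the files under docs, `ggshield secret scan path -r ./docs` states that directly. Two smaller points in the same section: "in addition to gitguardian in CLI" reads like it should say CI, since ggshield is itself the CLI, and the install step is Homebrew-only, so contributors on Linux or Windows have no documented route (ggshield is also published on PyPI). It would also help to say what a developer should do when the scan reports a finding, such as rotating the credential, not only removing it from the working tree.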
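Review bot: In the Makefile hunk, the new `poetry run ggshield secret scan repo ./docs` line makes `docs-upload` depend on a tool that nothing in this patch adds to the project environment. DEVELOPMENT.md installs it through brew and requires `ggshield auth login`, so the target will fail for anyone who has not installed and authenticated it, and in any non-interactive run without credentials. Either declare ggshield as a dev dependency so `poetry run` resolves it, or add a short check with a clear error message before the scan. Placing the scan before `poetry run mkdocs gh-deploy` is the right order, since a non-zero exit stops the deploy. Note that the target also lists `mkdocs.yml` as a prerequisite and that file is outside `./docs`, so it is not covered by this scan.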