StepSecurity's Orchestration platform serves as your GitHub repository's gatekeeper, identifying missing security tools and suggesting CI/CD Security best practices tailored to your project's needs. And the best part - we facilitate this through a pull request.
We are thrilled to announce a new addition to our catalog of security best practices – pre-commit hooks for secret scanning and linting.
A pre-commit hook runs before the code has been pushed, which means before the CI pipeline runs. Catching linting issues before the CI pipeline helps save time and reduces the feedback loop. From a security perspective running a secret scanner as a pre-commit hook is invaluable. This is because the cost of dealing with a secret that has been pushed to a repository is much higher than if it is caught pre-commit.
Our platform analyzes your repository and, based on the languages used, suggests a set of linters and a secret scanning tool to be added as pre-commit hooks. We leverage the popular pre-commit framework to enable these hooks. If your repository does not already have a pre-commit configuration file, our platform recommends adding it via a pull request. If you already have the pre-commit configuration file, we suggest updates to it based on missing linters/ secret scanning tool.
As of now, we orchestrate popular linters and the open-source secret scanner gitleaks in the pre-commit hook, and in the future, we will give more options to users, both for the secret scanner and the linters.
We released this feature a few days back and it has already been added via pull requests to a few repositories and the feedback has been great so far. Here is a PR in a Kubernetes repository that added gitleaks and other linters as pre-commit hooks. Check out this comment about getting a pre-commit hook configuration as part of StepSecurity’s pull request.
To try out the new feature on a public repository, head over to https://app.stepsecurity.io/securerepo and if you want to consistently orchestrate secret scanners and linters as pre-commit hooks in your enterprise repositories, reach out to us via our contact form.