#gitops (2021-07)

Discuss continuous delivery of infrastructure Archive: https://archive.sweetops.com/gitops/

2021-07-22

2021-07-21

Mazin Ahmed

Question: How do you use Git pre-hooks for identifying secrets at the organization level? I’m looking for ideas to detect sensitive commits before they’re committed and pushed to GitHub. Any ideas how you would approach this at the org level?

sheldonh

@ Right now I’m just using lefthook and setting up a gitleaks hook to run on pre-commit and pre-push. It’s not perfect. I’ve not centralized anything. You can use plugins in whatever CI tool you use to do more widescale work, but for now it’s a way I’ve taken to get a small step towards quick code checks and pushing folks away from even dev certs and keys in the repos.

Mazin Ahmed

Thank you!

Mohammed Yahya

You need a solid dev workflow runbook; make sure you automate everything with brew or chocolatey. It’s all about setting up developers’ machines. For me, I would move over by offloading all of these checks into CI instead of developers’ machines.

sheldonh

@ for the sake of discussion, I don’t look at this as shifting from dev to CI checks. I’d rather “shift left” by having the same checks on the devs that CI runs. This improves the feedback cycle dramatically.

Brew and choco are for dev machine setup, and yes, the task init I use leverages those for apps needed if required.

Love automation!

Mohammed Yahya

I totally agree with you, been there, found a lot of developers do not care about pre-checks or whatsoever, so you force everything with CI and PR reviews.

sheldonh

@ that’s why I use task init or equivalent in the setup of the project and it self-registers all the hooks and linting tools. Then CI does the exact same thing as manual run.

This means an immediate feedback loop before I even open a PR, having resolved all linting and test failures before it even gets to this point. IMO that quick feedback loop is key to a good trunk-based dev workflow and making PRs less intrusive.
