Rule manipulation

August 29, 2018 ยท View on GitHub

Providing your own rules

You can simply call secret-shield with --config path/to/rules.json to load rules from your own configuration file instead of the default one.

You can learn how to write your own rules here.

Changing the default rules

The default rules governing the search are located in config/defaultRules and are, by default, minimal. You can change the ruleset and that will change the default rules used by secret-shield, including the pre-commit hook rules.

Note: config/defaultRules must correctly resolve to a rule file in config/rules/, and must be a single line only. For example, to select a minimal ruleset, the entire file config/defaultRules will be (with no empty line):

minimal

Alternate ruleset

Some alternate rulesets are provided and can be used with the <--config|-C> <ruleset>.

rulesetdescription
minimal (default)a minimal set of rules that has virtually no false positives.
deepa ruleset that gives some false positives but finds more secrets.
verydeepprovides additional rules that can be noisy (many false positives) but searches even more deeply.

You can add your own rulesets to ./config/rules/ and then you can call them directly without having to specify the path to the rule JSON. For example, --config deep will automatically load the deep.json file.

Enabling and disabling rules on the fly

When manually searching, you can call secret-shield with --enable [rules] or --disable [rules] (alternatively -y and -n) to temporarily enable or disable those rules (if they're already defined in the configuration file). For example:

secret-shield --disable "High-entropy string" "AWS Client ID" --enable "Don't commit message" --repo myrepository

If these options are not given, the rules are left at their default state (usually enabled, but there's the occasional rule that's disabled by default).