Merge pull request #645 from langflow-ai/secret-detection

Add Secret detection

.pre-commit-config.yaml

@@ -0,0 +1,7 @@
+repos:
+  - repo: https://github.com/Yelp/detect-secrets
+    rev: v1.5.0
+    hooks:
+      - id: detect-secrets
+        args: ["--baseline", ".secrets.baseline", "--exclude-lines", "code_hash"]
+

.secrets.baseline

@@ -0,0 +1,180 @@
+{
+  "version": "1.5.0",
+  "plugins_used": [
+    {
+      "name": "ArtifactoryDetector"
+    },
+    {
+      "name": "AWSKeyDetector"
+    },
+    {
+      "name": "AzureStorageKeyDetector"
+    },
+    {
+      "name": "Base64HighEntropyString",
+      "limit": 4.5
+    },
+    {
+      "name": "BasicAuthDetector"
+    },
+    {
+      "name": "CloudantDetector"
+    },
+    {
+      "name": "DiscordBotTokenDetector"
+    },
+    {
+      "name": "GitHubTokenDetector"
+    },
+    {
+      "name": "GitLabTokenDetector"
+    },
+    {
+      "name": "HexHighEntropyString",
+      "limit": 3.0
+    },
+    {
+      "name": "IbmCloudIamDetector"
+    },
+    {
+      "name": "IbmCosHmacDetector"
+    },
+    {
+      "name": "IPPublicDetector"
+    },
+    {
+      "name": "JwtTokenDetector"
+    },
+    {
+      "name": "KeywordDetector",
+      "keyword_exclude": ""
+    },
+    {
+      "name": "MailchimpDetector"
+    },
+    {
+      "name": "NpmDetector"
+    },
+    {
+      "name": "OpenAIDetector"
+    },
+    {
+      "name": "PrivateKeyDetector"
+    },
+    {
+      "name": "PypiTokenDetector"
+    },
+    {
+      "name": "SendGridDetector"
+    },
+    {
+      "name": "SlackDetector"
+    },
+    {
+      "name": "SoftlayerDetector"
+    },
+    {
+      "name": "SquareOAuthDetector"
+    },
+    {
+      "name": "StripeDetector"
+    },
+    {
+      "name": "TelegramBotTokenDetector"
+    },
+    {
+      "name": "TwilioKeyDetector"
+    }
+  ],
+  "filters_used": [
+    {
+      "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
+    },
+    {
+      "path": "detect_secrets.filters.common.is_baseline_file",
+      "filename": ".secrets.baseline"
+    },
+    {
+      "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
+      "min_level": 2
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_indirect_reference"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_likely_id_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_lock_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_potential_uuid"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_sequential_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_swagger_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_templated_secret"
+    },
+    {
+      "path": "detect_secrets.filters.regex.should_exclude_file",
+      "pattern": [
+        "flows/.*\\.json$"
+      ]
+    },
+    {
+      "path": "detect_secrets.filters.regex.should_exclude_line",
+      "pattern": [
+        "code_hash"
+      ]
+    }
+  ],
+  "results": {
+    "docs/docs/_partial-integrate-chat.mdx": [
+      {
+        "type": "Secret Keyword",
+        "filename": "docs/docs/_partial-integrate-chat.mdx",
+        "hashed_secret": "e42fd8b9ad15d8fa5f4718cad7cf19b522807996",
+        "is_verified": false,
+        "line_number": 30
+      }
+    ],
+    "src/main.py": [
+      {
+        "type": "Base64 High Entropy String",
+        "filename": "src/main.py",
+        "hashed_secret": "131a83e9ef8660d7dd0771da7ce5954d9ea801ee",
+        "is_verified": false,
+        "line_number": 404
+      }
+    ],
+    "src/models/processors.py": [
+      {
+        "type": "Base64 High Entropy String",
+        "filename": "src/models/processors.py",
+        "hashed_secret": "131a83e9ef8660d7dd0771da7ce5954d9ea801ee",
+        "is_verified": false,
+        "line_number": 763
+      }
+    ],
+    "src/services/langflow_file_service.py": [
+      {
+        "type": "Base64 High Entropy String",
+        "filename": "src/services/langflow_file_service.py",
+        "hashed_secret": "131a83e9ef8660d7dd0771da7ce5954d9ea801ee",
+        "is_verified": false,
+        "line_number": 97
+      }
+    ]
+  },
+  "generated_at": "2025-12-09T20:33:13Z"
+}

src/connectors/onedrive/connector.py

@@ -15,7 +15,7 @@ class OneDriveConnector(BaseConnector):
 
     # Required BaseConnector class attributes
     CLIENT_ID_ENV_VAR = "MICROSOFT_GRAPH_OAUTH_CLIENT_ID"
-    CLIENT_SECRET_ENV_VAR = "MICROSOFT_GRAPH_OAUTH_CLIENT_SECRET"
+    CLIENT_SECRET_ENV_VAR = "MICROSOFT_GRAPH_OAUTH_CLIENT_SECRET"  # pragma: allowlist secret
 
     # Connector metadata
     CONNECTOR_NAME = "OneDrive"

src/connectors/sharepoint/connector.py

@@ -16,7 +16,7 @@ class SharePointConnector(BaseConnector):
 
     # Required BaseConnector class attributes
     CLIENT_ID_ENV_VAR = "MICROSOFT_GRAPH_OAUTH_CLIENT_ID"
-    CLIENT_SECRET_ENV_VAR = "MICROSOFT_GRAPH_OAUTH_CLIENT_SECRET"
+    CLIENT_SECRET_ENV_VAR = "MICROSOFT_GRAPH_OAUTH_CLIENT_SECRET"  # pragma: allowlist secret
     
     # Connector metadata
     CONNECTOR_NAME = "SharePoint"

src/tui/managers/env_manager.py

@@ -123,28 +123,29 @@ class EnvManager:
         import os
         
         # Map env vars to config attributes
-        attr_map = {
-            "OPENAI_API_KEY": "openai_api_key",
-            "ANTHROPIC_API_KEY": "anthropic_api_key",
+        # These are environment variable names, not actual secrets
+        attr_map = {  # pragma: allowlist secret
+            "OPENAI_API_KEY": "openai_api_key",  # pragma: allowlist secret
+            "ANTHROPIC_API_KEY": "anthropic_api_key",  # pragma: allowlist secret
             "OLLAMA_ENDPOINT": "ollama_endpoint",
-            "WATSONX_API_KEY": "watsonx_api_key",
+            "WATSONX_API_KEY": "watsonx_api_key",  # pragma: allowlist secret
             "WATSONX_ENDPOINT": "watsonx_endpoint",
             "WATSONX_PROJECT_ID": "watsonx_project_id",
-            "OPENSEARCH_PASSWORD": "opensearch_password",
-            "LANGFLOW_SECRET_KEY": "langflow_secret_key",
+            "OPENSEARCH_PASSWORD": "opensearch_password",  # pragma: allowlist secret
+            "LANGFLOW_SECRET_KEY": "langflow_secret_key",  # pragma: allowlist secret
             "LANGFLOW_SUPERUSER": "langflow_superuser",
-            "LANGFLOW_SUPERUSER_PASSWORD": "langflow_superuser_password",
+            "LANGFLOW_SUPERUSER_PASSWORD": "langflow_superuser_password",  # pragma: allowlist secret
             "LANGFLOW_CHAT_FLOW_ID": "langflow_chat_flow_id",
             "LANGFLOW_INGEST_FLOW_ID": "langflow_ingest_flow_id",
             "LANGFLOW_URL_INGEST_FLOW_ID": "langflow_url_ingest_flow_id",
             "NUDGES_FLOW_ID": "nudges_flow_id",
             "GOOGLE_OAUTH_CLIENT_ID": "google_oauth_client_id",
-            "GOOGLE_OAUTH_CLIENT_SECRET": "google_oauth_client_secret",
+            "GOOGLE_OAUTH_CLIENT_SECRET": "google_oauth_client_secret",  # pragma: allowlist secret
             "MICROSOFT_GRAPH_OAUTH_CLIENT_ID": "microsoft_graph_oauth_client_id",
-            "MICROSOFT_GRAPH_OAUTH_CLIENT_SECRET": "microsoft_graph_oauth_client_secret",
+            "MICROSOFT_GRAPH_OAUTH_CLIENT_SECRET": "microsoft_graph_oauth_client_secret",  # pragma: allowlist secret
             "WEBHOOK_BASE_URL": "webhook_base_url",
             "AWS_ACCESS_KEY_ID": "aws_access_key_id",
-            "AWS_SECRET_ACCESS_KEY": "aws_secret_access_key",
+            "AWS_SECRET_ACCESS_KEY": "aws_secret_access_key",  # pragma: allowlist secret
             "LANGFLOW_PUBLIC_URL": "langflow_public_url",
             "OPENRAG_DOCUMENTS_PATHS": "openrag_documents_paths",
             "OPENSEARCH_DATA_PATH": "opensearch_data_path",