security/py-detect-secrets: Add py-detect-secrets 1.4.0

detect-secrets is an aptly named module for (surprise, surprise) detecting
secrets within a code base.

However, unlike other similar packages that solely focus on finding secrets,
this package is designed with the enterprise client in mind: providing a
backwards compatible, systematic means of:
 1. Preventing new secrets from entering the code base,
 2. Detecting if such preventions are explicitly bypassed, and
 3. Providing a checklist of secrets to roll, and migrate off to a more secure
    storage.

This way, you create a separation of concern: accepting that there may currently
be secrets hiding in your large repository (this is what we refer to as a
baseline), but preventing this issue from getting any larger, without dealing
with the potentially gargantuan effort of moving existing secrets away.

It does this by running periodic diff outputs against heuristically crafted
regex statements, to identify whether any new secret has been committed. This
way, it avoids the overhead of digging through all git history, as well as the
need to scan the entire repository every time.

4 files changed, 47 insertions, 0 deletions

diff --git a/security/Makefile b/security/Makefile
index d277abd90f4d..a45a92d6d43a 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -883,6 +883,7 @@
     SUBDIR += py-cryptography-vectors
     SUBDIR += py-ctypescrypto
     SUBDIR += py-cybox
+    SUBDIR += py-detect-secrets
     SUBDIR += py-dfdatetime
     SUBDIR += py-dfvfs
     SUBDIR += py-dfwinreg
diff --git a/security/py-detect-secrets/Makefile b/security/py-detect-secrets/Makefile
new file mode 100644
index 000000000000..73cc35efb8e3
--- /dev/null
+++ b/security/py-detect-secrets/Makefile
@@ -0,0 +1,23 @@
+PORTNAME=	detect-secrets
+PORTVERSION=	1.4.0
+CATEGORIES=	security python
+MASTER_SITES=	PYPI
+PKGNAMEPREFIX=	${PYTHON_PKGNAMEPREFIX}
+DISTNAME=	detect_secrets-${PORTVERSION}
+
+MAINTAINER=	sunpoet@FreeBSD.org
+COMMENT=	Tool for detecting secrets in the codebase
+WWW=		https://github.com/Yelp/detect-secrets
+
+LICENSE=	APACHE20
+LICENSE_FILE=	${WRKSRC}/LICENSE
+
+RUN_DEPENDS=	${PYTHON_PKGNAMEPREFIX}yaml>=0:devel/py-yaml@${PY_FLAVOR} \
+		${PYTHON_PKGNAMEPREFIX}requests>=0:www/py-requests@${PY_FLAVOR}
+
+USES=		python:3.7+
+USE_PYTHON=	autoplist concurrent distutils
+
+NO_ARCH=	yes
+
+.include <bsd.port.mk>
diff --git a/security/py-detect-secrets/distinfo b/security/py-detect-secrets/distinfo
new file mode 100644
index 000000000000..bb19926aafda
--- /dev/null
+++ b/security/py-detect-secrets/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1679498504
+SHA256 (detect_secrets-1.4.0.tar.gz) = d56787e339758cef48c9ccd6692f7a094b9963c979c9813580b0169e41132833
+SIZE (detect_secrets-1.4.0.tar.gz) = 94954
diff --git a/security/py-detect-secrets/pkg-descr b/security/py-detect-secrets/pkg-descr
new file mode 100644
index 000000000000..4d4944d57bba
--- /dev/null
+++ b/security/py-detect-secrets/pkg-descr
@@ -0,0 +1,20 @@
+detect-secrets is an aptly named module for (surprise, surprise) detecting
+secrets within a code base.
+
+However, unlike other similar packages that solely focus on finding secrets,
+this package is designed with the enterprise client in mind: providing a
+backwards compatible, systematic means of:
+ 1. Preventing new secrets from entering the code base,
+ 2. Detecting if such preventions are explicitly bypassed, and
+ 3. Providing a checklist of secrets to roll, and migrate off to a more secure
+    storage.
+
+This way, you create a separation of concern: accepting that there may currently
+be secrets hiding in your large repository (this is what we refer to as a
+baseline), but preventing this issue from getting any larger, without dealing
+with the potentially gargantuan effort of moving existing secrets away.
+
+It does this by running periodic diff outputs against heuristically crafted
+regex statements, to identify whether any new secret has been committed. This
+way, it avoids the overhead of digging through all git history, as well as the
+need to scan the entire repository every time.