From d40ab1777029da52b2dcb7d3469a90c6afe6c661 Mon Sep 17 00:00:00 2001 From: Kenneth Kehl Date: Thu, 29 May 2025 11:13:36 -0700 Subject: [PATCH 1/4] Update Makefile Co-authored-by: ccostino --- Makefile | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/Makefile b/Makefile index 138c95e78..2a949c67e 100644 --- a/Makefile +++ b/Makefile @@ -28,10 +28,7 @@ bootstrap: ## Set up everything to run the app .PHONY: bootstrap-with-git-hooks bootstrap-with-git-hooks: ## Sets everything up and accounts for pre-existing git hooks make generate-version-file - rm poetry.lock - poetry lock - poetry install --no-root - poetry sync + poetry sync --no-root git config --global --unset-all core.hooksPath poetry run pre-commit install git config --global core.hookspath "${GIT_HOOKS_PATH}" From 222e258e349689c57ad166338008ed825103db2f Mon Sep 17 00:00:00 2001 From: Kenneth Kehl Date: Thu, 29 May 2025 11:14:00 -0700 Subject: [PATCH 2/4] Update Makefile Co-authored-by: ccostino --- Makefile | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/Makefile b/Makefile index 2a949c67e..5432c8321 100644 --- a/Makefile +++ b/Makefile @@ -16,10 +16,7 @@ GIT_HOOKS_PATH ?= $(shell git config --global core.hooksPath || echo "") .PHONY: bootstrap bootstrap: ## Set up everything to run the app make generate-version-file - rm poetry.lock - poetry lock - poetry install --no-root - poetry sync + poetry sync --no-root poetry run pre-commit install createdb notification_api || true createdb test_notification_api || true From e5484f0723398defc997ecc5b9e59d3f00381d8d Mon Sep 17 00:00:00 2001 From: Kenneth Kehl Date: Thu, 29 May 2025 11:14:29 -0700 Subject: [PATCH 3/4] Update Makefile Co-authored-by: ccostino --- Makefile | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/Makefile b/Makefile index 5432c8321..fcbc47943 100644 --- a/Makefile +++ b/Makefile 
@@ -110,12 +110,8 @@ test: ## Run tests and create coverage report .PHONY: py-lock py-lock: ## Syncs dependencies and updates lock file without performing recursive internal updates - - rm poetry.lock - + poetry sync --no-root poetry lock - poetry install - poetry sync .PHONY: freeze-requirements freeze-requirements: ## Pin all requirements including sub dependencies into requirements.txt From 0a28b33e99186970d30f9e41260a4a12e3d15a33 Mon Sep 17 00:00:00 2001 From: Carlo Costino Date: Fri, 30 May 2025 11:39:07 -0400 Subject: [PATCH 4/4] Add detect-secrets documentation This changeset adds documentation to help our team manage our secrets detection with the detect-secrets pre-commit plugin. Signed-off-by: Carlo Costino --- README.md | 2 ++ docs/all.md | 12 ++++++++++++ 2 files changed, 14 insertions(+) diff --git a/README.md b/README.md index a8a39ebf9..5941600a5 100644 --- a/README.md +++ b/README.md @@ -462,6 +462,8 @@ instructions above for more details. - [Onboarding](./docs/all.md#onboarding) - [Setting up the infrastructure](./docs/all.md#setting-up-the-infrastructure) - [Using the logs](./docs/all.md#using-the-logs) +- [`git` hooks](./docs/all.md#git-hooks) + - [detect-secrets pre-commit plugin](./docs/all.md#detect-secrets-pre-commit-plugin) - [Testing](./docs/all.md#testing) - [CI testing](./docs/all.md#ci-testing) - [Manual testing](./docs/all.md#manual-testing) diff --git a/docs/all.md b/docs/all.md index d828671ab..5963dd684 100644 --- a/docs/all.md +++ b/docs/all.md @@ -7,6 +7,7 @@ - [Setting up the infrastructure](#setting-up-the-infrastructure) - [Using the logs](#using-the-logs) - [`git` hooks](#git-hooks) + - [detect-secrets pre-commit plugin](#detect-secrets-pre-commit-plugin) - [Testing](#testing) - [CI testing](#ci-testing) - [Manual testing](#manual-testing) 
@@ -262,6 +263,17 @@ The configuration is stored in `.pre-commit-config.yaml`. In that config, there We do not maintain any hooks in this repository. +## detect-secrets pre-commit plugin + +One of the pre-commit hooks we use is [`detect-secrets`](https://github.com/Yelp/detect-secrets), which checks for all sorts of things that might be committed accidently that should not be. The project is already set up with a baseline file (`.ds.baseline`) and this should just work out of the box, but occasionally it will flag something new when you try and commit something; or, the file may need a refresh after a while. In either case, to get things back on track and update the `.ds.baseline` file, run these two commands: + +```sh +detect-secrets scan --baseline .ds.baseline +detect-secrets audit .ds.baseline +``` + +The second command will walk you through all of the new detected secrets and ask you to validate if they actually are or if they're false positives. Mark off each one as apppropriate (they should all be false positives - if they're not please stop and check in with the team!), then commit the updates to the `.ds.baseline` file and push them remotely so the project stays up-to-date. + # Testing ```
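Review bot: in the `bootstrap-with-git-hooks` hunk of PATCH 1/4, dropping `rm poetry.lock` and `poetry lock` means bootstrap now installs exactly what the committed `poetry.lock` pins instead of regenerating the lock on every developer's machine, which is the right call for a reproducible, reviewable dependency set; the trade-off is that `poetry sync --no-root` refuses to run when `pyproject.toml` has changed without a lock refresh, so the target's help text or the onboarding docs should tell developers to run `make py-lock` (or `poetry lock`) in that case rather than falling back to deleting the lock file. Also note that `poetry sync` only exists in Poetry 2.x (Poetry 1.x spelled it `poetry install --sync`); the bootstrap instructions should state the minimum Poetry version, or the recipe should check for it, so the failure mode is a clear message instead of an unknown-command error.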
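Review bot: the `bootstrap` hunk in PATCH 2/4 makes the same replacement as PATCH 1/4, so `bootstrap` and `bootstrap-with-git-hooks` now open with an identical `make generate-version-file` / `poetry sync --no-root` prelude; a small shared target that both depend on would keep the two recipes from drifting apart the next time the install command changes (this series already had to touch both). Separately, the unchanged `createdb notification_api || true` and `createdb test_notification_api || true` context lines swallow every failure, including a missing or unreachable Postgres, not only "database already exists"; that predates this patch but is worth a follow-up so a broken bootstrap does not report success.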
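Review bot: the step order in the `py-lock` hunk of PATCH 3/4 looks reversed: `poetry sync --no-root` now runs before `poetry lock`, but the target's stated purpose is to update the lock file after `pyproject.toml` changed, and in exactly that situation `poetry sync` fails because the lock no longer matches `pyproject.toml`, so the `poetry lock` step is never reached. Swap them to `poetry lock` followed by `poetry sync --no-root`. The help text "without performing recursive internal updates" also no longer describes the recipe: that wording matched the old `poetry lock --no-update` form, while in Poetry 2.x a plain `poetry lock` already keeps existing pins and only `--regenerate` does a full re-resolution, so either reword the description or make the intended flag explicit in the recipe.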
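Review bot: two typos in the new `docs/all.md` section in PATCH 4/4: "accidently" should be "accidentally" and "apppropriate" should be "appropriate". More importantly, the two commands assume `detect-secrets` is on the developer's PATH, but pre-commit installs each hook into its own isolated environment, so unless `detect-secrets` is also declared as a dev dependency in `pyproject.toml` the commands as written will not be found; either document `poetry run detect-secrets ...` with that dependency in place, or point at `pre-commit run --all-files` with the hook's id for the scan step. On the security point, the paragraph only says to "stop and check in with the team" when a finding is real; it should state explicitly that a true positive must never be marked as a false positive during `detect-secrets audit`, and that the secret has to be removed from the change (and rotated if it was ever pushed) before the baseline is refreshed and committed, since a baseline that whitelists a real credential silences the hook for every future commit.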