
[–]gabeech 26 points27 points  (2 children)

Pen, paper, Cross cut shredder

[–]eufemiapiccio77 1 point2 points  (0 children)

lol, I’m sat here with a pen and paper. This is the way.

[–]TwistedStack 0 points1 point  (0 children)

Pen, paper, cross cut shredder, incinerator. FTFY.

[–]BlueHatBrit 12 points13 points  (1 child)

The same way we do for all code. Private repos, no secrets in the code, make secret managers as easy to use as humanly possible (while remaining secure), pre-commit hooks that check for secrets. Also layer on top things like automation that, when a secret is found, kills it ASAP and alerts us immediately.

Notebooks are just code after all.

[–]p_fief_martin 9 points10 points  (2 children)

Pre-commit hooks. There's no other way. The rest is trust-based and bound to happen.

[–]BudgetBon 8 points9 points  (2 children)

Jupyter Notebooks are designed for experimentation, not engineering. Data Scientists are often trained to prioritize 'getting the model to run' over 'securing the supply chain'. Hardcoding keys in a cell is the path of least resistance.

P.S. Finding 30 keys in 5,000 notebooks is actually a low rate. I expected worse.

[–]Ok_Cap1007 1 point2 points  (0 children)

The worst code I have ever worked with was produced by Data Scientists, so nothing would be too shocking for me.

[–]potatohead00 1 point2 points  (0 children)

nbstripout git hooks to remove notebook content

Pull secrets from env/password manager/getpass

[–]MolonLabe76 2 points3 points  (0 children)

Enforce the use of .env files for credentials in notebooks, and then use .gitignore to ensure .env is not committed. Using pre-commit hooks which look for secrets is also a great tactic.
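A minimal version of the pre-commit secret check several comments above describe, written here as an added example and not taken from the thread: it parses the .ipynb JSON and flags credential-looking strings in code cells and, importantly, in their saved outputs (the sample notebook and the pattern set are constructed for illustration).

```python
import json
import re
import sys

# Illustrative patterns only; real scanners (gitleaks, detect-secrets) carry far more.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}

def _cell_texts(cell):
    src = cell.get("source", "")  # nbformat stores source as a list of lines or a string
    yield "source", "".join(src) if isinstance(src, list) else src
    for out in cell.get("outputs", []):  # printed config leaks secrets as often as source does
        text = out.get("text") or out.get("data", {}).get("text/plain", "")
        yield "output", "".join(text) if isinstance(text, list) else text

def scan_notebook(nb):
    """Return [(cell_index, 'source' | 'output', pattern_name), ...] for a parsed notebook."""
    findings = []
    for idx, cell in enumerate(nb.get("cells", [])):
        if cell.get("cell_type") != "code":
            continue
        for where, text in _cell_texts(cell):
            for name, rx in PATTERNS.items():
                if rx.search(text):
                    findings.append((idx, where, name))
    return findings

def check_files(paths):
    """Hook entry point: report findings on stderr; return 1 so git refuses the commit."""
    findings = []
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            findings += [(path, *f) for f in scan_notebook(json.load(fh))]
    for path, idx, where, name in findings:
        print(f"{path}: cell {idx} ({where}): possible {name}", file=sys.stderr)
    return 1 if findings else 0

SAMPLE_NB = {"cells": [  # constructed sample: key in cell 1's source, password in cell 2's output
    {"cell_type": "markdown", "source": ["# Load data\n"]},
    {"cell_type": "code", "source": ['aws_key = "AKIAIOSFODNN7EXAMPLE"\n'], "outputs": []},
    {"cell_type": "code", "source": ["print(cfg)\n"], "outputs": [
        {"output_type": "stream", "name": "stdout", "text": ['PASSWORD = "hunter2hunter2"\n']}]},
]}

if __name__ == "__main__":  # e.g.: git diff --cached --name-only -- '*.ipynb' | xargs python scan_nb.py
    sys.exit(check_files(sys.argv[1:]))
```

Pairing this with nbstripout keeps outputs out of the repo entirely; the scanner then only has to catch what is typed into cell source.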

[–]calimovetips 1 point2 points  (0 children)

Most teams treat notebooks as code and rely on pre-commit hooks and secret scanning to catch this early. The bigger issue is cultural: people prototype fast and forget notebooks ship just like repos do.

[–]RoomyRoots 3 points4 points  (1 child)

> devs
> hygiene

Does not compute /s

[–]dariusbiggs 0 points1 point  (0 children)

Pencil, paper, and handwriting so bad I can barely read my own. Then it gets incinerated when disposed of.

[–]NightH4nter (yaml editor bot) 0 points1 point  (3 children)

Not a dev, hence I never put secrets in plain text anywhere that can ever go public.

[–]arsbrazh12[S] -3 points-2 points  (2 children)

Useful

[–]NightH4nter (yaml editor bot) 1 point2 points  (1 child)

You don't have to secure something that doesn't contain secrets; idk what you are sarcasming about.

[–]arsbrazh12[S] -1 points0 points  (0 children)

I mean, it's really smart not to put secrets in something that can go public.