From 41ec7e6d91b5078bdab6f3dd6781ab4b182877d3 Mon Sep 17 00:00:00 2001 From: ildesenesence <31672538+ildesenesence@users.noreply.github.com> Date: Fri, 20 Sep 2024 14:24:46 -0500 Subject: [PATCH] PLT-639: Adding gitleaks MBI scanning & updating gitleaks pre-commit version (#185) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## 🎫 Ticket https://jira.cms.gov/browse/PLT-639 ## 🛠 Changes Gitleaks custom config extension was added (.gitleaks.toml) allowing for a regex-based MBI filter to be run against new commits, and the gitleaks pre-commit version was updated to 8.19.x which doesn't affect us at this time. ## ℹ️ Context Bulk API Platform Team has an ongoing goal of improving security and safeguarding PHI/PII for our members, to that end we are applying a belt-and-suspenders approach to preventing leakage of data (such as Medicare Beneficiary Identifiers) in github. ## Validation These changes were tested locally and automatically as they make modifications to the pre-commit functionality, and were initially tested and validated against a pregenerated file with MBI data in PLT-532. --- .github/workflows/ci-workflow.yml | 4 ++-- .gitleaks.toml | 9 +++++++++ .pre-commit-config.yaml | 4 ++-- 3 files changed, 13 insertions(+), 4 deletions(-) create mode 100644 .gitleaks.toml diff --git a/.github/workflows/ci-workflow.yml b/.github/workflows/ci-workflow.yml index e924c4a2..47884258 100644 --- a/.github/workflows/ci-workflow.yml +++ b/.github/workflows/ci-workflow.yml @@ -32,7 +32,7 @@ jobs: run: | make test - name: Archive code coverage results - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v3 with: name: code-coverage-report path: ./test_results/latest/testcoverage.out @@ -46,7 +46,7 @@ jobs: ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: "true" steps: - name: Download code coverage - uses: actions/download-artifact@v2 + uses: actions/download-artifact@v3 with: name: code-coverage-report - name: Set env vars from AWS params diff --git a/.gitleaks.toml b/.gitleaks.toml new file mode 100644 index 00000000..5cbcbcf6 --- /dev/null +++ b/.gitleaks.toml @@ -0,0 +1,9 @@ +title = "DASG Standard" + +[extend] + useDefault = true + +[[rules]] + id = "mbi-detection" + description = "Detects a potential MBI pattern based on https://www.cms.gov/medicare/new-medicare-card/understanding-the-mbi.pdf" + regex = '''\b((?i)[1-9][ACDEFGHJKMNPQRTUVWXY][ACDEFGHJKMNPQRTUVWXY\d]-?\d[ACDEFGHJKMNPQRTUVWXY][ACDEFGHJKMNPQRTUVWXY\d]\d-?[ACDEFGHJKMNPQRTUVWXY]{2}\d{2})\b''' diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 443fe20f..1d3562ae 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,10 +1,10 @@ repos: - repo: https://github.com/gitleaks/gitleaks - rev: v8.16.1 + rev: v8.19.2 hooks: - id: gitleaks - repo: https://github.com/tekwizely/pre-commit-golang - rev: master + rev: v1.0.0-rc.1 hooks: - id: go-imports args: ['-w']