NASA-AMMOS/slim#89: Functional GitHub Actions-based secrets detection…

…. ...
NASA-AMMOS · Mar 15, 2024 · ff17105 · ff17105
1 parent 82f07b9
commit ff17105
Show file tree

Hide file tree

Showing 3 changed files with 113 additions and 0 deletions.
diff --git a/.github/workflows/secrets-detection.yml b/.github/workflows/secrets-detection.yml
@@ -0,0 +1,97 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to exclude files from analyses. (See "Scan" 
+# configuration block below.)
+#
+# For more information, see:
+#     https://nasa-ammos.github.io/slim/docs/guides/software-lifecycle/security/secrets-detection
+#
+# ******** NOTE ********
+# Detect Secrets will compare known values from the ".secrets.baseline" file 
+# located in the root of the repository. Should any false detections occur, 
+# this file should be committed locally with an exception added to .gitignore 
+# to prevent inadvertent modification or overwrite. 
+#
+name: "Secret Detection"
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [develop]
+
+jobs:
+  secret-detection:
+    name: Secret-Detection
+    runs-on: ubuntu-latest
+    permissions:
+      actions: write
+      contents: read
+      security-events: write
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    - name: Upgrade tooling
+      run: |
+        python3 -m pip install --upgrade pip
+        pip install --upgrade git+https://github.com/NASA-AMMOS/slim-detect-secrets.git@exp
+        pip install --upgrade jq
+    - name: Create baseline config
+      run: |
+        if [ ! -f .secrets.baseline ] ; 
+        then
+            # This generated baseline file will only be temporarily available on the GitHub side and will not appear in the user's local files.
+            # Scanning an empty folder to generate an initial .secrets.baseline without secrets in the results.
+            echo "⚠️ No existing .secrets.baseline file detected. Creating a new blank baseline file."
+            mkdir empty-dir
+            detect-secrets scan empty-dir > .secrets.baseline
+            echo "✅ Blank .secrets.baseline file created successfully."
+            rm -r empty-dir
+        else
+            echo "✅ Existing .secrets.baseline file detected. No new baseline file will be created."
+        fi
+    - name: Scan
+      run: |
+        # scripts scan repository for new secrets
+        # backup list of known secrets
+        cp -pr .secrets.baseline .secrets.new
+        # find secrets in the repository
+        detect-secrets scan --disable-plugin AbsolutePathDetectorExperimental --baseline .secrets.new \
+            --exclude-files '\.secrets..*' \
+            --exclude-files '\.git.*' \
+            --exclude-files '\.mypy_cache' \
+            --exclude-files '\.pytest_cache' \
+            --exclude-files '\.tox' \
+            --exclude-files '\.venv' \
+            --exclude-files 'venv' \
+            --exclude-files 'dist' \
+            --exclude-files 'build' \
+            --exclude-files '.*\.egg-info'
+        # break build when new secrets discovered
+        # function compares baseline/new secrets w/o listing results -- success(0) when new secret found
+        compare_secrets() { diff <(jq -r '.results | keys[] as $key | "\($key),\(.[$key] | .[] | .hashed_secret)"' "${1}" | sort) <(jq -r '.results | keys[] as $key | "\($key),\(.[$key] | .[] | .hashed_secret)"' "${2}" | sort) | grep -q '>' ; }
+        # test baseline versus new secret files
+        if compare_secrets .secrets.baseline .secrets.new; 
+        then
+            echo "⚠️ Attention Required! ⚠️" >&2
+            echo "New secrets have been detected in your recent commit. Due to security concerns, we cannot display detailed information here and we cannot proceed until this issue is resolved." >&2
+            echo "" >&2
+            echo "Please follow the steps below on your local machine to reveal and handle the secrets:" >&2
+            echo "" >&2
+            echo "1️⃣ Run the 'detect-secrets' tool on your local machine. This tool will identify and clean up the secrets. You can find detailed instructions at this link: https://nasa-ammos.github.io/slim/continuous-testing/starter-kits/#detect-secrets" >&2
+            echo "" >&2
+            echo "2️⃣ After cleaning up the secrets, commit your changes and re-push your update to the repository." >&2
+            echo "" >&2
+            echo "Your efforts to maintain the security of our codebase are greatly appreciated!" >&2
+            exit 1
+        else
+            echo "🟢 Secrets tests PASSED! 🟢" >&1
+            echo "No new secrets were detected in comparison to any baseline configurations."  >&1
+            exit 0
+        fi 
diff --git a/.gitignore b/.gitignore
@@ -51,6 +51,7 @@ coverage.xml
 *.py,cover
 .hypothesis/
 .pytest_cache/
+.secrets*
 
 # Translations
 *.mo

diff --git a/.secrets.baseline b/.secrets.baseline
@@ -0,0 +1,15 @@
+{
+  "version": "1.4.0",
+  "results": {
+    "setup.cfg": [
+      {
+        "type": "Email Address",
+        "filename": "setup.cfg",
+        "hashed_secret": "3d5f1cb1412e27257b118b0fbf9dcccf390be6cb",
+        "is_verified": false,
+        "line_number": 31
+      }
+    ]
+  },
+  "generated_at": "2024-03-14T20:03:34Z"
+}