+
+#### Layer 2: Git Commit Scan (Client-side)
+The second layer is a pre-commit hook implemented in the local environment. This hook utilizes a pre-configured `.pre-commit-config.yaml` file, which contains a baseline file for secret comparison. If any new secrets are detected during the commit process, the hook prevents the commit from being created. This acts as a safety net, ensuring no new secrets are accidentally committed. Detailed documentation for Layer 2
+```mermaid
+sequenceDiagram
+ participant User as Developer
+ participant Local as Local Environment
+ participant Config as .pre-commit-config.yaml
+ participant PCH as Pre-commit Hook
+ participant DS as Detect-Secrets
+ participant File as Baseline File
+
+ Note over User,Local: Developer attempts to commit
+ User->>+Local: Request commit
+ Local->>+Config: Fetches pre-commit config
+ Config->>PCH: Returns config with Detect-Secrets setup
+ PCH->>DS: Request secret scan with existing baseline
+ DS->>File: Fetches baseline file
+ File->>DS: Returns baseline file
+ DS->>DS: Scans changes for secrets with custom plugins
+ alt New Secrets Detected
+ DS-->>PCH: Returns detected secrets
+ PCH-->>Local: Prevents commit & reports detected secrets
+ Local-->>User: Prevents commit & reports detected secrets
+ else No New Secrets Detected
+ DS-->>PCH: Returns clean result
+ PCH-->>Local: Allows commit
+ Local-->>User: Commits changes
+ end
+
+```
+Starter Kit:
+1. Install [pre-commit](https://pre-commit.com/#install)
+```bash
+pip install pre-commit
+```
+2. [Install our additional configurations (same as layer 1)](#2-install-our-additional-configurations)
+3. Install pre-commit hook
+```bash
+pre-commit install
+```
+> This command will install a pre-commit hook in your local git repository based on the configurations in `.pre-commit-config.yaml` file.
+4. Commit your changes
+
+ Now, you can commit your changes as usual. If any new secrets are detected, the commit will be prevented and the secrets will be reported.
+
+ For example,
+
+ 
+
+
+> **Note**: pre-commit hook block commit by comparing new secrets with the results in `.secrets.baseline` file. If you want to add new secret results, you need to update `.secrets.baseline` file by re-running the scan command and generate a new baseline file.
+>
+> You can create an empty baseline file by running this command at a directory without secrets.
+
+#### Layer 3: Server-side Push to GitHub.com
+The final layer of our solution is a server-side pre-commit scan powered by `pre-commit.ci`. This scan is triggered whenever a developer pushes to a branch or creates a pull request. It uses the same `.pre-commit-config.yaml` file as Layer 2, ensuring consistency between local and server-side checks. If the scan detects any new secrets, it returns a status check. If the target branch is protected, GitHub uses this status check to decide whether the merge or push can proceed. Detailed documentation for Layer 3
+
+This multi-layered approach to secret scanning provides a robust and comprehensive secret detection system, reducing the risk of exposing sensitive information in your codebase. For a more in-depth explanation of each layer, please refer to the respective detailed documentation links.
+
+```mermaid
+sequenceDiagram
+ participant User as Developer
+ participant GH as GitHub
+ participant Config as .pre-commit-config.yaml
+ participant CI as pre-commit CI
+ participant DS as Detect-Secrets
+
+ Note over User,GH: Developer creates pull request or pushes to branch
+ User->>+GH: Creates pull request / pushes to branch
+ GH->>+Config: Fetches pre-commit config
+ Config->>CI: Returns config with Detect-Secrets setup
+ CI->>DS: Requests secret scan
+ DS->>DS: Scans pull request / branch for secrets with custom plugins
+ alt Secrets Detected
+ DS-->>CI: Returns detected secrets
+ CI-->>GH: Reports status check as failed
+ GH-->>User: Prevents merge / push & reports status check
+ else No Secrets Detected
+ DS-->>CI: Returns clean result
+ CI-->>GH: Reports status check as passed
+ GH-->>User: Allows merge / push
+ end
+
+```
+Starter Kit:
+1. [Install our additional configurations (same as layer 1 and layer 2)](#2-install-our-additional-configurations)
+
+2. Register your repository on [pre-commit.ci](https://results.pre-commit.ci/)
+ 
+ After this, every time you push to a branch or create a pull request, pre-commit.ci will run a scan and report the results as a status check.
+
+ 
+
+ 
+
+3. [Protect your branch](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule)
+
+ After this, if status check fails, GitHub will prevent the merge or push to the protected branch.
+
+#### Attention for using Detect Secrets
+> 1.It does not [show all the same type of secrets in a same file to minimize noise](https://github.com/Yelp/detect-secrets/blob/master/docs/design.md#:~:text=Furthermore%2C%20this%20will%20not%20flag%20on%20every%20single%20usage%20of%20a%20given%20secret%20in%20a%20given%20file%2C%20to%20minimize%20noise.)
+>
+> This means sometimes it will only show one secret in a file even if there are multiple **same type of secrets** in the same file.
+> Audit tool will not show all the secrets due to this reason.
+>
+> **->** Thus, when you see a secret is detected, best practice is to **manually** check that file.
+
+> 2.Even though detect-secrets has strong secret-detect ability compared to other tools, it is still possible that detect-secrets will not show you a file that contains secrets due to a new type of secret not capable by current plugins.
+>
+> **->** Thus, the best practice is always to be careful as a developer and **manually** check the files that you think might contain secrets.
+>> `detect-secrets` is a backup approach to minimize the chance of pushing secrets to the cloud.
+
+#### Recommended Workflow
+1. At least use layer 3 (Server-side push to GitHub.com) to protect the main branch from being pushed or merged if any secrets are detected.
+2. If any secrets are detected during layer 3, you can:
+ - Clean the commit history of the branch
+ - To find out the files that needs clean, you can use layer 1's auditing feature as assistance
+ - If a secret has already been committed, visit
+ https://help.github.com/articles/removing-sensitive-data-from-a-repository
+3. Recommend to set up layer 2 (Git commit scan, client-side) for every developer
+ - It can minimize the chance of pushing secrets to the cloud
+ - Local files are easier to clean than GitHub commit history
+4. Layer 1 (Full scan and audit, client-side) can be involved during each stage
+ - It helps you generate, update or analyze baseline file for layer 2 and 3
+
+```mermaid
+sequenceDiagram
+ participant Dev as Developer
+ participant GH as GitHub
+ participant DS as Detect-Secrets
+ participant L1 as Layer 1 (Full Scan & Audit)
+ participant L2 as Layer 2 (Git Commit Scan)
+ participant L3 as Layer 3 (Server-side Push to GitHub)
+
+ Dev->>L3: Push/Merge to Main Branch
+ L3->>DS: Scan for Secrets
+ alt Secrets Detected in L3
+ DS-->>Dev: Secrets Detected
+ Dev->>L1: Use Auditing Feature to Identify Files for Cleaning
+ Dev->>Dev: Clean Commit History
+ Note over Dev: If a secret has already been committed, visit: https://help.github.com/articles/removing-sensitive-data-from-a-repository + Dev->>L2: Set Up Git Commit Scan + Note over Dev, L2: Minimize the chance of pushing secrets
Easier to clean local files than GitHub commit history + Dev->>L1: Involve Full Scan & Audit in Each Stage + Note over Dev, L1: Helps generate, update or analyze baseline file for L2 and L3 + Dev->>L3: Retry Push/Merge to Main Branch + else No Secrets Detected + DS-->>GH: No Secrets Detected + GH->>Dev: Allows Push/Merge to Main Branch + end + +``` + +#### More Configurations +Check out +1. [detect-secrets](https://github.com/Yelp/detect-secrets) +2. [pre-commit](https://pre-commit.com/) +3. [pre-commit.ci](https://pre-commit.ci/) ## Software Composition Analysis From fadf55e983322615b70050595a8b78c631d02d9a Mon Sep 17 00:00:00 2001 From: Jingchao Zhong <92573736+perryzjc@users.noreply.github.com> Date: Thu, 11 May 2023 17:05:57 -0700 Subject: [PATCH 03/16] Issue NASA-AMMOS#89: Update documentation for detect-secrets Configuration files (yaml, baseline file, and plugins) are stored at another repository: https://github.com/NASA-AMMOS/slim-config-detect-secrets --- continuous-testing/starter-kits/README.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/continuous-testing/starter-kits/README.md b/continuous-testing/starter-kits/README.md index d975e2c63..728f5625b 100644 --- a/continuous-testing/starter-kits/README.md +++ b/continuous-testing/starter-kits/README.md @@ -315,13 +315,14 @@ sequenceDiagram L3->>DS: Scan for Secrets alt Secrets Detected in L3 DS-->>Dev: Secrets Detected + Note over Dev: Manually check the file for same type of secrets Dev->>L1: Use Auditing Feature to Identify Files for Cleaning Dev->>Dev: Clean Commit History - Note over Dev: If a secret has already been committed, visit:
https://help.github.com/articles/removing-sensitive-data-from-a-repository + Note over Dev: If a secret has already been committed, refer:
https://help.github.com/articles/removing-sensitive-data-from-a-repository Dev->>L2: Set Up Git Commit Scan - Note over Dev, L2: Minimize the chance of pushing secrets
Easier to clean local files than GitHub commit history - Dev->>L1: Involve Full Scan & Audit in Each Stage - Note over Dev, L1: Helps generate, update or analyze baseline file for L2 and L3 + Note over Dev, L2: Minimizes chances of pushing secrets
Easier to clean local files than GitHub commit history + Dev->>L1: Use Full Scan & Audit at Each Stage + Note over Dev, L1: Assists in generating, updating or analyzing baseline file for L2 and L3 Dev->>L3: Retry Push/Merge to Main Branch else No Secrets Detected DS-->>GH: No Secrets Detected From d20ee6134a0dc0e0dab11d2d2570e358ef7e4550 Mon Sep 17 00:00:00 2001 From: Jingchao Zhong <92573736+perryzjc@users.noreply.github.com> Date: Fri, 19 May 2023 02:56:16 -0700 Subject: [PATCH 04/16] Issue #89: Update documentation for detect-secrets --- continuous-testing/starter-kits/README.md | 246 ++++++++++++++-------- 1 file changed, 154 insertions(+), 92 deletions(-) diff --git a/continuous-testing/starter-kits/README.md b/continuous-testing/starter-kits/README.md index 728f5625b..80aecb695 100644 --- a/continuous-testing/starter-kits/README.md +++ b/continuous-testing/starter-kits/README.md @@ -27,7 +27,7 @@ mindmap ``` -Our application of `detect-secrets` embraces a tri-layered approach, bolstered by customized plugins, to provide robust protection against potential secret leaks at the earliest stage. +Our application of `detect-secrets` embraces a tri-layered approach, bolstered by customized plugins ([full list of plugins available here](https://github.com/NASA-AMMOS/slim-detect-secrets/tree/exp#viewing-all-enabled-plugins)), to provide robust protection against potential secret leaks at the earliest stage. This page proposes three layers of secret scanning to help preventing secrets from being leaked on GitHub Three layers of protection are: @@ -41,15 +41,15 @@ flowchart TB User([fa:fa-user User]) subgraph UserWorkflow["User Workflow to Secure Secrets"] - Layer1["1. Layer 1: GitHub.com (server-side)"] - Layer2["2. Layer 2: Git commit scan (client-side)"] - Layer3["3. Layer 3: Full scan (client-side)"] + Layer1["Layer 1: Full scan (client-side)"] + Layer2["Layer 2: Git commit scan (client-side)"] + Layer3["Layer 3: GitHub.com (server-side)"] - Layer1 -->|If Secrets Detected| Clean1[Purge or Fix the commit manually] + Layer1 -->|If Secrets Detected| Clean3[Clean local file directly.] Layer2 -->|If Secrets Detected| Clean2[Clean local file directly.
Don't need to worry about cleaning commit history] - Layer3 -->|If Secrets Detected| Clean3[Clean local file directly.] + Layer3 -->|If Secrets Detected| Clean1[Purge or Fix the commit manually] - Secure["Only Main branch is in safe.
Secrets are leaked on other branch before cleaning"] + Secure["Only GitHub-Protected branch is in safe.
Secrets are leaked on other branch before cleaning"] Clean1 --> Secure SaveTime["It saves your time. And secrets are safe from GitHub"] @@ -72,8 +72,22 @@ flowchart TB style SaveTime fill:#5ABF9B,stroke:#333,stroke-width:2px style Secure fill:#AF3034,stroke:#333,stroke-width:2px ``` +> **Note**: Below three layers, are running on experimental version [slim-detect-secrets](https://github.com/NASA-AMMOS/slim-detect-secrets/tree/exp) which supports additional secret detection [plugins](https://github.com/NASA-AMMOS/slim-detect-secrets/tree/exp#viewing-all-enabled-plugins). +> +> They are: +> > * [AWS sensitive information]() (click for more information) +> > * Public IP Address +> > * Absolute Path +> > * Email Address +> > +> > Link to their [implementation](https://github.com/NASA-AMMOS/slim-detect-secrets/tree/exp/detect_secrets/plugins) and [test suites](https://github.com/NASA-AMMOS/slim-detect-secrets/tree/exp/tests/plugins) +> +> It is being tested by both [NASA-AMMOS/slim](https://github.com/NASA-AMMOS/slim) team and [Yelp/detect-secrets](https://github.com/Yelp/detect-secrets) team. +> Eventually, it will be merged into Yelp/detect-secrets. +> +> At that time, this document will be updated to use the official version of detect-secrets. #### Layer 1: Full Scan and Audit (Client-side) -The first layer initiates a direct scan on the developer's local environment. This is achieved through the `detect-secrets` tool, which scans the entire codebase and outputs a new baseline file containing any detected secrets. The developer can then audit this file to view detailed information about any detected secrets. Detailed documentation for Layer 1 +The first layer initiates a direct scan on the developer's local environment. This is achieved through the `detect-secrets` tool, which scans the entire codebase and outputs a new baseline file containing detected secrets. The developer can then audit this file to view detailed information about detected secrets. ```mermaid sequenceDiagram participant Dev as Developer @@ -98,61 +112,23 @@ sequenceDiagram ``` Starter Kit: -1. Install [detect-secrets](https://github.com/Yelp/detect-secrets) +1. Install experimental version of [slim-detect-secrets](https://github.com/NASA-AMMOS/slim-detect-secrets/tree/exp) ```bash -pip install detect-secrets -``` -##### 2. Install our additional configurations -cd to your project root directory -```bash -cd
+
+Now, you can commit your changes as usual. If any **new secrets** are detected, the commit will be prevented and the secrets will be reported.
+
+For example,
+
+
> **Note**: pre-commit hook block commit by comparing new secrets with the results in `.secrets.baseline` file. If you want to add new secret results, you need to update `.secrets.baseline` file by re-running the scan command and generate a new baseline file.
>
-> You can create an empty baseline file by running this command at a directory without secrets.
+> You can create an empty result baseline file by running this command at a directory without secrets.
#### Layer 3: Server-side Push to GitHub.com
-The final layer of our solution is a server-side pre-commit scan powered by `pre-commit.ci`. This scan is triggered whenever a developer pushes to a branch or creates a pull request. It uses the same `.pre-commit-config.yaml` file as Layer 2, ensuring consistency between local and server-side checks. If the scan detects any new secrets, it returns a status check. If the target branch is protected, GitHub uses this status check to decide whether the merge or push can proceed. Detailed documentation for Layer 3
-
-This multi-layered approach to secret scanning provides a robust and comprehensive secret detection system, reducing the risk of exposing sensitive information in your codebase. For a more in-depth explanation of each layer, please refer to the respective detailed documentation links.
+The final layer of our solution is a server-side pre-commit scan powered by [GitHub Action](https://github.com/features/actions). This scan is triggered whenever a developer pushes to a branch or creates a pull request. If the scan detects any new secrets, it can generate a not detailed report compared to layer 2 (for security concern), email to the developer, and report a status check to GitHub. The status check will prevent the developer from merging the pull request or pushing to the **protected** branch. This layer protects the protected branch from being polluted by secrets, but secrets can still be pushed to other branches.
```mermaid
sequenceDiagram
participant User as Developer
participant GH as GitHub
- participant Config as .pre-commit-config.yaml
- participant CI as pre-commit CI
+ participant Workflow as detect-secrets.yaml
+ participant GA as GitHub Action
participant DS as Detect-Secrets
Note over User,GH: Developer creates pull request or pushes to branch
User->>+GH: Creates pull request / pushes to branch
- GH->>+Config: Fetches pre-commit config
- Config->>CI: Returns config with Detect-Secrets setup
- CI->>DS: Requests secret scan
- DS->>DS: Scans pull request / branch for secrets with custom plugins
+ GH->>+Workflow: Triggers GitHub Action workflow
+ Workflow->>GA: Sets up and runs Detect-Secrets scan
+ GA->>DS: Requests secret scan
+ DS->>DS: Scans repository for secrets
alt Secrets Detected
- DS-->>CI: Returns detected secrets
- CI-->>GH: Reports status check as failed
- GH-->>User: Prevents merge / push & reports status check
+ DS-->>GA: Returns detected secrets
+ GA-->>GH: Fails status check
+ GH-->>User: Prevents merge / push & sends email notification
else No Secrets Detected
- DS-->>CI: Returns clean result
- CI-->>GH: Reports status check as passed
+ DS-->>GA: Returns clean result
+ GA-->>GH: Passes status check
GH-->>User: Allows merge / push
end
```
Starter Kit:
-1. [Install our additional configurations (same as layer 1 and layer 2)](#2-install-our-additional-configurations)
+1. Create a workflow file `detect-secrets.yaml` in `.github/workflows` directory from your repository root.
+```yaml
+name: Secret Detection Workflow
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+
+jobs:
+ secret-detection:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: Install necessary packages
+ run: |
+ # experimental version of slim-detect-secrets
+ pip install git+https://github.com/NASA-AMMOS/slim-detect-secrets.git@exp
+ pip install jq
+
+ - name: Scan repository for secrets
+ run: |
+ # scripts to scan repository for new secrets
+
+ # backup the list of known secrets
+ cp .secrets.baseline .secrets.new
+
+ # find the secrets in the repository
+ detect-secrets scan --baseline .secrets.new --exclude-files '.secrets.*' --exclude-files '.git*'
+
+ # if there is any difference between the known and newly detected secrets, break the build
+ # Function to compare secrets without listing them
+ compare_secrets() { diff <(jq -r '.results | keys[] as $key | "\($key),\(.[$key] | .[] | .hashed_secret)"' "$1" | sort) <(jq -r '.results | keys[] as $key | "\($key),\(.[$key] | .[] | .hashed_secret)"' "$2" | sort) >/dev/null; }
+
+ # Check if there's any difference between the known and newly detected secrets
+ if ! compare_secrets .secrets.baseline .secrets.new; then
+ echo "⚠️ Attention Required! ⚠️" >&2
+ echo "New secrets have been detected in your recent commit. Due to security concerns, we cannot display detailed information here and we cannot proceed until this issue is resolved." >&2
+ echo "" >&2
+ echo "Please follow the steps below on your local machine to reveal and handle the secrets:" >&2
+ echo "" >&2
+ echo "1️⃣ Run the 'detect-secrets' tool on your local machine. This tool will identify and clean up the secrets. You can find detailed instructions at this link: https://nasa-ammos.github.io/slim/continuous-testing/starter-kits/#detect-secrets" >&2
+ echo "" >&2
+ echo "2️⃣ After cleaning up the secrets, commit your changes and re-push your update to the repository." >&2
+ echo "" >&2
+ echo "Your efforts to maintain the security of our codebase are greatly appreciated!" >&2
+ exit 1
+ fi
+
+```
+This file is used to config the GitHub Action workflow. After this, GitHub will automatically run the workflow when you push to the branch or create a pull request.
+This template currently only supports `main` branch. If you want to use it for other branches, you need to change the `on` section.
+
+This workflow will run the `detect-secrets` tool on the GitHub server. If any new secrets are detected, it will:
+- Fail the status check
+
+
- After this, every time you push to a branch or create a pull request, pre-commit.ci will run a scan and report the results as a status check.
+2. [Protect your branch](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule)
-
-
-
+Recommend to manully double check detected files
due to "minimize noise" feature from detect-secrets Dev->>Dev: Clean Commit History Note over Dev: If a secret has already been committed, refer:
https://help.github.com/articles/removing-sensitive-data-from-a-repository Dev->>L2: Set Up Git Commit Scan @@ -335,7 +398,6 @@ sequenceDiagram Check out 1. [detect-secrets](https://github.com/Yelp/detect-secrets) 2. [pre-commit](https://pre-commit.com/) -3. [pre-commit.ci](https://pre-commit.ci/) ## Software Composition Analysis From d73d37ff9ae6a2d1afaed6117aebeb928af8aebc Mon Sep 17 00:00:00 2001 From: Jingchao Zhong <92573736+perryzjc@users.noreply.github.com> Date: Wed, 7 Jun 2023 08:42:54 -0700 Subject: [PATCH 05/16] Reorder the graph to go from layer 1 in the left to layer 3 in the right Solve this suggestion: https://github.com/NASA-AMMOS/slim/pull/95#discussion_r1212447090 --- continuous-testing/starter-kits/README.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/continuous-testing/starter-kits/README.md b/continuous-testing/starter-kits/README.md index 80aecb695..943dae17c 100644 --- a/continuous-testing/starter-kits/README.md +++ b/continuous-testing/starter-kits/README.md @@ -45,23 +45,23 @@ flowchart TB Layer2["Layer 2: Git commit scan (client-side)"] Layer3["Layer 3: GitHub.com (server-side)"] - Layer1 -->|If Secrets Detected| Clean3[Clean local file directly.] + Layer1 -->|If Secrets Detected| Clean1[Clean local file directly.] Layer2 -->|If Secrets Detected| Clean2[Clean local file directly.
Don't need to worry about cleaning commit history] - Layer3 -->|If Secrets Detected| Clean1[Purge or Fix the commit manually] - - Secure["Only GitHub-Protected branch is in safe.
Secrets are leaked on other branch before cleaning"] - Clean1 --> Secure + Layer3 -->|If Secrets Detected| Clean3[Purge or Fix the commit manually] SaveTime["It saves your time. And secrets are safe from GitHub"] + Clean1 --> SaveTime Clean2 --> SaveTime - Clean3 --> SaveTime + + Secure["Only GitHub-Protected branch is in safe.
Secrets are leaked on other branch before cleaning"] + Clean3--> Secure end User -->|At least use| Layer1 User -->|Helpful to use| Layer2 User -->|Optional to use| Layer3 - style User fill:#F6F5F3,stroke:#333,stroke-width:1px + style User fill:#F6F5F3,stroke:#333,stroke-width:1px style UserWorkflow fill:#AF7AC5,stroke:#333,stroke-width:2px style Layer1 fill:#F3B044,stroke:#333,stroke-width:2px,stroke-dasharray: 5 5 style Layer2 fill:#F3B044,stroke:#333,stroke-width:2px,stroke-dasharray: 5 5 @@ -71,6 +71,7 @@ flowchart TB style Clean3 fill:#5A88ED,stroke:#333,stroke-width:2px style SaveTime fill:#5ABF9B,stroke:#333,stroke-width:2px style Secure fill:#AF3034,stroke:#333,stroke-width:2px + ``` > **Note**: Below three layers, are running on experimental version [slim-detect-secrets](https://github.com/NASA-AMMOS/slim-detect-secrets/tree/exp) which supports additional secret detection [plugins](https://github.com/NASA-AMMOS/slim-detect-secrets/tree/exp#viewing-all-enabled-plugins). > From 981e6fd7ce796983670f4562963d095735d4e795 Mon Sep 17 00:00:00 2001 From: Jingchao Zhong <92573736+perryzjc@users.noreply.github.com> Date: Wed, 7 Jun 2023 08:43:25 -0700 Subject: [PATCH 06/16] Fix syntax Co-authored-by: Rishi Verma
-
-> **Note**: pre-commit hook block commit by comparing new secrets with the results in `.secrets.baseline` file. If you want to add new secret results, you need to update `.secrets.baseline` file by re-running the scan command and generate a new baseline file.
->
+> **Note**: The pre-commit hook blocks a commit by comparing new secrets with the results in the `.secrets.baseline` file. If new secrets are introduced, the hook will report them, but it does not automatically update the `.secrets.baseline` file. To update the baseline file with newly introduced secrets, you need to re-run the scan command in Layer 1 (step 2) and generate a new baseline file.
+>
> You can create an empty result baseline file by running this command at a directory without secrets.
#### Layer 3: Server-side Push to GitHub.com
From 9973401268a47e26bd92c619ee49f208f707e40b Mon Sep 17 00:00:00 2001
From: Jingchao Zhong <92573736+perryzjc@users.noreply.github.com>
Date: Thu, 8 Jun 2023 06:23:18 -0700
Subject: [PATCH 10/16] Simplify README.md about layer 3
---
continuous-testing/starter-kits/README.md | 57 +----------------------
1 file changed, 2 insertions(+), 55 deletions(-)
diff --git a/continuous-testing/starter-kits/README.md b/continuous-testing/starter-kits/README.md
index 98d7b58dd..55848b207 100644
--- a/continuous-testing/starter-kits/README.md
+++ b/continuous-testing/starter-kits/README.md
@@ -263,62 +263,9 @@ sequenceDiagram
```
Starter Kit:
-1. Create a workflow file `detect-secrets.yaml` in `.github/workflows` directory from your repository root.
-```yaml
-name: Secret Detection Workflow
-on:
- push:
- branches:
- - main
- pull_request:
- branches:
- - main
-
-jobs:
- secret-detection:
- runs-on: ubuntu-latest
- steps:
- - name: Checkout code
- uses: actions/checkout@v2
-
- - name: Install necessary packages
- run: |
- # experimental version of slim-detect-secrets
- pip install git+https://github.com/NASA-AMMOS/slim-detect-secrets.git@exp
- pip install jq
-
- - name: Scan repository for secrets
- run: |
- # scripts to scan repository for new secrets
-
- # backup the list of known secrets
- cp .secrets.baseline .secrets.new
-
- # find the secrets in the repository
- detect-secrets scan --baseline .secrets.new --exclude-files '.secrets.*' --exclude-files '.git*'
-
- # if there is any difference between the known and newly detected secrets, break the build
- # Function to compare secrets without listing them
- compare_secrets() { diff <(jq -r '.results | keys[] as $key | "\($key),\(.[$key] | .[] | .hashed_secret)"' "$1" | sort) <(jq -r '.results | keys[] as $key | "\($key),\(.[$key] | .[] | .hashed_secret)"' "$2" | sort) >/dev/null; }
-
- # Check if there's any difference between the known and newly detected secrets
- if ! compare_secrets .secrets.baseline .secrets.new; then
- echo "⚠️ Attention Required! ⚠️" >&2
- echo "New secrets have been detected in your recent commit. Due to security concerns, we cannot display detailed information here and we cannot proceed until this issue is resolved." >&2
- echo "" >&2
- echo "Please follow the steps below on your local machine to reveal and handle the secrets:" >&2
- echo "" >&2
- echo "1️⃣ Run the 'detect-secrets' tool on your local machine. This tool will identify and clean up the secrets. You can find detailed instructions at this link: https://nasa-ammos.github.io/slim/continuous-testing/starter-kits/#detect-secrets" >&2
- echo "" >&2
- echo "2️⃣ After cleaning up the secrets, commit your changes and re-push your update to the repository." >&2
- echo "" >&2
- echo "Your efforts to maintain the security of our codebase are greatly appreciated!" >&2
- exit 1
- fi
+1. Create a GitHub Action workflow file in `.github/workflows/` directory from your repository root. Visit the [detect-secrets Action](https://github.com/marketplace/actions/detect-secrets-action) in the GitHub Actions Marketplace for details on how to add it to your repository.
-```
-This file is used to config the GitHub Action workflow. After this, GitHub will automatically run the workflow when you push to the branch or create a pull request.
-This template currently only supports `main` branch. If you want to use it for other branches, you need to change the `on` section.
+After this, GitHub will automatically run the workflow when you push to the branch or create a pull request.
This workflow will run the `detect-secrets` tool on the GitHub server. If any new secrets are detected, it will:
- Fail the status check
From de962f1162cc30df7277eff670c49fad8bf4c72b Mon Sep 17 00:00:00 2001
From: Jingchao Zhong <92573736+perryzjc@users.noreply.github.com>
Date: Fri, 9 Jun 2023 17:08:29 -0700
Subject: [PATCH 11/16] Update README.md removing company information
Refer to this conversation:
https://github.com/NASA-AMMOS/slim/pull/95#discussion_r1224529636
---
continuous-testing/starter-kits/README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/continuous-testing/starter-kits/README.md b/continuous-testing/starter-kits/README.md
index 55848b207..dbe960099 100644
--- a/continuous-testing/starter-kits/README.md
+++ b/continuous-testing/starter-kits/README.md
@@ -7,7 +7,7 @@ This page contains starter kit information, which represent templates, code and
This section contains links to sample actions, templates and configurations that analyze and validate code for security flaws and sensitive information. Identifying security vulnerabilities and sensitive data is an [OSS cybersecurity](https://www.cisa.gov/uscert/ncas/alerts/aa22-137a) [best practice](https://appel.nasa.gov/2022/06/30/spotlight-on-lessons-learned-open-source-and-commercial-web-software-vulnerabilities/).
### Detect Secrets
-[detect-secrets](https://github.com/Yelp/detect-secrets), an open-source tool employed and recommended by leading technology companies such as [Microsoft](https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets/), [IBM](https://github.com/IBM/detect-secrets), and [Yelp](https://github.com/Yelp/detect-secrets), is instrumental in identifying sensitive information within project files. Its prowess lies in its extensible Python plugin API, which allows custom rules and heuristics to tackle a broad spectrum of secrets. Designed to scan the project's current state rather than the entire git history,
+[detect-secrets](https://github.com/Yelp/detect-secrets) is an industry leading tool to identify secure information included in source controlled files. Its prowess lies in its extensible Python plugin API, which allows custom rules and heuristics to tackle a broad spectrum of secrets. Designed to scan the project's current state rather than the entire git history,
it operates swiftly, making it ideal for continuous integration pipelines. Leveraging the concept of a "baseline file" (`.secrets.baseline`), it enables easy handling of known secrets and false positives, facilitating its gradual integration into existing projects.
```mermaid
From a70cac0ded980a6c10ca4e36f49a1a5c8b163bfb Mon Sep 17 00:00:00 2001
From: Jingchao Zhong <92573736+perryzjc@users.noreply.github.com>
Date: Fri, 9 Jun 2023 17:53:37 -0700
Subject: [PATCH 12/16] Update continuous-testing/starter-kits/README.md
Co-authored-by: Rishi Verma
> **Note**: The pre-commit hook blocks a commit by comparing new secrets with the results in the `.secrets.baseline` file. If new secrets are introduced, the hook will report them, but it does not automatically update the `.secrets.baseline` file. To update the baseline file with newly introduced secrets, you need to re-run the scan command in Layer 1 (step 2) and generate a new baseline file.
+
+> **Note**: during commit checks, detect secrets may not display all secrets present within a single file during a single scan. This can be to [minimize noise](https://github.com/Yelp/detect-secrets/blob/master/docs/design.md#potentialsecret), among other reasons. Thus if you have multiple violations of different types of secrets per file, multiple independent commits may be necessary to help identify all violations.
>
> You can create an empty result baseline file by running this command at a directory without secrets.
From 6549625ee6de5179ad3859ebe52c809a1ed5e108 Mon Sep 17 00:00:00 2001
From: Jingchao Zhong <92573736+perryzjc@users.noreply.github.com>
Date: Fri, 9 Jun 2023 18:13:11 -0700
Subject: [PATCH 15/16] Update continuous-testing/starter-kits/README.md
Co-authored-by: Rishi Verma