Skip to content

Commit

Permalink
Merge pull request #79 from NASA-PDS/software-issues-repo#55
Browse files Browse the repository at this point in the history 
Add secrets detection
  • Loading branch information
@jordanpadams
jordanpadams authored Nov 26, 2023
2 parents e468086 + 8e97b52 commit 802836c
Show file tree
Hide file tree
Showing 3 changed files with 320 additions and 54 deletions.
77 changes: 77 additions & 0 deletions .github/workflows/secrets-detection.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,77 @@
name: Secret Detection Workflow
on:
push:
branches:
- main
pull_request:
branches:
- main

jobs:
secret-detection:
runs-on: ubuntu-latest
steps:
-
name: Checkout code
uses: actions/checkout@v4
-
name: Install necessary packages
run: |
pip install git+https://github.com/NASA-AMMOS/slim-detect-secrets.git@exp
pip install jq
-
name: Create an initial .secrets.baseline if .secrets.baseline does not exist
run: |
if [ ! -f .secrets.baseline ]; then
# This generated baseline file will only be temporarily available on the GitHub side and will not appear in the user's local files.
# Scanning an empty folder to generate an initial .secrets.baseline without secrets in the results.
echo "⚠️ No existing .secrets.baseline file detected. Creating a new blank baseline file."
mkdir empty-dir
detect-secrets scan empty-dir > .secrets.baseline
echo "✅ Blank .secrets.baseline file created successfully."
rm -r empty-dir
else
echo "✅ Existing .secrets.baseline file detected. No new baseline file will be created."
fi
-
name: Scan repository for secrets
run: |
# scripts to scan repository for new secrets
# backup the list of known secrets
cp .secrets.baseline .secrets.new
# find the secrets in the repository
detect-secrets scan --disable-plugin AbsolutePathDetectorExperimental --baseline .secrets.new \
--exclude-files '\.secrets..*' \
--exclude-files '\.git.*' \
--exclude-files '\.pre-commit-config\.yaml' \
--exclude-files '\.mypy_cache' \
--exclude-files '\.pytest_cache' \
--exclude-files '\.tox' \
--exclude-files '\.venv' \
--exclude-files 'venv' \
--exclude-files 'dist' \
--exclude-files 'build' \
--exclude-files '.*\.egg-info'
# if there is any difference between the known and newly detected secrets, break the build
# Function to compare secrets without listing them
compare_secrets() { diff <(jq -r '.results | keys[] as $key | "\($key),\(.[$key] | .[] | .hashed_secret)"' "$1" | sort) <(jq -r '.results | keys[] as $key | "\($key),\(.[$key] | .[] | .hashed_secret)"' "$2" | sort) >/dev/null; }
# Check if there's any difference between the known and newly detected secrets
if ! compare_secrets .secrets.baseline .secrets.new; then
echo "⚠️ Attention Required! ⚠️" >&2
echo "New secrets have been detected in your recent commit. Due to security concerns, we cannot display detailed information here and we cannot proceed until this issue is resolved." >&2
echo "" >&2
echo "Please follow the steps below on your local machine to reveal and handle the secrets:" >&2
echo "" >&2
echo "1️⃣ Run the 'detect-secrets' tool on your local machine. This tool will identify and clean up the secrets. You can find detailed instructions at this link: https://nasa-ammos.github.io/slim/continuous-testing/starter-kits/#detect-secrets" >&2
echo "" >&2
echo "2️⃣ After cleaning up the secrets, commit your changes and re-push your update to the repository." >&2
echo "" >&2
echo "Your efforts to maintain the security of our codebase are greatly appreciated!" >&2
exit 1
fi
127 changes: 73 additions & 54 deletions .pre-commit-config.yaml
View file
Original file line number Diff line number Diff line change
@@ -1,18 +1,24 @@
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.4.0
hooks:
- id: trailing-whitespace
exclude: REQUIREMENTS\.md$
- id: end-of-file-fixer
exclude: REQUIREMENTS\.md$
- id: check-executables-have-shebangs
- id: check-merge-conflict
- id: debug-statements
- id: check-yaml
files: .*\.(yaml|yml)$
- id: check-json
- id: pretty-format-json
# Although this is a Python repository, the source code isn't installed
# into a package (the `setup.cfg` is unmodified from the upstream template
# repo), and so many of the checks here fail. I'm commenting them out in
# case this becomes a proper Python package some day so we can turn them
# back on.

# - repo: https://github.com/pre-commit/pre-commit-hooks
# rev: v4.4.0
# hooks:
# - id: trailing-whitespace
# exclude: REQUIREMENTS\.md$
# - id: end-of-file-fixer
# exclude: REQUIREMENTS\.md$
# - id: check-executables-have-shebangs
# - id: check-merge-conflict
# - id: debug-statements
# - id: check-yaml
# files: .*\.(yaml|yml)$
# - id: check-json
# - id: pretty-format-json

- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.81.0
Expand All @@ -23,49 +29,62 @@ repos:
# - id: terrascan
# - id: terraform_tfsec

- repo: https://github.com/asottile/reorder_python_imports
rev: v2.6.0
hooks:
- id: reorder-python-imports
files: ^src/|tests/
# - repo: https://github.com/asottile/reorder_python_imports
# rev: v2.6.0
# hooks:
# - id: reorder-python-imports
# files: ^src/|tests/

- repo: local
hooks:
- id: mypy
name: mypy
entry: mypy src
language: system
pass_filenames: false
# - repo: local
# hooks:
# - id: mypy
# name: mypy
# entry: mypy src
# language: system
# pass_filenames: false

- repo: local
hooks:
- id: black
name: black
entry: black
files: ^src/|tests/
language: system
types: [python]
# - repo: local
# hooks:
# - id: black
# name: black
# entry: black
# files: ^src/|tests/
# language: system
# types: [python]

- repo: local
hooks:
- id: flake8
name: flake8
entry: flake8 src
language: system
pass_filenames: false
# - repo: local
# hooks:
# - id: flake8
# name: flake8
# entry: flake8 src
# language: system
# pass_filenames: false

- repo: local
hooks:
- id: tests
name: Tests
entry: pytest
language: system
stages: [push]
pass_filenames: false
# - repo: local
# hooks:
# - id: tests
# name: Tests
# entry: pytest
# language: system
# stages: [push]
# pass_filenames: false

# #65: support for git-secrets
- repo: https://github.com/awslabs/git-secrets.git
# We have to use an sha here instead of a tag because of awslabs/git-secrets#182
rev: b9e96b3212fa06aea65964ff0d5cda84ce935f38
- repo: https://github.com/NASA-AMMOS/slim-detect-secrets
# using commit id for now, will change to tag when official version is released
rev: 91e097ad4559ae6ab785c883dc5ed989202c7fbe
hooks:
- id: git-secrets
- id: detect-secrets
args:
- '--baseline'
- '.secrets.baseline'
- --exclude-files '\.secrets..*'
- --exclude-files '\.git.*'
- --exclude-files '\.pre-commit-config\.yaml'
- --exclude-files '\.mypy_cache'
- --exclude-files '\.pytest_cache'
- --exclude-files '\.tox'
- --exclude-files '\.venv'
- --exclude-files 'venv'
- --exclude-files 'dist'
- --exclude-files 'build'
- --exclude-files '.*\.egg-info'
170 changes: 170 additions & 0 deletions .secrets.baseline
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,170 @@
{
"version": "1.4.0",
"plugins_used": [
{
"name": "ArtifactoryDetector"
},
{
"name": "AWSKeyDetector"
},
{
"name": "AWSSensitiveInfoDetectorExperimental"
},
{
"name": "AzureStorageKeyDetector"
},
{
"name": "Base64HighEntropyString",
"limit": 4.5
},
{
"name": "BasicAuthDetector"
},
{
"name": "CloudantDetector"
},
{
"name": "DiscordBotTokenDetector"
},
{
"name": "EmailAddressDetector"
},
{
"name": "GitHubTokenDetector"
},
{
"name": "HexHighEntropyString",
"limit": 3.0
},
{
"name": "IbmCloudIamDetector"
},
{
"name": "IbmCosHmacDetector"
},
{
"name": "IPPublicDetector"
},
{
"name": "JwtTokenDetector"
},
{
"name": "KeywordDetector",
"keyword_exclude": ""
},
{
"name": "MailchimpDetector"
},
{
"name": "NpmDetector"
},
{
"name": "PrivateKeyDetector"
},
{
"name": "SendGridDetector"
},
{
"name": "SlackDetector"
},
{
"name": "SoftlayerDetector"
},
{
"name": "SquareOAuthDetector"
},
{
"name": "StripeDetector"
},
{
"name": "TwilioKeyDetector"
}
],
"filters_used": [
{
"path": "detect_secrets.filters.allowlist.is_line_allowlisted"
},
{
"path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
"min_level": 2
},
{
"path": "detect_secrets.filters.heuristic.is_indirect_reference"
},
{
"path": "detect_secrets.filters.heuristic.is_likely_id_string"
},
{
"path": "detect_secrets.filters.heuristic.is_lock_file"
},
{
"path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string"
},
{
"path": "detect_secrets.filters.heuristic.is_potential_uuid"
},
{
"path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign"
},
{
"path": "detect_secrets.filters.heuristic.is_sequential_string"
},
{
"path": "detect_secrets.filters.heuristic.is_swagger_file"
},
{
"path": "detect_secrets.filters.heuristic.is_templated_secret"
},
{
"path": "detect_secrets.filters.regex.should_exclude_file",
"pattern": [
"\\.secrets..*",
"\\.pre-commit-config\\.yaml",
"\\.git.*",
"\\.mypy_cache",
"\\.pytest_cache",
"\\.tox",
"\\.venv",
"venv",
"dist",
"build",
".*\\.egg-info"
]
}
],
"results": {
"setup.cfg": [
{
"type": "Email Address",
"filename": "setup.cfg",
"hashed_secret": "3a6d7aa49a8e4a2fe32a5cd0e53da9cb96bd8d29",
"is_verified": false,
"line_number": 22
}
],
"terraform/README.md": [
{
"type": "AWS Sensitive Information (Experimental Plugin)",
"filename": "terraform/README.md",
"hashed_secret": "f2d4e04179e44fa7386b985ac3c7ee4d95dfd65d",
"is_verified": false,
"line_number": 83
},
{
"type": "AWS Sensitive Information (Experimental Plugin)",
"filename": "terraform/README.md",
"hashed_secret": "058af5f48af6e6e280495dcf5b889f92dd36863d",
"is_verified": false,
"line_number": 84
},
{
"type": "AWS Sensitive Information (Experimental Plugin)",
"filename": "terraform/README.md",
"hashed_secret": "431aad08e6c7e9babc8c125c7504e5ba71dfe7a7",
"is_verified": false,
"line_number": 84
}
]
},
"generated_at": "2023-11-17T20:05:20Z"
}

0 comments on commit 802836c

Please sign in to comment.