From 432f63ce5715172bbbd5f7e03f538bba27103a63 Mon Sep 17 00:00:00 2001
From: Abram Phelon
Date: Mon, 5 Jun 2023 11:18:49 -0600
Subject: [PATCH 1/2] CORE-4384

---
 .github/CODEOWNERS | 1 +
 .github/workflows/ripsecrets.yaml | 22 ++++++++++++++++++++++
 .pre-commit-config.yaml | 7 +++++++
 .secretsignore | 4 ++++
 README.md | 7 +++++++
 5 files changed, 41 insertions(+)
 create mode 100644 .github/CODEOWNERS
 create mode 100644 .github/workflows/ripsecrets.yaml
 create mode 100644 .pre-commit-config.yaml
 create mode 100644 .secretsignore

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 00000000..b0e58d10
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1 @@
+/.github/* @bombbomb/Dev-Admins
\ No newline at end of file
diff --git a/.github/workflows/ripsecrets.yaml b/.github/workflows/ripsecrets.yaml
new file mode 100644
index 00000000..668de896
--- /dev/null
+++ b/.github/workflows/ripsecrets.yaml
@@ -0,0 +1,22 @@
+name: RipSecrets
+on: [pull_request]
+jobs:
+ ripsecrets:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+
+ - name: Download ripsecrets
+ run: |
+ wget https://s3.amazonaws.com/static.bombbomb.com/ci/ripsecrets.tar.gz
+ tar -xzf ripsecrets.tar.gz
+ chmod +x ripsecrets
+ sudo mv ripsecrets /usr/local/bin
+
+ - name: Run ripsecrets
+ run: |
+ ripsecrets `git diff origin/${{ github.base_ref }} --name-only --diff-filter=ACM`
\ No newline at end of file
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 00000000..1a0ac8f8
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,7 @@
+repos:
+- repo: https://github.com/sirwart/ripsecrets
+ rev: v0.1.5 # Use latest tag on GitHub
+ hooks:
+ - id: ripsecrets
+ stages: [commit]
+
diff --git a/.secretsignore b/.secretsignore
new file mode 100644
index 00000000..2acf1c62
--- /dev/null
+++ b/.secretsignore
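Review bot: The pattern `/.github/*` on the hunk's only line matches files directly inside `.github` but not nested paths, so `.github/workflows/ripsecrets.yaml` — the workflow this same commit adds to run the scanner — falls outside the `@bombbomb/Dev-Admins` ownership and can be changed without their review. A directory pattern covers the whole tree: `/.github/ @bombbomb/Dev-Admins`. Because that workflow downloads and executes a binary in CI, edits to it are exactly what the owners rule should gate.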
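Review bot: The `Download ripsecrets` step fetches `ripsecrets.tar.gz` from a bucket and installs it with no integrity check, so whoever can write to that bucket decides what runs against every pull request's checkout; the retargeted URL in the second patch (`update cdn`) has the same gap. Pin the expected digest and verify it before extracting, e.g. `echo "<EXPECTED_SHA256>  ripsecrets.tar.gz" | sha256sum -c -` right after the `wget` line, and record which ripsecrets version the archive contains so it can be kept in step with the `rev: v0.1.5` the pre-commit hook uses. Two smaller points: `actions/checkout@v3` is a movable tag (pin to a commit SHA if the repo follows that policy), and `${{ github.base_ref }}` is expanded into the shell script text before it runs — passing it through an `env:` entry and quoting it (`"origin/$BASE_REF"`) keeps expression interpolation out of the script body.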
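Review bot: `stages: [commit]` uses the legacy stage name; newer pre-commit releases (3.x) renamed it to `pre-commit`, so `stages: [pre-commit]` is the forward-compatible spelling if the team's pre-commit version supports it. The `# Use latest tag on GitHub` comment on `rev: v0.1.5` reads as an instruction to float the version, which would let the local hook and the CI binary drift apart; stating the intent is clearer, e.g. `rev: v0.1.5  # keep in step with the CI binary in ripsecrets.yaml`. The hunk also ends with a trailing blank line as its last added line.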
@@ -0,0 +1,4 @@
+#full filepaths go here
+
+[secrets]
+#individual secrets go here
\ No newline at end of file
diff --git a/README.md b/README.md
index dc78e91b..61a2fc00 100644
--- a/README.md
+++ b/README.md
@@ -176,3 +176,10 @@ If the filename ends with `.url` suffix, the content will be processed as an URL
 - description: Set to true to enable pulling of 5XX response content from config map. Used in case if the filename ends with `.url` suffix (Please refer to the `*.url` feature here.)
 - required: false
 - type: boolean
+
+RipSecrets

+We implement pipeline secret scanning on all pull request events to prevent credentials from being merged. If the pipeline scanner detects a secret in your changed files it will gate the pull request and you will need to purge the found credential from your code and re-open the PR. To prevent getting gated by this tool and as best practice you should install the secret scanner locally in a pre-commit hook to prevent the secret from ever being committed to the repo in the first place. You can find documentation on how to set it up locally [here](https://bombbomb.atlassian.net/wiki/spaces/CORE/pages/2039775312/Pipeline+Secret+Scanner+Local+Setup)
+Ripsecrets has ways to bypass secret scanning although we should not be ignoring secrets that turn up in the scans. If something is out of your control and blocking the pipeline you can bypass it in one of the following ways
+1. Adding "# pragma: allowlist secret" to the end of the line with the secret.
+2. Adding the specific secret underneath the "[secrets]" block in .secretsignore
+3. Adding the filepath to ignore the whole file aboove the "[secrets]" block in .secretsignore
\ No newline at end of file

From 946075c8b155ee44b54cb60427b69b1174ad3464 Mon Sep 17 00:00:00 2001
From: Abram Phelon
Date: Mon, 5 Jun 2023 23:38:13 -0600
Subject: [PATCH 2/2] update cdn

---
 .github/workflows/ripsecrets.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ripsecrets.yaml b/.github/workflows/ripsecrets.yaml
index 668de896..0572e59e 100644
--- a/.github/workflows/ripsecrets.yaml
+++ b/.github/workflows/ripsecrets.yaml
@@ -12,7 +12,7 @@ jobs:
 
 - name: Download ripsecrets
 run: |
- wget https://s3.amazonaws.com/static.bombbomb.com/ci/ripsecrets.tar.gz
+ wget https://static.bombbomb.com/ci/ripsecrets.tar.gz
 tar -xzf ripsecrets.tar.gz
 chmod +x ripsecrets
 sudo mv ripsecrets /usr/local/bin