From f1c4e336e3f65ac4661f5d763fae0081a78d0497 Mon Sep 17 00:00:00 2001
From: Robert Rosca <32569096+RobertRosca@users.noreply.github.com>
Date: Fri, 16 Feb 2024 11:26:44 +0100
Subject: [PATCH] ci: add secret scanning pre-commit hook

---
 .pre-commit-config.yaml | 10 ++-
 .secrets.baseline | 143 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 151 insertions(+), 2 deletions(-)
 create mode 100644 .secrets.baseline

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index a5dfcbcf..c7f115c4 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,8 +1,14 @@
 repos:
-- hooks:
+- repo: https://github.com/commitizen-tools/commitizen
+ hooks:
 - id: commitizen
 - id: commitizen-branch
 stages:
 - push
- repo: https://github.com/commitizen-tools/commitizen
 rev: v2.42.1
+- repo: https://github.com/Yelp/detect-secrets
+ rev: v1.4.0
+ hooks:
+ - id: detect-secrets
+ args: ['--baseline', '.secrets.baseline', '--disable-filter', 'detect_secrets.filters.heuristic.is_likely_id_string']
+ exclude: '(pnpm-lock.yaml|poetry.lock)'
diff --git a/.secrets.baseline b/.secrets.baseline
new file mode 100644
index 00000000..24203a33
--- /dev/null
+++ b/.secrets.baseline
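Review bot: The `detect-secrets` hook passes `--disable-filter detect_secrets.filters.heuristic.is_likely_id_string` in `args`, but the `.secrets.baseline` added in the same commit still lists that filter under `filters_used`, so a manual `detect-secrets scan --baseline .secrets.baseline` and the pre-commit run apply different filter sets and can disagree on what counts as a finding. Either regenerate the baseline with the same `--disable-filter` flag so the two agree, or drop the flag from `args` if the id-string heuristic is wanted. The `exclude: '(pnpm-lock.yaml|poetry.lock)'` pattern duplicates the baseline's `should_exclude_file` pattern and is an unanchored regex with unescaped dots, so `exclude: '(^|/)(pnpm-lock\.yaml|poetry\.lock)$'` states the intent more precisely. `rev: v1.4.0` is a mutable tag; pinning `rev` to that tag's commit SHA makes the hook reproducible. The baseline also records a `Secret Keyword` hit at `.github/workflows/test.yml` line 40 and a high-entropy string in `README.md` line 171 as `is_secret: false`, and those audit decisions are what the hook will trust from now on, so it is worth confirming in the PR that neither value is a live credential.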
@@ -0,0 +1,143 @@
+{
+ "version": "1.4.0",
+ "plugins_used": [
+ {
+ "name": "ArtifactoryDetector"
+ },
+ {
+ "name": "AWSKeyDetector"
+ },
+ {
+ "name": "AzureStorageKeyDetector"
+ },
+ {
+ "name": "Base64HighEntropyString",
+ "limit": 4.5
+ },
+ {
+ "name": "BasicAuthDetector"
+ },
+ {
+ "name": "CloudantDetector"
+ },
+ {
+ "name": "DiscordBotTokenDetector"
+ },
+ {
+ "name": "GitHubTokenDetector"
+ },
+ {
+ "name": "HexHighEntropyString",
+ "limit": 3.0
+ },
+ {
+ "name": "IbmCloudIamDetector"
+ },
+ {
+ "name": "IbmCosHmacDetector"
+ },
+ {
+ "name": "JwtTokenDetector"
+ },
+ {
+ "name": "KeywordDetector",
+ "keyword_exclude": ""
+ },
+ {
+ "name": "MailchimpDetector"
+ },
+ {
+ "name": "NpmDetector"
+ },
+ {
+ "name": "PrivateKeyDetector"
+ },
+ {
+ "name": "SendGridDetector"
+ },
+ {
+ "name": "SlackDetector"
+ },
+ {
+ "name": "SoftlayerDetector"
+ },
+ {
+ "name": "SquareOAuthDetector"
+ },
+ {
+ "name": "StripeDetector"
+ },
+ {
+ "name": "TwilioKeyDetector"
+ }
+ ],
+ "filters_used": [
+ {
+ "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
+ },
+ {
+ "path": "detect_secrets.filters.common.is_baseline_file",
+ "filename": ".secrets.baseline"
+ },
+ {
+ "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
+ "min_level": 2
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_indirect_reference"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_likely_id_string"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_lock_file"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_potential_uuid"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_sequential_string"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_swagger_file"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_templated_secret"
+ },
+ {
+ "path": "detect_secrets.filters.regex.should_exclude_file",
+ "pattern": [
+ "poetry.lock|pnpm-lock.yaml"
+ ]
+ }
+ ],
+ "results": {
+ ".github/workflows/test.yml": [
+ {
+ "type": "Secret Keyword",
+ "filename": ".github/workflows/test.yml",
+ "hashed_secret": "3e26d6750975d678acb8fa35a0f69237881576b0",
+ "is_verified": false,
+ "line_number": 40,
+ "is_secret": false
+ }
+ ],
+ "README.md": [
+ {
+ "type": "Base64 High Entropy String",
+ "filename": "README.md",
+ "hashed_secret": "d22831678caaab1c0cc4b6ae73b2a0866be11a92",
+ "is_verified": false,
+ "line_number": 171,
+ "is_secret": false
+ }
+ ]
+ },
+ "generated_at": "2024-02-16T10:25:06Z"
+}