Added secret scanning to repo

sovity · Dec 6, 2022 · ae81681 · ae81681
1 parent b084a28
commit ae81681
Show file tree

Hide file tree

Showing 4 changed files with 186 additions and 0 deletions.
diff --git a/.github/workflows/secret_scan.yml b/.github/workflows/secret_scan.yml
@@ -0,0 +1,25 @@
+name: Scan for secrets
+
+on:
+  push:
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  code-security-scan:
+    name: Code Security Scan
+    runs-on: ubuntu-20.04
+    strategy:
+      fail-fast: false
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+      - name: Run vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          exit-code: '1'
+          ignore-unfixed: true
+          security-checks: secret
diff --git a/.pre-commit-README.md b/.pre-commit-README.md
@@ -0,0 +1,23 @@
+# Pre-Commit-Hook
+The defined pre-commit-hook prevents committing passwords to the repository. In case a password is detected
+git commit fails.
+
+## Install pre-commit
+1. Install pre-commit-hook tool
+   `$ pip install pre-commit`
+
+## Enable secret-scanning pre-commit hook
+1. Update pre-commit-hook
+   `$ pre-commit autoupdate`
+2. Enable defined pre-commit-hook
+   `$ pre-commit install`
+
+## On repository initialization of pre-commit hook with detect-secrets
+If no `.secrets.baseline` is present, simply generate it:
+1. `$ detect-secrets scan --disable-plugin KeywordDetector --disable-plugin AWSKeyDetector > .secrets.baseline`
+2. Use Notepad++ or IntelliJ-Editor to convert `.secrets.baseline` to UTF-8
+
+## Add false-positives or force adding secrets
+1. `$ detect-secrets scan --baseline .secrets.baseline`
+2. If secrets are identified, add them to .secrets.baseline manually
+   For more details see: https://github.com/Yelp/detect-secrets#adding-secrets-to-baseline
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,7 @@
+repos:
+  -   repo: https://github.com/Yelp/detect-secrets
+      rev: v1.4.0
+      hooks:
+        -   id: detect-secrets
+            args: ['--baseline', '.secrets.baseline']
+            exclude: package.lock.json
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -0,0 +1,131 @@
+{
+  "version": "1.4.0",
+  "plugins_used": [
+    {
+      "name": "ArtifactoryDetector"
+    },
+    {
+      "name": "AzureStorageKeyDetector"
+    },
+    {
+      "name": "Base64HighEntropyString",
+      "limit": 4.5
+    },
+    {
+      "name": "BasicAuthDetector"
+    },
+    {
+      "name": "CloudantDetector"
+    },
+    {
+      "name": "DiscordBotTokenDetector"
+    },
+    {
+      "name": "GitHubTokenDetector"
+    },
+    {
+      "name": "HexHighEntropyString",
+      "limit": 3.0
+    },
+    {
+      "name": "IbmCloudIamDetector"
+    },
+    {
+      "name": "IbmCosHmacDetector"
+    },
+    {
+      "name": "JwtTokenDetector"
+    },
+    {
+      "name": "MailchimpDetector"
+    },
+    {
+      "name": "NpmDetector"
+    },
+    {
+      "name": "PrivateKeyDetector"
+    },
+    {
+      "name": "SendGridDetector"
+    },
+    {
+      "name": "SlackDetector"
+    },
+    {
+      "name": "SoftlayerDetector"
+    },
+    {
+      "name": "SquareOAuthDetector"
+    },
+    {
+      "name": "StripeDetector"
+    },
+    {
+      "name": "TwilioKeyDetector"
+    }
+  ],
+  "filters_used": [
+    {
+      "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
+    },
+    {
+      "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
+      "min_level": 2
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_indirect_reference"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_likely_id_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_lock_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_potential_uuid"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_sequential_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_swagger_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_templated_secret"
+    }
+  ],
+  "results": {
+    "terraform\\terraform.tfstate.backup": [
+      {
+        "type": "Base64 High Entropy String",
+        "filename": "terraform\\terraform.tfstate.backup",
+        "hashed_secret": "d9382ccd310be3886186f889ecf94f3994eb9529",
+        "is_verified": false,
+        "line_number": 101
+      },
+      {
+        "type": "Base64 High Entropy String",
+        "filename": "terraform\\terraform.tfstate.backup",
+        "hashed_secret": "2803e1c27bcb762d1877c3c2b286a7aa1bd0d55c",
+        "is_verified": false,
+        "line_number": 118
+      }
+    ],
+    "terraform\\terraform.tfvars": [
+      {
+        "type": "Base64 High Entropy String",
+        "filename": "terraform\\terraform.tfvars",
+        "hashed_secret": "d9382ccd310be3886186f889ecf94f3994eb9529",
+        "is_verified": false,
+        "line_number": 1
+      }
+    ]
+  },
+  "generated_at": "2022-12-06T12:00:42Z"
+}