From ae816819de4ee61b506ca6e88fd0383c275ad2d1 Mon Sep 17 00:00:00 2001
From: AnurosePrakash
Date: Tue, 6 Dec 2022 13:02:47 +0100
Subject: [PATCH] Added secret scanning to repo

---
 .github/workflows/secret_scan.yml | 25 ++++++
 .pre-commit-README.md | 23 ++++++
 .pre-commit-config.yaml | 7 ++
 .secrets.baseline | 131 ++++++++++++++++++++++++++++++
 4 files changed, 186 insertions(+)
 create mode 100644 .github/workflows/secret_scan.yml
 create mode 100644 .pre-commit-README.md
 create mode 100644 .pre-commit-config.yaml
 create mode 100644 .secrets.baseline

diff --git a/.github/workflows/secret_scan.yml b/.github/workflows/secret_scan.yml
new file mode 100644
index 000000000..7011facd7
--- /dev/null
+++ b/.github/workflows/secret_scan.yml
@@ -0,0 +1,25 @@
+name: Scan for secrets
+
+on:
+  push:
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  code-security-scan:
+    name: Code Security Scan
+    runs-on: ubuntu-20.04
+    strategy:
+      fail-fast: false
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+      - name: Run vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          exit-code: '1'
+          ignore-unfixed: true
+          security-checks: secret
diff --git a/.pre-commit-README.md b/.pre-commit-README.md
new file mode 100644
index 000000000..b0058628a
--- /dev/null
+++ b/.pre-commit-README.md
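Review bot: `uses: aquasecurity/trivy-action@master` pins the scanner to a mutable branch, so the code this job runs against the checked-out repository changes whenever upstream pushes to master; for a gate that fails the build (`exit-code: '1'`) pin a release tag or, better, a full commit SHA, e.g. `uses: aquasecurity/trivy-action@<release-tag-or-commit-sha>`. The `env` block (`REGISTRY`, `IMAGE_NAME`) is not referenced by any step, and `ignore-unfixed: true` only affects vulnerability findings, not the `secret` check, so both can be dropped; the step name `Run vulnerability scanner` would then be better as `Run secret scanner`. With `on: push` alone, pull requests opened from forks are not scanned before merge, so a `pull_request` trigger is worth adding if this is meant to gate merges.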
@@ -0,0 +1,23 @@
+# Pre-Commit-Hook
+The defined pre-commit-hook prevents committing passwords to the repository. In case a password is detected
+git commit fails.
+
+## Install pre-commit
+1. Install pre-commit-hook tool
+ `$ pip install pre-commit`
+
+## Enable secret-scanning pre-commit hook
+1. Update pre-commit-hook
+ `$ pre-commit autoupdate`
+2. Enable defined pre-commit-hook
+ `$ pre-commit install`
+
+## On repository initialization of pre-commit hook with detect-secrets
+If no `.secrets.baseline` is present, simply generate it:
+1. `$ detect-secrets scan --disable-plugin KeywordDetector --disable-plugin AWSKeyDetector > .secrets.baseline`
+2. Use Notepad++ or IntelliJ-Editor to convert `.secrets.baseline` to UTF-8
+
+## Add false-positives or force adding secrets
+1. `$ detect-secrets scan --baseline .secrets.baseline`
+2. If secrets are identified, add them to .secrets.baseline manually
+ For more details see: https://github.com/Yelp/detect-secrets#adding-secrets-to-baseline
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 000000000..bb53d905a
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,7 @@
+repos:
+  - repo: https://github.com/Yelp/detect-secrets
+    rev: v1.4.0
+    hooks:
+      - id: detect-secrets
+        args: ['--baseline', '.secrets.baseline']
+        exclude: package.lock.json
diff --git a/.secrets.baseline b/.secrets.baseline
new file mode 100644
index 000000000..aadd87dde
--- /dev/null
+++ b/.secrets.baseline
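Review bot: `exclude: package.lock.json` is a Python regular expression in pre-commit, and the file it evidently targets is npm's `package-lock.json`: it only matches that name because the unescaped `.` also matches the `-`, and it equally matches any other path containing `package`, `lock` and `json` separated by single characters. Write the intended name with the dot escaped, and anchor it if only the root lockfile is meant, `exclude: ^package-lock\.json$`. The `is_lock_file` filter listed in `.secrets.baseline` should already make detect-secrets skip lockfiles, so the exclude may be redundant altogether.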
@@ -0,0 +1,131 @@
+{
+  "version": "1.4.0",
+  "plugins_used": [
+    {
+      "name": "ArtifactoryDetector"
+    },
+    {
+      "name": "AzureStorageKeyDetector"
+    },
+    {
+      "name": "Base64HighEntropyString",
+      "limit": 4.5
+    },
+    {
+      "name": "BasicAuthDetector"
+    },
+    {
+      "name": "CloudantDetector"
+    },
+    {
+      "name": "DiscordBotTokenDetector"
+    },
+    {
+      "name": "GitHubTokenDetector"
+    },
+    {
+      "name": "HexHighEntropyString",
+      "limit": 3.0
+    },
+    {
+      "name": "IbmCloudIamDetector"
+    },
+    {
+      "name": "IbmCosHmacDetector"
+    },
+    {
+      "name": "JwtTokenDetector"
+    },
+    {
+      "name": "MailchimpDetector"
+    },
+    {
+      "name": "NpmDetector"
+    },
+    {
+      "name": "PrivateKeyDetector"
+    },
+    {
+      "name": "SendGridDetector"
+    },
+    {
+      "name": "SlackDetector"
+    },
+    {
+      "name": "SoftlayerDetector"
+    },
+    {
+      "name": "SquareOAuthDetector"
+    },
+    {
+      "name": "StripeDetector"
+    },
+    {
+      "name": "TwilioKeyDetector"
+    }
+  ],
+  "filters_used": [
+    {
+      "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
+    },
+    {
+      "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
+      "min_level": 2
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_indirect_reference"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_likely_id_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_lock_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_potential_uuid"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_sequential_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_swagger_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_templated_secret"
+    }
+  ],
+  "results": {
+    "terraform\\terraform.tfstate.backup": [
+      {
+        "type": "Base64 High Entropy String",
+        "filename": "terraform\\terraform.tfstate.backup",
+        "hashed_secret": "d9382ccd310be3886186f889ecf94f3994eb9529",
+        "is_verified": false,
+        "line_number": 101
+      },
+      {
+        "type": "Base64 High Entropy String",
+        "filename": "terraform\\terraform.tfstate.backup",
+        "hashed_secret": "2803e1c27bcb762d1877c3c2b286a7aa1bd0d55c",
+        "is_verified": false,
+        "line_number": 118
+      }
+    ],
+    "terraform\\terraform.tfvars": [
+      {
+        "type": "Base64 High Entropy String",
+        "filename": "terraform\\terraform.tfvars",
+        "hashed_secret": "d9382ccd310be3886186f889ecf94f3994eb9529",
+        "is_verified": false,
+        "line_number": 1
+      }
+    ]
+  },
+  "generated_at": "2022-12-06T12:00:42Z"
+}
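Review bot: The `results` keys use Windows path separators (`terraform\\terraform.tfstate.backup`, `terraform\\terraform.tfvars`), so on a Linux or macOS checkout detect-secrets will most likely report the same strings under `terraform/...`, which does not match the baselined key, and the hook will fail instead of treating them as known; regenerate the baseline on a POSIX path or normalise the keys to forward slashes. The three entries are also unaudited (`"is_verified": false` and no `is_secret` field): a `.tfstate.backup` and a `.tfvars` are exactly where live credentials end up, and the same hash `d9382ccd…` appears in both files, so committing this baseline allowlists that value for every future scan. Run `detect-secrets audit .secrets.baseline` to record a decision per entry, and if any of them is a real credential, rotate it and remove the file from the repository rather than keeping it baselined. The plugin list additionally omits `AWSKeyDetector` and `KeywordDetector`, which the README's generation command disables, so AWS access keys and `password =`-style assignments in the terraform files would go undetected by the pre-commit hook.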