chore(LH-71029): Add gitleaks to protect against hardcoded secrets (#67)

* chore(lh-71029): add gitleaks pre-commit configuration, and install it as a Git hook * ci(lh-71029): add gitleaks to Github Actions * docs(lh-71029): add notes on Gitleaks license * ci(lh-71029): add gitleaks license
CiscoDevNet · Sep 29, 2023 · 17fec15 · 17fec15
1 parent e0b12ab
commit 17fec15
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 1 deletion.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -41,7 +41,17 @@ jobs:
           version: latest
           working-directory: provider
           skip-pkg-cache: true
-
+  scan-for-secrets:
+    name: Scan for Secrets
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}}
   generate:
     name: Generate
     runs-on: ubuntu-latest

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,5 @@
+repos:
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.18.0
+    hooks:
+      - id: gitleaks
diff --git a/README.md b/README.md
@@ -21,6 +21,28 @@ Eventually the client will be moved to its own repo, but in the interest of hitt
 * tfenv 
   - macos install: `brew install tfenv`
 
+### Gitleaks
+
+We use [Gitleaks](https://github.com/gitleaks/gitleaks) to catch secrets being committed to the repository by accident. The first line of defense is before you ever push to GitHub using a pre-commit hook.
+
+Please enable the pre-commit hook before you commit anything to this repository, even in a branch.
+
+- Install `pre-commit`
+```
+brew install pre-commit
+```
+- Update the pre-commit configuration:
+```
+pre-commit autoupdate
+```
+- Install the pre-commit configuration as a pre-commit hook to your local Git repo:
+```
+pre-commit install
+```
+
+Now any commits you make will be scanned by Gitleaks
+
+
 ## Acceptance Tests
 
 **Acceptance tests will create real resources!**
@@ -123,3 +145,7 @@ To release a new version of the Terraform CDO Provider, perform the following st
   provider hashicorp/CiscoDevnet/cdo: required by this configuration but no version is selected
   ```
   - This means you have not setup the dev override properly, make sure your `~/.terraformrc` has the right override for the provider in question.
+
+## Gitleaks License
+
+The Gitleaks License is free, and stored in the `GITLEAKS_LICENSE` secret. In addition, it is saved to [Conjur](https://secrets.cisco.com/conjur/nonprod/eng/cdo/gitleaks-license). Speak to Jay, Doron, Siddhu, or Pedro to access it.