Skip to content

Commit

Permalink
Added detect-secrets script to workflow
Browse files Browse the repository at this point in the history
Signed-off-by: Aashir Siddiqui <[email protected]>
  • Loading branch information
aashir21 committed Nov 26, 2024
1 parent f15a706 commit bbc0819
Show file tree
Hide file tree
Showing 4 changed files with 329 additions and 1 deletion.
6 changes: 6 additions & 0 deletions .github/workflows/pr-build.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,12 @@ jobs:
run: |
echo $GITHUB_SHA > ./inttests.githash
- name: Turn script into an executable
run: chmod +x detect-secrets.sh

- name: Run the detect secrets script
run: ./detect-secrets.sh

- name: Setup Gradle
uses: gradle/actions/setup-gradle@v3
with:
Expand Down
84 changes: 84 additions & 0 deletions .secrets.baseline
Original file line number Diff line number Diff line change
@@ -0,0 +1,84 @@
{
"exclude": {
"files": "^.secrets.baseline$",
"lines": null
},
"plugins_used": [
{
"name": "AWSKeyDetector"
},
{
"name": "ArtifactoryDetector"
},
{
"name": "AzureStorageKeyDetector"
},
{
"base64_limit": 4.5,
"name": "Base64HighEntropyString"
},
{
"name": "BasicAuthDetector"
},
{
"name": "BoxDetector"
},
{
"name": "CloudantDetector"
},
{
"ghe_instance": "github.ibm.com",
"name": "GheDetector"
},
{
"name": "GitHubTokenDetector"
},
{
"hex_limit": 3,
"name": "HexHighEntropyString"
},
{
"name": "IbmCloudIamDetector"
},
{
"name": "IbmCosHmacDetector"
},
{
"name": "JwtTokenDetector"
},
{
"keyword_exclude": null,
"name": "KeywordDetector"
},
{
"name": "MailchimpDetector"
},
{
"name": "NpmDetector"
},
{
"name": "PrivateKeyDetector"
},
{
"name": "SlackDetector"
},
{
"name": "SoftlayerDetector"
},
{
"name": "SquareOAuthDetector"
},
{
"name": "StripeDetector"
},
{
"name": "TwilioKeyDetector"
}
],
"results": {},
"version": "0.13.1+ibm.62.dss",
"word_list": {
"file": null,
"hash": null
}
}
4 changes: 3 additions & 1 deletion build-locally.sh
Original file line number Diff line number Diff line change
Expand Up @@ -156,4 +156,6 @@ function build_obr {

mkdir -p $BASEDIR/temp
gradle_build
build_obr
build_obr

${BASEDIR}/detect-secrets.sh
236 changes: 236 additions & 0 deletions detect-secrets.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,236 @@
#!/usr/bin/env bash

#
# Copyright contributors to the Galasa project
#
# SPDX-License-Identifier: EPL-2.0
#

#-----------------------------------------------------------------------------------------
#
# Objectives: Detect secrets in every repo in galasa, this will prevent commiting any
# secrets to Github. If it finds any secrets, build should fail!
#
#-----------------------------------------------------------------------------------------

# Where is this script executing from ?
BASEDIR=$(dirname "$0")
pushd $BASEDIR 2>&1 >>/dev/null
BASEDIR=$(pwd)
popd 2>&1 >>/dev/null
# echo "Running from directory ${BASEDIR}"
export ORIGINAL_DIR=$(pwd)
# cd "${BASEDIR}"

cd "${BASEDIR}"
REPO_ROOT=$(pwd)

#-----------------------------------------------------------------------------------------
#
# Set Colors
#
#-----------------------------------------------------------------------------------------
bold=$(tput bold)
underline=$(tput sgr 0 1)
reset=$(tput sgr0)
red=$(tput setaf 1)
green=$(tput setaf 76)
white=$(tput setaf 7)
tan=$(tput setaf 202)
blue=$(tput setaf 25)

#-----------------------------------------------------------------------------------------
#
# Headers and Logging
#
#-----------------------------------------------------------------------------------------
underline() { printf "${underline}${bold}%s${reset}\n" "$@"; }
h1() { printf "\n${underline}${bold}${blue}%s${reset}\n" "$@"; }
h2() { printf "\n${underline}${bold}${white}%s${reset}\n" "$@"; }
debug() { printf "${white}[.] %s${reset}\n" "$@"; }
info() { printf "${white}[➜] %s${reset}\n" "$@"; }
success() { printf "${white}[${green}${white}] ${green}%s${reset}\n" "$@"; }
error() { printf "${white}[${red}${white}] ${red}%s${reset}\n" "$@"; }
warn() { printf "${white}[${tan}${white}] ${tan}%s${reset}\n" "$@"; }
bold() { printf "${bold}%s${reset}\n" "$@"; }
note() { printf "\n${underline}${bold}${blue}Note:${reset} ${blue}%s${reset}\n" "$@"; }

#-----------------------------------------------------------------------------------------
# Functions
#-----------------------------------------------------------------------------------------

function usage {
info "Syntax: detect-secrets.sh [OPTIONS]"
cat <<EOF
Options are:
-h | --help : Display this help text
EOF
}

function check_exit_code() {
# This function takes 2 parameters in the form:
# $1 an integer value of the returned exit code
# $2 an error message to display if $1 is not equal to 0
if [[ "$1" != "0" ]]; then
error "$2"
exit 1
fi
}

function check_if_python3_is_installed() {

h2 "Checking if python3 is installed"

if command -v python3 &>/dev/null; then
success "Python3 is already installed."
else
error "Please install Python3 to conitnue."
exit 1
fi
}

# Function to check if pip3 is installed
check_pip3_installed() {

h2 "Checking if pip3 is installed"

if ! command -v pip3 &> /dev/null; then
error "pip3 is not installed. Please install it to proceed."
exit 1
else
success "pip3 is installed."
fi
}

function check_if_detect_secrets_is_installed() {
h2 "Checking if detect-secrets is installed"

# Check if detect-secrets is installed in the virtual environment
if command -v detect-secrets &> /dev/null; then
info "detect-secrets is already installed."
else
info "detect-secrets is not installed. Installing now..."

# Install detect-secrets from IBM GitHub repository
pip3 install --upgrade "git+https://github.com/ibm/detect-secrets.git@master#egg=detect-secrets"

# Verify if the installation was successful
if command -v detect-secrets &> /dev/null; then
info "detect-secrets was installed correctly"
else
error "Failed to install detect-secrets"
deactivate
exit 1
fi
fi

success "OK"
}

function check_if_pre_commit_hook_is_installed() {

h2 "Checking if pre-commit hook is installed"

if command -v pre-commit &> /dev/null; then
info "pre-commit hook is already installed."
else
info "pre-commit hook is not installed. Installing now..."

# Install pre-commit hook
pip3 install pre-commit

if command -v pre-commit &> /dev/null; then
info "pre-commit hook was installed correctly"
info "Activating pre commit hook"
pre-commit install
else
error "Failed to install pre-commit hook"
exit 1
fi
fi

success "OK"
}

function remove_timestamp_from_secrets_baseline() {
h2 "Removing the timestamp from the secrets baseline file so it doesn't always cause a git change."

mkdir -p ${BASEDIR}/temp
rc=$?
check_exit_code $rc "Failed to create a temporary folder"

cat ${baseline_file} | grep -v "generated_at" >${BASEDIR}/temp/.secrets.baseline.temp
rc=$?
check_exit_code $rc "Failed to create a temporary file with no timestamp inside"

mv ${BASEDIR}/temp/.secrets.baseline.temp $1
rc=$?
check_exit_code $rc "Failed to overwrite the secrets baseline with one containing no timestamp inside."

success "secrets baseline timestamp content has been removed ok"
}

function check_secrets {
h2 "updating secrets baseline"
cd $REPO_ROOT
baseline_file=".secrets.baseline"

cmd="detect-secrets scan --update ${baseline_file}"
info "Running command $cmd"
$cmd
rc=$?
check_exit_code $rc "Failed to run detect-secrets. Please check it is installed properly"
success "updated secrets file"

h2 "running audit for secrets"
cmd="detect-secrets audit ${baseline_file}"
info "Running command $cmd"
$cmd
rc=$?
check_exit_code $rc "Failed to audit detect-secrets."

#Check all secrets have been audited
secrets=$(grep -c hashed_secret ${baseline_file})
audits=$(grep -c is_secret ${baseline_file})
if [[ "$secrets" != "$audits" ]]; then
error "Not all secrets found have been audited"
exit 1
fi

remove_timestamp_from_secrets_baseline ${baseline_file}

success "secrets audit complete"

}

#-----------------------------------------------------------------------------------------
# Process parameters
#-----------------------------------------------------------------------------------------

while [ "$1" != "" ]; do
case $1 in
-h | --help)
usage
exit
;;

*)
error "Unexpected argument $1"
usage
exit 1
;;
esac
shift
done

#-----------------------------------------------------------------------------------------
# Main logic.
#-----------------------------------------------------------------------------------------

h1 "Starting search in repos to detect secrets"
check_if_python3_is_installed
check_pip3_installed
check_if_detect_secrets_is_installed
check_if_pre_commit_hook_is_installed

check_secrets

0 comments on commit bbc0819

Please sign in to comment.