Merge pull request #963 from serverhorror/feature/enable-secret-scanning
Provide secret scanning for local setup
gerardcl authored Nov 16, 2023
2 parents d46f6da + 4d4bc22 commit 832c9d8
Showing 38 changed files with 159 additions and 4 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
# Changelog

### Added
- Added secret scanning in docker plain ([#963](https://github.com/opendevstack/ods-quickstarters/pull/963))

### Modified

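Review bot: the changelog entry on the `+` line understates the scope of this change: the diff adds the gitleaks pre-commit configuration to many quickstarters (be-*, ds-*, e2e-*, fe-*, inf-*), not only docker plain, and also renames the "Jenkins agent used" heading in the two terraform pages. Suggest wording such as `- Added gitleaks secret scanning (pre-commit hook) to all quickstarters ([#963](https://github.com/opendevstack/ods-quickstarters/pull/963))` so users of the other quickstarters can find the change.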
5 changes: 5 additions & 0 deletions be-fe-mono-repo-plain/files/.pre-commit-config.yaml
@@ -0,0 +1,5 @@
repos:
- repo: https://github.com/gitleaks/gitleaks
rev: v8.16.1
hooks:
- id: gitleaks
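Review bot: this identical five-line config is copied into every quickstarter's `files/` directory with the gitleaks version pinned to `v8.16.1`, so every future version bump has to touch each copy and the copies can drift apart; consider generating or syncing the file from one shared source, or at least adding a comment that states where the canonical copy lives. The pin itself is the right choice and should stay a tag, not a branch name.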
5 changes: 5 additions & 0 deletions be-gateway-nginx/files/.pre-commit-config.yaml
@@ -0,0 +1,5 @@
repos:
- repo: https://github.com/gitleaks/gitleaks
rev: v8.16.1
hooks:
- id: gitleaks
5 changes: 5 additions & 0 deletions be-golang-plain/files/.pre-commit-config.yaml
@@ -0,0 +1,5 @@
repos:
- repo: https://github.com/gitleaks/gitleaks
rev: v8.16.1
hooks:
- id: gitleaks
5 changes: 5 additions & 0 deletions be-java-springboot/files/.pre-commit-config.yaml
@@ -0,0 +1,5 @@
repos:
- repo: https://github.com/gitleaks/gitleaks
rev: v8.16.1
hooks:
- id: gitleaks
5 changes: 5 additions & 0 deletions be-python-flask/files/.pre-commit-config.yaml
@@ -0,0 +1,5 @@
repos:
- repo: https://github.com/gitleaks/gitleaks
rev: v8.16.1
hooks:
- id: gitleaks
5 changes: 5 additions & 0 deletions be-scala-play/files/.pre-commit-config.yaml
@@ -0,0 +1,5 @@
repos:
- repo: https://github.com/gitleaks/gitleaks
rev: v8.16.1
hooks:
- id: gitleaks
5 changes: 5 additions & 0 deletions be-typescript-express/files/.pre-commit-config.yaml
@@ -0,0 +1,5 @@
repos:
- repo: https://github.com/gitleaks/gitleaks
rev: v8.16.1
hooks:
- id: gitleaks
5 changes: 5 additions & 0 deletions docker-plain/files/.pre-commit-config.yaml
@@ -0,0 +1,5 @@
repos:
- repo: https://github.com/gitleaks/gitleaks
rev: v8.16.1
hooks:
- id: gitleaks
3 changes: 3 additions & 0 deletions docs/modules/quickstarters/pages/be-gateway-nginx.adoc
Expand Up @@ -14,6 +14,7 @@ Use this quickstarter when you want to use https://www.nginx.org[nginx] server w
│ ├── entrypoint.sh - Enables runtime configurations and runs openresty
│ └── nginx.conf - The nginx configuration
├── Jenkinsfile - Contains Jenkins build configuration
├── .pre-commit-config.yaml
├── metadata.yml - Component metadata
└── release-manager.yml - Configuration file for the Release Manager
----
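Review bot: `.pre-commit-config.yaml` is the only entry in this tree listing without a description, while its neighbours carry one (`Jenkinsfile - Contains Jenkins build configuration`); suggest `├── .pre-commit-config.yaml - pre-commit hooks, runs gitleaks secret scanning before each commit`. The same applies to the tree listing added to every other page in this PR.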
Expand Down Expand Up @@ -122,6 +123,8 @@ There are two steps:
* Build the container image.
* Deploy.

include::partial$secret-scanning-with-gitleaks.adoc

== Builder agent used

This quickstarter uses https://github.com/opendevstack/ods-core/tree/master/jenkins/agent-base[jenkins-agent-base]
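Review bot: `include::partial$secret-scanning-with-gitleaks.adoc` is missing the trailing `[]` that AsciiDoc requires for an include directive; without it Asciidoctor does not recognise the line as a directive and renders it as literal text, so the partial will not appear on the page. Change it to `include::partial$secret-scanning-with-gitleaks.adoc[]` here and on the same line in every other page touched by this PR.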
3 changes: 3 additions & 0 deletions docs/modules/quickstarters/pages/be-golang-plain.adoc
Expand Up @@ -9,6 +9,7 @@ suited for CLI tools, network/operational related things and microservices.

----
├── Jenkinsfile - Contains Jenkins build configuration
├── .pre-commit-config.yaml
├── README.md
├── docker - Contains Dockerfile for the build
│ └── Dockerfile
Expand Down Expand Up @@ -56,6 +57,8 @@ There are six steps:
* Build the container image.
* Deploy.

include::partial$secret-scanning-with-gitleaks.adoc

== Builder agent used

This quickstarter uses
2 changes: 2 additions & 0 deletions docs/modules/quickstarters/pages/be-java-springboot.adoc
Expand Up @@ -134,6 +134,8 @@ comment on line `stageUploadToNexus` in `Jenkinsfile`
NOTE: The 2nd step executes `gradlew build` to compile your project and create a distribution as `jar` file.
This file is copied to the `docker` folder to be included in the docker image when the image is built in step 5.

include::partial$secret-scanning-with-gitleaks.adoc

== Builder agent used

This quickstarter uses the
3 changes: 3 additions & 0 deletions docs/modules/quickstarters/pages/be-python-flask.adoc
Expand Up @@ -14,6 +14,7 @@ It contains the basic setup for Docker, Jenkins, SonarQube and OpenShift.

----
├── Jenkinsfile - This file contains Jenkins build configuration settings
├── .pre-commit-config.yaml
├── README.md
├── docker - This folder contains Docker configuration settings
│ ├── Dockerfile
Expand Down Expand Up @@ -111,6 +112,8 @@ The Jenkinsfile is provisioned with this quick starter to ease CI/CD process. In

* *Build* - Builds the application: copies src folder into docker/dist folder.

include::partial$secret-scanning-with-gitleaks.adoc

== Builder agent used

This quickstarter uses https://github.com/opendevstack/ods-quickstarters/tree/master/common/jenkins-agents/python[Python] builder agent Jenkins builder agent.
3 changes: 3 additions & 0 deletions docs/modules/quickstarters/pages/be-scala-play.adoc
Expand Up @@ -13,6 +13,7 @@ An example Play Web Application is generated with a Controller and some tests.
----
.
├── Jenkinsfile
├── .pre-commit-config.yaml
├── app
│   ├── controllers
│   │   └── HomeController.scala
Expand Down Expand Up @@ -83,6 +84,8 @@ In Jenkinsfile, there are various stages

* stageBuild - checks source files formatting, runs the tests and builds and copies the artifacts for creating the docker image to the `docker` directory.

include::partial$secret-scanning-with-gitleaks.adoc

== Builder agent used

This quickstarter uses the
3 changes: 3 additions & 0 deletions docs/modules/quickstarters/pages/be-typescript-express.adoc
Expand Up @@ -12,6 +12,7 @@ The package json is generated by simply using `npm init -y`, while the tsconfig

----
├── Jenkinsfile - Contains Jenkins build configuration
├── .pre-commit-config.yaml
├── LICENSE
├── README.md
├── docker - Contains Dockerfile for the build
Expand Down Expand Up @@ -86,6 +87,8 @@ The build pipeline is defined in the `Jenkinsfile` in the project root. The main
. Build : `npm run build` command is executed to build the application and then the build is copied to the `docker/dist` folder.
. Unit Testing : `npm run test` command is executed for running unit tests and to generate coverage report. The results can be seen form the Jenkins console output.

include::partial$secret-scanning-with-gitleaks.adoc

== Builder agent used

This quickstarter uses https://github.com/opendevstack/ods-quickstarters/tree/master/common/jenkins-agents/nodejs18[Node.JS 18 builder agent] for Jenkins.
3 changes: 3 additions & 0 deletions docs/modules/quickstarters/pages/docker-plain.adoc
Expand Up @@ -10,6 +10,7 @@ or that you need to "OpenShiftify", by setting an (non-root) execution user, etc

----
├── Jenkinsfile - Contains Jenkins build configuration
├── .pre-commit-config.yaml
├── README.md
├── docker - Contains Dockerfile for the build
│ └── Dockerfile
Expand Down Expand Up @@ -75,6 +76,8 @@ Assuming your component contains source code you want to have delivered by the _

Feel free to look out for examples in our existing quickstarters, such as link:https://github.com/opendevstack/ods-quickstarters/blob/master/be-java-springboot[be-java-springboot].

include::partial$secret-scanning-with-gitleaks.adoc

== Builder agent used

none
3 changes: 3 additions & 0 deletions docs/modules/quickstarters/pages/ds-jupyter-lab.adoc
Expand Up @@ -9,6 +9,7 @@ Provision a shared Jupyter Lab within OpenShift for rapid prototyping of data sc
----
.
├── Jenkinsfile
├── .pre-commit-config.yaml
├── docker
│ ├── Dockerfile
│ ├── jupyter_lab_config.json
Expand Down Expand Up @@ -68,6 +69,8 @@ The build pipeline is defined in the `Jenkinsfile` in the project root. The main
. Start OpenShift build
. Deploy image to OpenShift

include::partial$secret-scanning-with-gitleaks.adoc

== Builder agent used

https://github.com/opendevstack/ods-core/tree/master/jenkins/agent-base[jenkins-agent-base]
3 changes: 3 additions & 0 deletions docs/modules/quickstarters/pages/ds-rshiny.adoc
Expand Up @@ -9,6 +9,7 @@ Provisions a R Shiny application within OpenShift using OpenShift OAuth.
----
.
├── Jenkinsfile - This file contains Jenkins build configuration settings
├── .pre-commit-config.yaml
├── docker - This folder contains Docker configuration settings and main R Shiny app
│ ├── Dockerfile
│ └── app.R
Expand Down Expand Up @@ -47,6 +48,8 @@ The build pipeline is defined in the `Jenkinsfile` in the project root. The main
. Start OpenShift build
. Deploy image to OpenShift

include::partial$secret-scanning-with-gitleaks.adoc

== Builder agent used

https://github.com/opendevstack/ods-core/tree/master/jenkins/agent-base[jenkins-agent-base]
3 changes: 3 additions & 0 deletions docs/modules/quickstarters/pages/ds-streamlit.adoc
Expand Up @@ -9,6 +9,7 @@ Provisions a streamlit based dashboard with authentication.
----
.
├── Jenkinsfile
├── .pre-commit-config.yaml
├── docker_streamlit
│ └── Dockerfile
├── docker_oauth
Expand Down Expand Up @@ -95,6 +96,8 @@ In order to be sure that your code passes the linting stage execute or add it as

* *Build* - Builds the application: copies src folder into docker_streamlit/dist folder.

include::partial$secret-scanning-with-gitleaks.adoc

== Builder agent used

This quickstarter uses https://github.com/opendevstack/ods-quickstarters/tree/master/common/jenkins-agents/python[Python] builder agent Jenkins builder agent.
3 changes: 3 additions & 0 deletions docs/modules/quickstarters/pages/e2e-cypress.adoc
Expand Up @@ -33,6 +33,7 @@ This is a Cypress end-to-end testing project quickstarter with basic setup for h
├── cypress.env.json.template
├── cypress.json
├── Jenkinsfile
├── .pre-commit-config.yaml
├── metadata.yml - Component metadata
│── package.json
├── README.md
Expand Down Expand Up @@ -123,6 +124,8 @@ if (context.gitBranch == 'master' || context.gitBranch.startsWith('release/')) {

You can find more information about using the Cypress Cloud in the official documentation for Cypress https://docs.cypress.io/guides/cloud/introduction.

include::partial$secret-scanning-with-gitleaks.adoc

== Builder agent used

This quickstarter uses
3 changes: 3 additions & 0 deletions docs/modules/quickstarters/pages/e2e-spock-geb.adoc
Expand Up @@ -11,6 +11,7 @@ This is a spock, geb and unirest e2e testing project quickstarter with basic set
----
.
├── Jenkinsfile
├── .pre-commit-config.yaml
├── README.md
├── sonar-project.properties
├── src
Expand Down Expand Up @@ -133,6 +134,8 @@ In Jenkinsfile.template, there is the following stage:

All the results are stashed and published through Jenkins jUnit publisher.

include::partial$secret-scanning-with-gitleaks.adoc

== Builder agent used

This quickstarter uses the
3 changes: 3 additions & 0 deletions docs/modules/quickstarters/pages/fe-angular.adoc
Expand Up @@ -11,6 +11,7 @@ User this is a Angular project quickstarter if you want to build a frontend. It
----
.
├── Jenkinsfile - This file contains Jenkins build configuration settings
├── .pre-commit-config.yaml
├── README.md
├── angular.json - This file contains Angular project configuration settings
├── browserslist - This file is used by the build system to adjust CSS and JS output to support the specified browsers
Expand Down Expand Up @@ -86,6 +87,8 @@ Please note: By default the applciation is always build as full production build

Please note: The support for *TSLint* has been removed from this quickstarter. Also Angular is not shipping a linter by default anymore. Please consider adding *ESLint* support or a formatter like *Prettier*. For adding ESLint simply type `ng add @angular-eslint/schematics`. For setting up Prettier please see https://prettier.io/docs/en/install.html.

include::partial$secret-scanning-with-gitleaks.adoc

== Builder agent used

This quickstarter uses https://github.com/opendevstack/ods-quickstarters/tree/master/common/jenkins-agents/nodejs18[Node.js 18 builder agent] for Jenkins.
3 changes: 3 additions & 0 deletions docs/modules/quickstarters/pages/fe-ionic.adoc
Expand Up @@ -51,6 +51,7 @@ The files are generated using https://ionicframework.com/docs/cli/[Ionic CLI].
├── capacitor.config.xml - This file contains config settings for your mobile app, like package name and native preferences
├── ionic.config.json - This file contains Ionic project configuration
├── Jenkinsfile - This file contains Jenkins build configuration settings
├── .pre-commit-config.yaml
├── karma.conf.js
├── metadata.yml - Component metadata
├── package.json - This file contains scripts to run and node packages dependencies for project
Expand Down Expand Up @@ -114,6 +115,8 @@ Unit Test:: Runs unit test cases by executing `npm run test` command. If any tes
Lint:: Profiler that ensures code best practices by running `npm run lint` command, if linting is not passing, the build is marked as failed also.
SonarQube Analysis:: Triggers a code quality analysis by transfering code and test coverage analysis data to SonarQube. By default files like `*.spec.ts`, `*.modules.ts` and `./src/environments/**` are excluded from the analysis, since they usually don't contain application logic. Please revisit `sonar-project.properties` to configure analysis inclusions and exclusions according to your project's needs.

include::partial$secret-scanning-with-gitleaks.adoc

== Builder agent used

This quickstarter uses https://github.com/opendevstack/ods-quickstarters/tree/master/common/jenkins-agents/nodejs16[Node.js 16 builder agent] for Jenkins.
5 changes: 4 additions & 1 deletion docs/modules/quickstarters/pages/inf-terraform-aws.adoc
Expand Up @@ -14,6 +14,7 @@ The quickstarter includes kitchen-terraform with InSpec / cinc-auditor for testi

----
├── Jenkinsfile - This file contains Jenkins stages.
├── .pre-commit-config.yaml
├── README.md
├── environments
│ ├── dev.json - This file describes parameters for the development AWS environment.
Expand Down Expand Up @@ -42,7 +43,9 @@ Inject preferred tags into common-tags.tf, add/remove resources needed to main.t

The Jenkinsfile is provisioned with this quick starter to ease CI/CD process. In Jenkinsfile, there are various stages.

== Jenkins agent used
include::partial$secret-scanning-with-gitleaks.adoc

== Builder agent used

This quickstarter uses https://github.com/opendevstack/ods-quickstarters/tree/master/common/jenkins-agents/terraform[terraform] Jenkins agent.

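Review bot: besides adding the include, this hunk silently renames the heading `== Jenkins agent used` to `== Builder agent used` (the same happens in inf-terraform-azure.adoc). That aligns the two terraform pages with the other quickstarter pages, but it also changes the generated section anchor, so existing links to the old anchor will break; mention the rename in the PR description and CHANGELOG, or keep the old anchor with an explicit id on the heading.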
5 changes: 4 additions & 1 deletion docs/modules/quickstarters/pages/inf-terraform-azure.adoc
Expand Up @@ -14,6 +14,7 @@ The quickstarter includes kitchen-terraform with Chef InSpec / cinc-auditor for

----
├── Jenkinsfile - This file contains Jenkins stages.
├── .pre-commit-config.yaml
├── README.md
├── environments
│ ├── dev.tfbackend.config - This file describes terraform backend parameters in the dev Azure subscription.
Expand Down Expand Up @@ -48,7 +49,9 @@ Inject preferred tags into common-tags.tf, add/remove resources needed to main.t

The Jenkinsfile is provisioned with this quickstarter to ease CI/CD process. In Jenkinsfile, there are various stages.

== Jenkins agent used
include::partial$secret-scanning-with-gitleaks.adoc

== Builder agent used

This quickstarter uses https://github.com/opendevstack/ods-quickstarters/tree/master/common/jenkins-agents/terraform[terraform] Jenkins agent.

3 changes: 3 additions & 0 deletions docs/modules/quickstarters/pages/release-manager.adoc
Expand Up @@ -8,6 +8,7 @@ The release manager supports the orchestration of multiple repositories into a l
.
├── docs # Fall-back document chapter templates for (LeVA) compliance reports.
├── Jenkinsfile # The release manager pipeline.
├── .pre-commit-config.yaml
├── README.md
└── metadata.yml # Configuration of the release manager pipeline and its repositories.
----
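Review bot: this listing documents every entry with a `#` comment (`├── Jenkinsfile # The release manager pipeline.`), but the added `.pre-commit-config.yaml` line has none; suggest `├── .pre-commit-config.yaml # pre-commit hooks (gitleaks secret scanning).` to keep the listing consistent.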
Expand Down Expand Up @@ -133,3 +134,5 @@ In this case, the release manager will fall back to the document chapter templat
=== Automated Cloning of Environments

If you want your _target environment_ to be created from an existing _source environment_ such as `dev` or `test` on the fly, you need to provide the `environment` and `sourceEnvironmentToClone` parameters to your pipeline, respectively. Their values will be combined with your project ID in the form `${project-id}-${environment}` to create the project (namespace) name in your OpenShift cluster.

include::partial$secret-scanning-with-gitleaks.adoc
@@ -0,0 +1,13 @@
== Secret scanning with gitleaks

This repository has a pre-commit hook that runs gitleaks on every commit.
To https://pre-commit.com/#install[install the hook], run:

```
pip install pre-commit
pre-commit
```

After this every commit will inform you about any secrets that are committed.

If you want to skip this check, use the `--no-verify` flag when committing.
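Review bot: the install snippet runs `pre-commit` with no arguments, which is the same as `pre-commit run`: it executes the hooks once against the currently staged files but does not install the git hook, so later commits will not be scanned as the following sentence claims. The second command should be `pre-commit install`. It would also help to state, since the PR title scopes this to the local setup, that the hook is a local developer check only, and that `--no-verify` bypasses the check without removing the secret from the commit, so a skipped scan does not make a committed secret safe to push.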
5 changes: 5 additions & 0 deletions ds-jupyter-lab/files/.pre-commit-config.yaml
@@ -0,0 +1,5 @@
repos:
- repo: https://github.com/gitleaks/gitleaks
rev: v8.16.1
hooks:
- id: gitleaks
5 changes: 5 additions & 0 deletions ds-rshiny/files/.pre-commit-config.yaml
@@ -0,0 +1,5 @@
repos:
- repo: https://github.com/gitleaks/gitleaks
rev: v8.16.1
hooks:
- id: gitleaks
5 changes: 5 additions & 0 deletions ds-streamlit/files/.pre-commit-config.yaml
@@ -0,0 +1,5 @@
repos:
- repo: https://github.com/gitleaks/gitleaks
rev: v8.16.1
hooks:
- id: gitleaks
5 changes: 5 additions & 0 deletions e2e-cypress/files/.pre-commit-config.yaml
@@ -0,0 +1,5 @@
repos:
- repo: https://github.com/gitleaks/gitleaks
rev: v8.16.1
hooks:
- id: gitleaks
5 changes: 5 additions & 0 deletions e2e-spock-geb/files/.pre-commit-config.yaml
@@ -0,0 +1,5 @@
repos:
- repo: https://github.com/gitleaks/gitleaks
rev: v8.16.1
hooks:
- id: gitleaks
5 changes: 5 additions & 0 deletions fe-angular/files/.pre-commit-config.yaml
@@ -0,0 +1,5 @@
repos:
- repo: https://github.com/gitleaks/gitleaks
rev: v8.16.1
hooks:
- id: gitleaks
5 changes: 5 additions & 0 deletions fe-ionic/files/.pre-commit-config.yaml
@@ -0,0 +1,5 @@
repos:
- repo: https://github.com/gitleaks/gitleaks
rev: v8.16.1
hooks:
- id: gitleaks