Commit 2c3937d5 authored by Daniel Perez's avatar Daniel Perez
Browse files

ci: fix scan for secrets

parent 0bf4ab4b
......@@ -54,6 +54,9 @@ include:
# lint
- local: "/devops/osdu/scanners/lint-node.yml"
# scan for secrets
- local: "/devops/osdu/scanners/scan-for-secrets-node.yml"
# containerize
- project: "osdu/platform/ci-cd-pipelines"
......
......@@ -117,4 +117,12 @@ $ docker run --rm -it -v $(pwd):/opt community.opengroup.org:5555/osdu/platform/
```bash
$ docker run --rm -it -v $(pwd):/opt community.opengroup.org:5555/osdu/platform/domain-data-mgmt-services/seismic/seismic-dms-suite/seismic-store-service/seismic-store-service-detect-secrets:latest detect-secrets-hook --baseline /opt/devops/docker/detect_secrets/.secrets.baseline $(git ls-files)
```
##### False positives
Add next comment above the line (in the proper file) that has been detected and is a false positives
```
pragma: allowlist nextline secret
```
\ No newline at end of file
......@@ -2,6 +2,8 @@ scan-for-secrets:
image: community.opengroup.org:5555/osdu/platform/domain-data-mgmt-services/seismic/seismic-dms-suite/seismic-store-service/seismic-store-service-detect-secrets:latest
tags: ["osdu-small"]
stage: scan
needs: ['compile-and-unit-test']
needs:
- job: compile-and-unit-test
artifacts: false
script:
- detect-secrets-hook --exclude-files devops/docker/detect_secrets/.secrets.baseline --exclude-files devops/osdu/scanners/scan-for-secrets-node.yml --exclude-files npm-shrinkwrap.json --exclude-files package.json --exclude-files devops/scripts/azure_jwt_client.py --exclude-files src/cloud/providers/azure/keyvault.ts --exclude-files tests/utest/cloud/azure/keyvault.ts --baseline devops/docker/detect_secrets/.secrets.baseline $(git ls-files)
\ No newline at end of file
- detect-secrets-hook --exclude-files npm-shrinkwrap.json --exclude-files package.json --exclude-files devops/osdu/scanners/scan-for-secrets-node.yml --baseline devops/docker/detect_secrets/.secrets.baseline $(git ls-files)
\ No newline at end of file
......@@ -50,7 +50,8 @@ def get_invalid_token():
}
'''
return "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkdW1teUBkdW1teS5jb20iLCJpc3MiOiJkdW1teUBkdW1teS5jb20iLCJhdWQiOiJkdW1teS5kdW1teS5jb20iLCJpYXQiOjE1NTYxMzcyNzMsImV4cCI6MTU1NjIzMDk3OSwicHJvdmlkZXIiOiJkdW1teS5jb20iLCJjbGllbnQiOiJkdW1teS5jb20iLCJ1c2VyaWQiOiJkdW1teXRlc3Rlci5jb20iLCJlbWFpbCI6ImR1bW15dGVzdGVyLmNvbSIsImF1dGh6IjoiIiwibGFzdG5hbWUiOiJkdW1teSIsImZpcnN0bmFtZSI6ImR1bW15IiwiY291bnRyeSI6IiIsImNvbXBhbnkiOiIiLCJqb2J0aXRsZSI6IiIsInN1YmlkIjoiZHVtbXlpZCIsImlkcCI6ImR1bW15IiwiaGQiOiJkdW1teS5jb20iLCJkZXNpZCI6ImR1bW15aWQiLCJjb250YWN0X2VtYWlsIjoiZHVtbXlAZHVtbXkuY29tIiwianRpIjoiNGEyMWYyYzItZjU5Yy00NWZhLTk0MTAtNDNkNDdhMTg4ODgwIn0.nkiyKtfXXxAlC60iDjXuB2EAGDfZiVglP-CyU1T4etc"
# pragma: allowlist nextline secret
return "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkdW1teUBkdW1teS5jb20iLCJpc3MiOiJkdW1teUBkdW1teS5jb20iLCJhdWQiOiJkdW1teS5kdW1teS5jb20iLCJpYXQiOjE1NTYxMzcyNzMsImV4cCI6MTU1NjIzMDk3OSwicHJvdmlkZXIiOiJkdW1teS5jb20iLCJjbGllbnQiOiJkdW1teS5jb20iLCJ1c2VyaWQiOiJkdW1teXRlc3Rlci5jb20iLCJlbWFpbCI6ImR1bW15dGVzdGVyLmNvbSIsImF1dGh6IjoiIiwibGFzdG5hbWUiOiJkdW1teSIsImZpcnN0bmFtZSI6ImR1bW15IiwiY291bnRyeSI6IiIsImNvbXBhbnkiOiIiLCJqb2J0aXRsZSI6IiIsInN1YmlkIjoiZHVtbXlpZCIsImlkcCI6ImR1bW15IiwiaGQiOiJkdW1teS5jb20iLCJkZXNpZCI6ImR1bW15aWQiLCJjb250YWN0X2VtYWlsIjoiZHVtbXlAZHVtbXkuY29tIiwianRpIjoiNGEyMWYyYzItZjU5Yy00NWZhLTk0MTAtNDNkNDdhMTg4ODgwIn0.nkiyKtfXXxAlC60iDjXuB2EAGDfZiVglP-CyU1T4etc"
if __name__ == '__main__':
get_id_token()
\ No newline at end of file
......@@ -87,6 +87,7 @@ export class AzureCredentials extends AbstractCredentials {
form: {
grant_type: 'client_credentials',
client_id: clientID,
// pragma: allowlist nextline secret
client_secret: clientSecret,
resource: appResourceID
},
......
......@@ -24,6 +24,7 @@ export class Keyvault {
public static REDIS_KEY = 'redis-password';
public static SP_TENANT_ID = 'app-dev-sp-tenant-id';
public static SP_CLIENT_ID = 'app-dev-sp-username';
// pragma: allowlist nextline secret
public static SP_CLIENT_SECRET = 'app-dev-sp-password';
public static SP_APP_RESOURCE_ID = 'aad-client-id';
public static DATA_PARTITION_STORAGE_ACCOUNT_NAME = 'sdms-storage-account-name';
......
......@@ -27,6 +27,7 @@ export class Secrets{
public async getSecret(secretName: string, required = true): Promise<string> {
try {
// pragma: allowlist nextline secret
const [secret] = await this.client.accessSecretVersion({
name: `projects/${ConfigGoogle.SERVICE_CLOUD_PROJECT}/secrets/${secretName}/versions/latest`
});
......
......@@ -102,6 +102,7 @@ export class Credentials extends AbstractCredentials {
);
const crdntls = {
username: IbmConfig.KEYCLOAK_USERNAME,
// pragma: allowlist nextline secret
password: IbmConfig.KEYCLOAK_PASSWORD,
grantType: IbmConfig.KEYCLOAK_GRANTTYPE,
clientId: IbmConfig.KEYCLOAK_CLIENTID,
......
......@@ -34,6 +34,7 @@ export class StorageJobManager {
};
if (cacheParams.KEY) {
// pragma: allowlist nextline secret
redisx['password'] = cacheParams.KEY;
if (!cacheParams.DISABLE_TLS) {
redisx['tls'] = { servername: cacheParams.ADDRESS };
......
......@@ -11,6 +11,7 @@ const mockRedisKey = 'mockRedisKey';
const mockRedisHost= 'mockRedisHost';
const mockSpTenantID = 'mockSpTenantID';
const mockSpClientID = 'mockSpClientID';
// pragma: allowlist nextline secret
const mockSpClientSecret = 'mockSpClientSecret';
const mockSpAppSourceID = 'mockSpAppSourceID';
const mockSauthProvider = 'mockSauthProvider';
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment