ci: fix scan for secrets

.gitlab-ci.yml

@@ -54,6 +54,9 @@ include:
   
   # lint
   - local: "/devops/osdu/scanners/lint-node.yml"
+  
+  # scan for secrets
+  - local: "/devops/osdu/scanners/scan-for-secrets-node.yml"
 
   # containerize
   - project: "osdu/platform/ci-cd-pipelines"

devops/docker/detect_secrets/README.md

@@ -117,4 +117,12 @@ $ docker run --rm -it -v $(pwd):/opt community.opengroup.org:5555/osdu/platform/
 
 ```bash
 $ docker run --rm -it -v $(pwd):/opt community.opengroup.org:5555/osdu/platform/domain-data-mgmt-services/seismic/seismic-dms-suite/seismic-store-service/seismic-store-service-detect-secrets:latest detect-secrets-hook --baseline /opt/devops/docker/detect_secrets/.secrets.baseline $(git ls-files)
+```
+
+##### False positives
+
+Add next comment above the line (in the proper file) that has been detected and is a false positives
+
+```
+pragma: allowlist nextline secret
 ```
\ No newline at end of file

devops/osdu/scanners/scan-for-secrets-node.yml

@@ -2,6 +2,8 @@ scan-for-secrets:
   image: community.opengroup.org:5555/osdu/platform/domain-data-mgmt-services/seismic/seismic-dms-suite/seismic-store-service/seismic-store-service-detect-secrets:latest
   tags: ["osdu-small"]
   stage: scan
-  needs: ['compile-and-unit-test']
+  needs:
+    - job: compile-and-unit-test
+      artifacts: false
   script:
-    - detect-secrets-hook --exclude-files devops/docker/detect_secrets/.secrets.baseline --exclude-files devops/osdu/scanners/scan-for-secrets-node.yml --exclude-files npm-shrinkwrap.json --exclude-files package.json --exclude-files devops/scripts/azure_jwt_client.py --exclude-files src/cloud/providers/azure/keyvault.ts --exclude-files tests/utest/cloud/azure/keyvault.ts --baseline devops/docker/detect_secrets/.secrets.baseline $(git ls-files)
\ No newline at end of file
+    - detect-secrets-hook --exclude-files npm-shrinkwrap.json --exclude-files package.json --exclude-files devops/osdu/scanners/scan-for-secrets-node.yml --baseline devops/docker/detect_secrets/.secrets.baseline $(git ls-files)
\ No newline at end of file

devops/scripts/azure_jwt_client.py

@@ -50,7 +50,8 @@ def get_invalid_token():
     }
     '''
 
-    return "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkdW1teUBkdW1teS5jb20iLCJpc3MiOiJkdW1teUBkdW1teS5jb20iLCJhdWQiOiJkdW1teS5kdW1teS5jb20iLCJpYXQiOjE1NTYxMzcyNzMsImV4cCI6MTU1NjIzMDk3OSwicHJvdmlkZXIiOiJkdW1teS5jb20iLCJjbGllbnQiOiJkdW1teS5jb20iLCJ1c2VyaWQiOiJkdW1teXRlc3Rlci5jb20iLCJlbWFpbCI6ImR1bW15dGVzdGVyLmNvbSIsImF1dGh6IjoiIiwibGFzdG5hbWUiOiJkdW1teSIsImZpcnN0bmFtZSI6ImR1bW15IiwiY291bnRyeSI6IiIsImNvbXBhbnkiOiIiLCJqb2J0aXRsZSI6IiIsInN1YmlkIjoiZHVtbXlpZCIsImlkcCI6ImR1bW15IiwiaGQiOiJkdW1teS5jb20iLCJkZXNpZCI6ImR1bW15aWQiLCJjb250YWN0X2VtYWlsIjoiZHVtbXlAZHVtbXkuY29tIiwianRpIjoiNGEyMWYyYzItZjU5Yy00NWZhLTk0MTAtNDNkNDdhMTg4ODgwIn0.nkiyKtfXXxAlC60iDjXuB2EAGDfZiVglP-CyU1T4etc"
+    # pragma: allowlist nextline secret
+    return    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkdW1teUBkdW1teS5jb20iLCJpc3MiOiJkdW1teUBkdW1teS5jb20iLCJhdWQiOiJkdW1teS5kdW1teS5jb20iLCJpYXQiOjE1NTYxMzcyNzMsImV4cCI6MTU1NjIzMDk3OSwicHJvdmlkZXIiOiJkdW1teS5jb20iLCJjbGllbnQiOiJkdW1teS5jb20iLCJ1c2VyaWQiOiJkdW1teXRlc3Rlci5jb20iLCJlbWFpbCI6ImR1bW15dGVzdGVyLmNvbSIsImF1dGh6IjoiIiwibGFzdG5hbWUiOiJkdW1teSIsImZpcnN0bmFtZSI6ImR1bW15IiwiY291bnRyeSI6IiIsImNvbXBhbnkiOiIiLCJqb2J0aXRsZSI6IiIsInN1YmlkIjoiZHVtbXlpZCIsImlkcCI6ImR1bW15IiwiaGQiOiJkdW1teS5jb20iLCJkZXNpZCI6ImR1bW15aWQiLCJjb250YWN0X2VtYWlsIjoiZHVtbXlAZHVtbXkuY29tIiwianRpIjoiNGEyMWYyYzItZjU5Yy00NWZhLTk0MTAtNDNkNDdhMTg4ODgwIn0.nkiyKtfXXxAlC60iDjXuB2EAGDfZiVglP-CyU1T4etc"
 
 if __name__ == '__main__':
     get_id_token()
\ No newline at end of file

src/cloud/providers/azure/credentials.ts

@@ -87,6 +87,7 @@ export class AzureCredentials extends AbstractCredentials {
             form: {
                 grant_type: 'client_credentials',
                 client_id: clientID,
+                // pragma: allowlist nextline secret
                 client_secret: clientSecret,
                 resource: appResourceID
             },

src/cloud/providers/azure/keyvault.ts

@@ -24,6 +24,7 @@ export class Keyvault {
     public static REDIS_KEY = 'redis-password';
     public static SP_TENANT_ID = 'app-dev-sp-tenant-id';
     public static SP_CLIENT_ID = 'app-dev-sp-username';
+    // pragma: allowlist nextline secret
     public static SP_CLIENT_SECRET = 'app-dev-sp-password';
     public static SP_APP_RESOURCE_ID = 'aad-client-id';
     public static DATA_PARTITION_STORAGE_ACCOUNT_NAME = 'sdms-storage-account-name';

src/cloud/providers/google/secrets.ts

@@ -27,6 +27,7 @@ export class Secrets{
 
     public async getSecret(secretName: string, required = true): Promise<string> {
         try {
+            // pragma: allowlist nextline secret
             const [secret] = await this.client.accessSecretVersion({
                 name: `projects/${ConfigGoogle.SERVICE_CLOUD_PROJECT}/secrets/${secretName}/versions/latest`
             });

src/cloud/providers/ibm/credentials.ts

@@ -102,6 +102,7 @@ export class Credentials extends AbstractCredentials {
         );
         const crdntls = {
             username: IbmConfig.KEYCLOAK_USERNAME,
+            // pragma: allowlist nextline secret
             password: IbmConfig.KEYCLOAK_PASSWORD,
             grantType: IbmConfig.KEYCLOAK_GRANTTYPE,
             clientId: IbmConfig.KEYCLOAK_CLIENTID,

src/cloud/shared/queue.ts

@@ -34,6 +34,7 @@ export class StorageJobManager {
       };
 
       if (cacheParams.KEY) {
+         // pragma: allowlist nextline secret
          redisx['password'] = cacheParams.KEY;
          if (!cacheParams.DISABLE_TLS) {
             redisx['tls'] = { servername: cacheParams.ADDRESS };

tests/utest/cloud/azure/keyvault.ts

@@ -11,6 +11,7 @@ const mockRedisKey = 'mockRedisKey';
 const mockRedisHost= 'mockRedisHost';
 const mockSpTenantID = 'mockSpTenantID';
 const mockSpClientID = 'mockSpClientID';
+// pragma: allowlist nextline secret
 const mockSpClientSecret = 'mockSpClientSecret';
 const mockSpAppSourceID = 'mockSpAppSourceID';
 const mockSauthProvider = 'mockSauthProvider';