Commit 81775c61 authored by Daniel Perez's avatar Daniel Perez

Merge branch 'slb/dperez50/prevent-commit-secrets' into 'master'

ci: adding validations to prevent committing secrets

See merge request !144
parents 712d9ee8 00a5830b
Pipeline #52469 failed with stages in 9 minutes and 8 seconds
......@@ -47,11 +47,15 @@ include:
- local: "devops/osdu/build/seismic-store-service.yml"
# scan
#fossa
# fossa
- local: "devops/osdu/scanners/fossa-node.yml"
#lint
# lint
- local: "/devops/osdu/scanners/lint-node.yml"
# scan for secrets
- local: "/devops/osdu/scanners/scan-for-secrets-node.yml"
# containerize
- project: "osdu/platform/ci-cd-pipelines"
file: "containerize/seismic-store-service.yml"
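Review bot: the new include `- local: "/devops/osdu/scanners/scan-for-secrets-node.yml"` uses a root-anchored path while the build include at the top of this hunk uses the relative form `devops/osdu/build/seismic-store-service.yml`; GitLab resolves both against the repository root, but the `include:` block should use one form throughout. The `#fossa` to `# fossa` and `#lint` to `# lint` edits are comment-spacing churn unrelated to the secret scan; harmless, but they make the security-relevant part of the diff harder to pick out.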
#!/bin/sh
. "$(dirname "$0")/_/husky.sh"
npx scan-for-secrets src
\ No newline at end of file
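Review bot: the pre-commit hook scans only the `src` tree (`npx scan-for-secrets src`), so a secret committed anywhere else, for example under `devops/`, passes the local gate and is first rejected by the CI job, after the push. Scanning the staged file list instead, as the README below documents with `detect-secrets-hook --baseline ... $(git diff --staged --name-only)`, would make the local check cover the same files and use the same scanner and baseline as CI; as written, the hook (`scan-for-secrets` from npm) and the pipeline (`detect-secrets`) are two different tools with different rule sets, so a commit can pass one and fail the other. Also add the trailing newline the diff flags as missing.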
FROM alpine:3.12.0
WORKDIR /opt
RUN apk add --no-cache py3-pip git &&\
pip install detect-secrets
\ No newline at end of file
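Review bot: `pip install detect-secrets` is unpinned although the base image is pinned to `alpine:3.12.0`, so every rebuild of this image may pull a different scanner version; the README's own note that a rescan will "update/upgrade your baseline to be compatible with the latest version" shows the baseline format is version-sensitive, so pin the package (`pip install detect-secrets==<version>`, version to be chosen) to keep CI results reproducible and the committed baseline stable. The image also runs as root with no `USER` directive, so when the repository is bind-mounted at `/opt` and the scanner rewrites the baseline, the file comes back root-owned on the developer's host. Minor: a space before `\` in `&&\` is conventional.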
[![Detect Secrets](https://travis-ci.com/Yelp/detect-secrets.svg?branch=master)](https://travis-ci.com/Yelp/detect-secrets)
# detect-secrets
## About
`detect-secrets` is an aptly named module for **detecting secrets** within a
code base.
## Quickstart:
### Local environment
#### Python
Python required
##### Installation
```bash
$ pip install detect-secrets
```
##### Usage
###### Base files generation
This will generate the baseline file to be used by CI process:
1. Confirm file devops/docker/detect_secrets/.secrets.baseline does not exist.
2. From root path of the project run next command:
```bash
$ detect-secrets scan > devops/docker/detect_secrets/.secrets.baseline
```
###### Adding New Secrets to Baseline:
This will rescan your codebase, and:
1. Update/upgrade your baseline to be compatible with the latest version,
2. Add any new secrets it finds to your baseline,
3. Remove any secrets no longer in your codebase
This will also preserve any labelled secrets you have.
Remember to run this from root path of your project.
```bash
$ detect-secrets scan --baseline .secrets.baseline
```
#### Docker
Docker Required
##### Installation
```bash
$ docker build -t detectsecrets .
```
##### Usage
###### Base files generation
This will generate the baseline file to be used by CI process:
1. Confirm file devops/docker/detect_secrets/.secrets.baseline does not exist.
2. From root path of the project run next command:
```bash
$ docker run --rm -it -v $(pwd):/opt detectsecrets detect-secrets scan > /opt/devops/docker/detect_secrets/.secrets.baseline
```
###### Adding New Secrets to Baseline:
This will rescan your codebase, and:
1. Update/upgrade your baseline to be compatible with the latest version,
2. Add any new secrets it finds to your baseline,
3. Remove any secrets no longer in your codebase
This will also preserve any labelled secrets you have.
Remember to run this from root path of your project.
```bash
$ docker run --rm -it -v $(pwd):/opt detectsecres detect-secrets scan --baseline /opt/devops/docker/detect_secrets/.secrets.baseline
```
### CI
#### Docker
Docker Required
##### Image to be used
Image already has been built from the Dockerfile in this folder
```
community.opengroup.org:5555/osdu/platform/domain-data-mgmt-services/seismic/seismic-dms-suite/seismic-store-service/seismic-store-service-detect-secrets:latest
```
##### Usage
###### Alerting off newly added secrets:
**Scanning Staged Files Only:**
```bash
$ docker run --rm -it -v $(pwd):/opt community.opengroup.org:5555/osdu/platform/domain-data-mgmt-services/seismic/seismic-dms-suite/seismic-store-service/seismic-store-service-detect-secrets:latest detect-secrets-hook --baseline /opt/devops/docker/detect_secrets/.secrets.baseline $(git diff --staged --name-only)
```
**Scanning All Tracked Files:**
```bash
$ docker run --rm -it -v $(pwd):/opt community.opengroup.org:5555/osdu/platform/domain-data-mgmt-services/seismic/seismic-dms-suite/seismic-store-service/seismic-store-service-detect-secrets:latest detect-secrets-hook --baseline /opt/devops/docker/detect_secrets/.secrets.baseline $(git ls-files)
```
\ No newline at end of file
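Review bot: in the Docker baseline-generation command, `docker run ... detect-secrets scan > /opt/devops/docker/detect_secrets/.secrets.baseline`, the `>` redirect is evaluated by the host shell, not inside the container, so the baseline is written to `/opt/devops/...` on the host (and the command fails unless that directory exists there) rather than into the repository; redirect to the host-relative path `devops/docker/detect_secrets/.secrets.baseline` instead, and drop `-t` from any command whose stdout is captured, since a pseudo-TTY rewrites LF as CRLF in the redirected output. The baseline-update command misspells the image tag (`detectsecres` versus the `detectsecrets` built by `docker build -t detectsecrets .`), so it fails with an image-not-found error. Smaller points: the image-name block under "Image to be used" has no fence language, "Quickstart:" carries a stray colon, and the README should state which detect-secrets version generated the baseline, given its own warning that rescanning upgrades the baseline format.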
scan-for-secrets:
image: community.opengroup.org:5555/osdu/platform/domain-data-mgmt-services/seismic/seismic-dms-suite/seismic-store-service/seismic-store-service-detect-secrets:latest
tags: ["osdu-small"]
stage: scan
needs: ['compile-and-unit-test']
script:
- detect-secrets-hook --exclude-files devops/docker/detect_secrets/.secrets.baseline --exclude-files devops/osdu/scanners/scan-for-secrets-node.yml --baseline devops/docker/detect_secrets/.secrets.baseline $(git ls-files)
\ No newline at end of file
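Review bot: `needs: ['compile-and-unit-test']` makes the secret scan wait for compilation and unit tests although it only reads tracked files; removing that dependency (or setting `needs: []`) lets a committed secret fail the pipeline early rather than after the test stage has run. Two smaller points on the `script` line: `--exclude-files` takes a regex, and the unescaped dots in `devops/docker/detect_secrets/.secrets.baseline` and `devops/osdu/scanners/scan-for-secrets-node.yml` match any character, so anchor and escape them (e.g. `^devops/docker/detect_secrets/\.secrets\.baseline$`); and `$(git ls-files)` word-splits on whitespace, so a tracked path containing a space is passed as two non-existent files (`git ls-files -z | xargs -0 detect-secrets-hook ...` avoids that).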
......@@ -5622,6 +5622,12 @@
}
}
},
"husky": {
"version": "7.0.1",
"resolved": "https://registry.npmjs.org/husky/-/husky-7.0.1.tgz",
"integrity": "sha512-gceRaITVZ+cJH9sNHqx5tFwbzlLCVxtVZcusME8JYQ8Edy5mpGDOqD8QBCdMhpyo9a+JXddnujQ4rpY2Ff9SJA==",
"dev": true
},
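Review bot: husky 7 only activates its hooks when `husky install` runs (normally from a `prepare` script in package.json), so this lock entry plus the pre-commit hook file are not enough for a fresh clone to run the scan; confirm the package.json change carries that `prepare` script, which is not visible in the expanded hunks here.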
"iconv-lite": {
"version": "0.4.24",
"resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.4.24.tgz",
......@@ -9234,6 +9240,12 @@
"resolved": "https://registry.npmjs.org/sax/-/sax-1.2.4.tgz",
"integrity": "sha512-NqVDv9TpANUjFm0N8uM5GxL36UgKi9/atZw+x7YFnQ8ckwFGKrl4xX4yWtrey3UJm5nP1kUbnYgLopqWNSRhWw=="
},
"scan-for-secrets": {
"version": "2.0.3",
"resolved": "https://registry.npmjs.org/scan-for-secrets/-/scan-for-secrets-2.0.3.tgz",
"integrity": "sha512-4pJW61DTUn5ONk4xwlh3j7c/pu0zKqFkNNTMYqh6V3WckdPCgWmnPGpsFSQOKzMhZ6jxYma8GRGznx8gQvtInA==",
"dev": true
},
"semaphore": {
"version": "1.1.0",
"resolved": "https://registry.npmjs.org/semaphore/-/semaphore-1.1.0.tgz",
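Review bot: `scan-for-secrets` is marked `"dev": true`, so the `npx scan-for-secrets src` pre-commit hook resolves to this locked 2.0.3 with its integrity pin only in a checkout where dev dependencies are installed; before `npm install`, or after `npm ci --production`, npx instead offers to download whatever version the registry currently serves. Acceptable for a developer-side hook, but worth a line in the README so nobody assumes the lockfile governs what the hook executes.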