-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
detect secrets should be used in this project. Setting a baseline
Signed-off-by: Mike Cobbett <77053+techcobweb@users.noreply.github.com>
- Loading branch information
1 parent
b933bde
commit 4efa710
Showing
2 changed files
with
353 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,211 @@ | ||
{ | ||
"exclude": { | ||
"files": "^.secrets.baseline$", | ||
"lines": null | ||
}, | ||
"plugins_used": [ | ||
{ | ||
"name": "AWSKeyDetector" | ||
}, | ||
{ | ||
"name": "ArtifactoryDetector" | ||
}, | ||
{ | ||
"name": "AzureStorageKeyDetector" | ||
}, | ||
{ | ||
"base64_limit": 4.5, | ||
"name": "Base64HighEntropyString" | ||
}, | ||
{ | ||
"name": "BasicAuthDetector" | ||
}, | ||
{ | ||
"name": "BoxDetector" | ||
}, | ||
{ | ||
"name": "CloudantDetector" | ||
}, | ||
{ | ||
"ghe_instance": "github.ibm.com", | ||
"name": "GheDetector" | ||
}, | ||
{ | ||
"name": "GitHubTokenDetector" | ||
}, | ||
{ | ||
"hex_limit": 3, | ||
"name": "HexHighEntropyString" | ||
}, | ||
{ | ||
"name": "IbmCloudIamDetector" | ||
}, | ||
{ | ||
"name": "IbmCosHmacDetector" | ||
}, | ||
{ | ||
"name": "JwtTokenDetector" | ||
}, | ||
{ | ||
"keyword_exclude": null, | ||
"name": "KeywordDetector" | ||
}, | ||
{ | ||
"name": "MailchimpDetector" | ||
}, | ||
{ | ||
"name": "NpmDetector" | ||
}, | ||
{ | ||
"name": "PrivateKeyDetector" | ||
}, | ||
{ | ||
"name": "SlackDetector" | ||
}, | ||
{ | ||
"name": "SoftlayerDetector" | ||
}, | ||
{ | ||
"name": "SquareOAuthDetector" | ||
}, | ||
{ | ||
"name": "StripeDetector" | ||
}, | ||
{ | ||
"name": "TwilioKeyDetector" | ||
} | ||
], | ||
"results": { | ||
"Casks/g/galasactl.rb": [ | ||
{ | ||
"hashed_secret": "83284a5406883b67766b7e94d345f9409942d84a", | ||
"is_secret": false, | ||
"is_verified": false, | ||
"line_number": 6, | ||
"type": "Hex High Entropy String", | ||
"verified_result": null | ||
}, | ||
{ | ||
"hashed_secret": "e69e8ff55c406ec90a7f38843b96497c07069e44", | ||
"is_secret": false, | ||
"is_verified": false, | ||
"line_number": 7, | ||
"type": "Hex High Entropy String", | ||
"verified_result": null | ||
} | ||
], | ||
"Casks/g/galasactl@0.33.0.rb": [ | ||
{ | ||
"hashed_secret": "bb1bfaa5682b608179d35c219b2727d09b4ca4ea", | ||
"is_secret": false, | ||
"is_verified": false, | ||
"line_number": 6, | ||
"type": "Hex High Entropy String", | ||
"verified_result": null | ||
}, | ||
{ | ||
"hashed_secret": "0639df56ffc1bb86d8fce8e579a147203b62b804", | ||
"is_secret": false, | ||
"is_verified": false, | ||
"line_number": 7, | ||
"type": "Hex High Entropy String", | ||
"verified_result": null | ||
} | ||
], | ||
"Casks/g/galasactl@0.34.0.rb": [ | ||
{ | ||
"hashed_secret": "c1ad569592ebca9f749c7b28775f62e8711b8cbf", | ||
"is_secret": false, | ||
"is_verified": false, | ||
"line_number": 6, | ||
"type": "Hex High Entropy String", | ||
"verified_result": null | ||
}, | ||
{ | ||
"hashed_secret": "e6f334ca38a65ff8e24412141019e835e2e7907a", | ||
"is_secret": false, | ||
"is_verified": false, | ||
"line_number": 7, | ||
"type": "Hex High Entropy String", | ||
"verified_result": null | ||
} | ||
], | ||
"Casks/g/galasactl@0.34.1.rb": [ | ||
{ | ||
"hashed_secret": "aacb017e1e456863d366c0f5e3995b00692d3d32", | ||
"is_secret": false, | ||
"is_verified": false, | ||
"line_number": 6, | ||
"type": "Hex High Entropy String", | ||
"verified_result": null | ||
}, | ||
{ | ||
"hashed_secret": "efc35e0c31d1c41304b2707db78e518f1130bbc4", | ||
"is_secret": false, | ||
"is_verified": false, | ||
"line_number": 7, | ||
"type": "Hex High Entropy String", | ||
"verified_result": null | ||
} | ||
], | ||
"Casks/g/galasactl@0.35.0.rb": [ | ||
{ | ||
"hashed_secret": "8925b8501ad17d10e2603a43947c312b8f9f1ecc", | ||
"is_secret": false, | ||
"is_verified": false, | ||
"line_number": 6, | ||
"type": "Hex High Entropy String", | ||
"verified_result": null | ||
}, | ||
{ | ||
"hashed_secret": "b1f341eeec92753e61fc917fc94ac540e160bb9b", | ||
"is_secret": false, | ||
"is_verified": false, | ||
"line_number": 7, | ||
"type": "Hex High Entropy String", | ||
"verified_result": null | ||
} | ||
], | ||
"Casks/g/galasactl@0.36.0.rb": [ | ||
{ | ||
"hashed_secret": "5205f4320207b08a0e307bb971f8337180d6edcf", | ||
"is_secret": false, | ||
"is_verified": false, | ||
"line_number": 6, | ||
"type": "Hex High Entropy String", | ||
"verified_result": null | ||
}, | ||
{ | ||
"hashed_secret": "8906b45a0afff04142bb4e9eddc71e5d281faa5c", | ||
"is_secret": false, | ||
"is_verified": false, | ||
"line_number": 7, | ||
"type": "Hex High Entropy String", | ||
"verified_result": null | ||
} | ||
], | ||
"Casks/g/galasactl@0.37.0.rb": [ | ||
{ | ||
"hashed_secret": "83284a5406883b67766b7e94d345f9409942d84a", | ||
"is_secret": false, | ||
"is_verified": false, | ||
"line_number": 6, | ||
"type": "Hex High Entropy String", | ||
"verified_result": null | ||
}, | ||
{ | ||
"hashed_secret": "e69e8ff55c406ec90a7f38843b96497c07069e44", | ||
"is_secret": false, | ||
"is_verified": false, | ||
"line_number": 7, | ||
"type": "Hex High Entropy String", | ||
"verified_result": null | ||
} | ||
] | ||
}, | ||
"version": "0.13.1+ibm.62.dss", | ||
"word_list": { | ||
"file": null, | ||
"hash": null | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,142 @@ | ||
#! /usr/bin/env bash | ||
|
||
# | ||
# Copyright contributors to the Galasa project | ||
# | ||
# SPDX-License-Identifier: EPL-2.0 | ||
# | ||
#----------------------------------------------------------------------------------------- | ||
# | ||
# Objectives: Build this repository code locally. | ||
# | ||
#----------------------------------------------------------------------------------------- | ||
|
||
# Where is this script executing from ? | ||
BASEDIR=$(dirname "$0");pushd $BASEDIR 2>&1 >> /dev/null ;BASEDIR=$(pwd);popd 2>&1 >> /dev/null | ||
Check failure on line 15 in build-locally.sh GitHub Actions / test-bot (ubuntu-22.04)
Check failure on line 15 in build-locally.sh GitHub Actions / test-bot (ubuntu-22.04)
Check failure on line 15 in build-locally.sh GitHub Actions / test-bot (ubuntu-22.04)
Check failure on line 15 in build-locally.sh GitHub Actions / test-bot (ubuntu-22.04)
Check failure on line 15 in build-locally.sh GitHub Actions / test-bot (ubuntu-22.04)
|
||
# echo "Running from directory ${BASEDIR}" | ||
export ORIGINAL_DIR=$(pwd) | ||
# cd "${BASEDIR}" | ||
|
||
cd "${BASEDIR}/.." | ||
WORKSPACE_DIR=$(pwd) | ||
cd $BASEDIR | ||
|
||
|
||
#----------------------------------------------------------------------------------------- | ||
# | ||
# Set Colors | ||
# | ||
#----------------------------------------------------------------------------------------- | ||
bold=$(tput bold) | ||
underline=$(tput sgr 0 1) | ||
reset=$(tput sgr0) | ||
red=$(tput setaf 1) | ||
green=$(tput setaf 76) | ||
white=$(tput setaf 7) | ||
tan=$(tput setaf 202) | ||
blue=$(tput setaf 25) | ||
|
||
#----------------------------------------------------------------------------------------- | ||
# | ||
# Headers and Logging | ||
# | ||
#----------------------------------------------------------------------------------------- | ||
underline() { printf "${underline}${bold}%s${reset}\n" "$@" ;} | ||
h1() { printf "\n${underline}${bold}${blue}%s${reset}\n" "$@" ;} | ||
h2() { printf "\n${underline}${bold}${white}%s${reset}\n" "$@" ;} | ||
debug() { printf "${white}%s${reset}\n" "$@" ;} | ||
info() { printf "${white}➜ %s${reset}\n" "$@" ;} | ||
success() { printf "${green}✔ %s${reset}\n" "$@" ;} | ||
error() { printf "${red}✖ %s${reset}\n" "$@" ;} | ||
warn() { printf "${tan}➜ %s${reset}\n" "$@" ;} | ||
bold() { printf "${bold}%s${reset}\n" "$@" ;} | ||
note() { printf "\n${underline}${bold}${blue}Note:${reset} ${blue}%s${reset}\n" "$@" ;} | ||
|
||
#----------------------------------------------------------------------------------------- | ||
# Functions | ||
#----------------------------------------------------------------------------------------- | ||
function usage { | ||
info "Syntax: build-locally.sh [OPTIONS]" | ||
cat << EOF | ||
Options are: | ||
-h | --help - See this help. | ||
Environment variables | ||
None | ||
EOF | ||
} | ||
|
||
function check_exit_code () { | ||
# This function takes 2 parameters in the form: | ||
# $1 an integer value of the returned exit code | ||
# $2 an error message to display if $1 is not equal to 0 | ||
if [[ "$1" != "0" ]]; then | ||
error "$2" | ||
exit 1 | ||
fi | ||
} | ||
|
||
function check_secrets { | ||
h2 "updating secrets baseline" | ||
cd ${BASEDIR} | ||
detect-secrets scan --update .secrets.baseline | ||
rc=$? | ||
check_exit_code $rc "Failed to run detect-secrets. Please check it is installed properly" | ||
success "updated secrets file" | ||
|
||
h2 "running audit for secrets" | ||
detect-secrets audit .secrets.baseline | ||
rc=$? | ||
check_exit_code $rc "Failed to audit detect-secrets." | ||
|
||
#Check all secrets have been audited | ||
secrets=$(grep -c hashed_secret .secrets.baseline) | ||
audits=$(grep -c is_secret .secrets.baseline) | ||
if [[ "$secrets" != "$audits" ]]; then | ||
error "Not all secrets found have been audited" | ||
exit 1 | ||
fi | ||
success "secrets audit complete" | ||
|
||
h2 "Removing the timestamp from the secrets baseline file so it doesn't always cause a git change." | ||
mkdir -p temp | ||
rc=$? | ||
check_exit_code $rc "Failed to create a temporary folder" | ||
cat .secrets.baseline | grep -v "generated_at" > temp/.secrets.baseline.temp | ||
rc=$? | ||
check_exit_code $rc "Failed to create a temporary file with no timestamp inside" | ||
mv temp/.secrets.baseline.temp .secrets.baseline | ||
rc=$? | ||
check_exit_code $rc "Failed to overwrite the secrets baseline with one containing no timestamp inside." | ||
success "secrets baseline timestamp content has been removed ok" | ||
} | ||
|
||
#----------------------------------------------------------------------------------------- | ||
# Process parameters | ||
#----------------------------------------------------------------------------------------- | ||
build_type="" | ||
|
||
gpg_passphrase="" | ||
|
||
while [ "$1" != "" ]; do | ||
case $1 in | ||
-h | --help ) usage | ||
exit | ||
;; | ||
* ) error "Unexpected argument $1" | ||
usage | ||
exit 1 | ||
esac | ||
shift | ||
done | ||
|
||
|
||
#----------------------------------------------------------------------------------------- | ||
# Main logic. | ||
#----------------------------------------------------------------------------------------- | ||
|
||
source_dir="." | ||
|
||
check_secrets | ||
|
||
success "Project ${project} built - OK - log is at ${log_file}" |