detect-secrets should be used in this project. Setting a baseline
Signed-off-by: Mike Cobbett <77053+techcobweb@users.noreply.github.com>
techcobweb committed Oct 16, 2024
1 parent b933bde commit 4efa710
Showing 2 changed files with 353 additions and 0 deletions.
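--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -0,0 +1,211 @@
+{
+"exclude": {
+"files": "^.secrets.baseline$",
+"lines": null
+},
+"plugins_used": [
+{
+"name": "AWSKeyDetector"
+},
+{
+"name": "ArtifactoryDetector"
+},
+{
+"name": "AzureStorageKeyDetector"
+},
+{
+"base64_limit": 4.5,
+"name": "Base64HighEntropyString"
+},
+{
+"name": "BasicAuthDetector"
+},
+{
+"name": "BoxDetector"
+},
+{
+"name": "CloudantDetector"
+},
+{
+"ghe_instance": "github.ibm.com",
+"name": "GheDetector"
+},
+{
+"name": "GitHubTokenDetector"
+},
+{
+"hex_limit": 3,
+"name": "HexHighEntropyString"
+},
+{
+"name": "IbmCloudIamDetector"
+},
+{
+"name": "IbmCosHmacDetector"
+},
+{
+"name": "JwtTokenDetector"
+},
+{
+"keyword_exclude": null,
+"name": "KeywordDetector"
+},
+{
+"name": "MailchimpDetector"
+},
+{
+"name": "NpmDetector"
+},
+{
+"name": "PrivateKeyDetector"
+},
+{
+"name": "SlackDetector"
+},
+{
+"name": "SoftlayerDetector"
+},
+{
+"name": "SquareOAuthDetector"
+},
+{
+"name": "StripeDetector"
+},
+{
+"name": "TwilioKeyDetector"
+}
+],
+"results": {
+"Casks/g/galasactl.rb": [
+{
+"hashed_secret": "83284a5406883b67766b7e94d345f9409942d84a",
+"is_secret": false,
+"is_verified": false,
+"line_number": 6,
+"type": "Hex High Entropy String",
+"verified_result": null
+},
+{
+"hashed_secret": "e69e8ff55c406ec90a7f38843b96497c07069e44",
+"is_secret": false,
+"is_verified": false,
+"line_number": 7,
+"type": "Hex High Entropy String",
+"verified_result": null
+}
+],
+"Casks/g/galasactl@0.33.0.rb": [
+{
+"hashed_secret": "bb1bfaa5682b608179d35c219b2727d09b4ca4ea",
+"is_secret": false,
+"is_verified": false,
+"line_number": 6,
+"type": "Hex High Entropy String",
+"verified_result": null
+},
+{
+"hashed_secret": "0639df56ffc1bb86d8fce8e579a147203b62b804",
+"is_secret": false,
+"is_verified": false,
+"line_number": 7,
+"type": "Hex High Entropy String",
+"verified_result": null
+}
+],
+"Casks/g/galasactl@0.34.0.rb": [
+{
+"hashed_secret": "c1ad569592ebca9f749c7b28775f62e8711b8cbf",
+"is_secret": false,
+"is_verified": false,
+"line_number": 6,
+"type": "Hex High Entropy String",
+"verified_result": null
+},
+{
+"hashed_secret": "e6f334ca38a65ff8e24412141019e835e2e7907a",
+"is_secret": false,
+"is_verified": false,
+"line_number": 7,
+"type": "Hex High Entropy String",
+"verified_result": null
+}
+],
+"Casks/g/galasactl@0.34.1.rb": [
+{
+"hashed_secret": "aacb017e1e456863d366c0f5e3995b00692d3d32",
+"is_secret": false,
+"is_verified": false,
+"line_number": 6,
+"type": "Hex High Entropy String",
+"verified_result": null
+},
+{
+"hashed_secret": "efc35e0c31d1c41304b2707db78e518f1130bbc4",
+"is_secret": false,
+"is_verified": false,
+"line_number": 7,
+"type": "Hex High Entropy String",
+"verified_result": null
+}
+],
+"Casks/g/galasactl@0.35.0.rb": [
+{
+"hashed_secret": "8925b8501ad17d10e2603a43947c312b8f9f1ecc",
+"is_secret": false,
+"is_verified": false,
+"line_number": 6,
+"type": "Hex High Entropy String",
+"verified_result": null
+},
+{
+"hashed_secret": "b1f341eeec92753e61fc917fc94ac540e160bb9b",
+"is_secret": false,
+"is_verified": false,
+"line_number": 7,
+"type": "Hex High Entropy String",
+"verified_result": null
+}
+],
+"Casks/g/galasactl@0.36.0.rb": [
+{
+"hashed_secret": "5205f4320207b08a0e307bb971f8337180d6edcf",
+"is_secret": false,
+"is_verified": false,
+"line_number": 6,
+"type": "Hex High Entropy String",
+"verified_result": null
+},
+{
+"hashed_secret": "8906b45a0afff04142bb4e9eddc71e5d281faa5c",
+"is_secret": false,
+"is_verified": false,
+"line_number": 7,
+"type": "Hex High Entropy String",
+"verified_result": null
+}
+],
+"Casks/g/galasactl@0.37.0.rb": [
+{
+"hashed_secret": "83284a5406883b67766b7e94d345f9409942d84a",
+"is_secret": false,
+"is_verified": false,
+"line_number": 6,
+"type": "Hex High Entropy String",
+"verified_result": null
+},
+{
+"hashed_secret": "e69e8ff55c406ec90a7f38843b96497c07069e44",
+"is_secret": false,
+"is_verified": false,
+"line_number": 7,
+"type": "Hex High Entropy String",
+"verified_result": null
+}
+]
+},
+"version": "0.13.1+ibm.62.dss",
+"word_list": {
+"file": null,
+"hash": null
+}
+}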
142 changes: 142 additions & 0 deletions build-locally.sh
@@ -0,0 +1,142 @@
#! /usr/bin/env bash

#
# Copyright contributors to the Galasa project
#
# SPDX-License-Identifier: EPL-2.0
#
#-----------------------------------------------------------------------------------------
#
# Objectives: Build this repository code locally.
#
#-----------------------------------------------------------------------------------------

# Where is this script executing from ?
BASEDIR=$(dirname "$0");pushd $BASEDIR 2>&1 >> /dev/null ;BASEDIR=$(pwd);popd 2>&1 >> /dev/null

Use 'pushd ... || exit' or 'pushd ... || return' in case pushd fails.

Double quote to prevent globbing and word splitting.

Prefer putting braces around variable references even when not strictly required.

To redirect stdout+stderr, 2>&1 must be last (or use '{ cmd > file; } 2>&1' to clarify).

Use 'popd ... || exit' or 'popd ... || return' in case popd fails.

To redirect stdout+stderr, 2>&1 must be last (or use '{ cmd > file; } 2>&1' to clarify).
# echo "Running from directory ${BASEDIR}"
export ORIGINAL_DIR=$(pwd)

Declare and assign separately to avoid masking return values.
# cd "${BASEDIR}"

cd "${BASEDIR}/.."
WORKSPACE_DIR=$(pwd)
cd $BASEDIR


#-----------------------------------------------------------------------------------------
#
# Set Colors
#
#-----------------------------------------------------------------------------------------
bold=$(tput bold)
underline=$(tput sgr 0 1)
reset=$(tput sgr0)
red=$(tput setaf 1)
green=$(tput setaf 76)
white=$(tput setaf 7)
tan=$(tput setaf 202)
blue=$(tput setaf 25)

#-----------------------------------------------------------------------------------------
#
# Headers and Logging
#
#-----------------------------------------------------------------------------------------
underline() { printf "${underline}${bold}%s${reset}\n" "$@" ;}
h1() { printf "\n${underline}${bold}${blue}%s${reset}\n" "$@" ;}
h2() { printf "\n${underline}${bold}${white}%s${reset}\n" "$@" ;}
debug() { printf "${white}%s${reset}\n" "$@" ;}
info() { printf "${white}➜ %s${reset}\n" "$@" ;}
success() { printf "${green}✔ %s${reset}\n" "$@" ;}
error() { printf "${red}✖ %s${reset}\n" "$@" ;}
warn() { printf "${tan}➜ %s${reset}\n" "$@" ;}
bold() { printf "${bold}%s${reset}\n" "$@" ;}
note() { printf "\n${underline}${bold}${blue}Note:${reset} ${blue}%s${reset}\n" "$@" ;}

#-----------------------------------------------------------------------------------------
# Functions
#-----------------------------------------------------------------------------------------
function usage {
info "Syntax: build-locally.sh [OPTIONS]"
cat << EOF
Options are:
-h | --help - See this help.
Environment variables
None
EOF
}

function check_exit_code () {
# This function takes 2 parameters in the form:
# $1 an integer value of the returned exit code
# $2 an error message to display if $1 is not equal to 0
if [[ "$1" != "0" ]]; then
error "$2"
exit 1
fi
}

function check_secrets {
h2 "updating secrets baseline"
cd ${BASEDIR}
detect-secrets scan --update .secrets.baseline
rc=$?
check_exit_code $rc "Failed to run detect-secrets. Please check it is installed properly"
success "updated secrets file"

h2 "running audit for secrets"
detect-secrets audit .secrets.baseline
rc=$?
check_exit_code $rc "Failed to audit detect-secrets."

#Check all secrets have been audited
secrets=$(grep -c hashed_secret .secrets.baseline)
audits=$(grep -c is_secret .secrets.baseline)
if [[ "$secrets" != "$audits" ]]; then
error "Not all secrets found have been audited"
exit 1
fi
success "secrets audit complete"

h2 "Removing the timestamp from the secrets baseline file so it doesn't always cause a git change."
mkdir -p temp
rc=$?
check_exit_code $rc "Failed to create a temporary folder"
cat .secrets.baseline | grep -v "generated_at" > temp/.secrets.baseline.temp
rc=$?
check_exit_code $rc "Failed to create a temporary file with no timestamp inside"
mv temp/.secrets.baseline.temp .secrets.baseline
rc=$?
check_exit_code $rc "Failed to overwrite the secrets baseline with one containing no timestamp inside."
success "secrets baseline timestamp content has been removed ok"
}

#-----------------------------------------------------------------------------------------
# Process parameters
#-----------------------------------------------------------------------------------------
build_type=""

gpg_passphrase=""

while [ "$1" != "" ]; do
case $1 in
-h | --help ) usage
exit
;;
* ) error "Unexpected argument $1"
usage
exit 1
esac
shift
done


#-----------------------------------------------------------------------------------------
# Main logic.
#-----------------------------------------------------------------------------------------

source_dir="."

check_secrets

success "Project ${project} built - OK - log is at ${log_file}"
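Review bot: The closing `success "Project ${project} built - OK - log is at ${log_file}"` expands two variables that nothing in this file assigns, so the message prints with empty gaps and reports a build that this script does not perform; the main logic only calls `check_secrets`. `success "Secrets baseline check complete - OK"` would describe what actually ran, and the unused `build_type`, `gpg_passphrase` and `source_dir` assignments could be dropped alongside it. In `check_secrets`, `mkdir -p temp` creates a persistent `temp` directory inside the checkout and nothing removes it after the `mv`; `tmpfile=$(mktemp)` paired with `trap 'rm -f -- "$tmpfile"' EXIT` would keep the working tree clean even when one of the `check_exit_code` calls exits early. The same function also runs `cd ${BASEDIR}` unquoted and ignores the `cd` status, so a path containing whitespace or a failed directory change would run the scan and the later `mv` against the wrong location; `cd "${BASEDIR}" || exit 1` closes that gap.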
