Merge branch 'main' into feature/engagement/apham/16852

.github/actions/runleaks/.gitignore

@@ -0,0 +1,4 @@
+.git
+_git
+.github
+_github

.github/actions/runleaks/Dockerfile

@@ -0,0 +1,8 @@
+FROM cgr.dev/chainguard/wolfi-base:latest
+RUN apk add git gh make parallel jq
+
+COPY git-secrets /git-secrets
+RUN make -C /git-secrets install
+COPY lib/* /
+
+ENTRYPOINT ["bash", "/scan.sh"]

.github/actions/runleaks/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2023 Josiah Siegel
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

.github/actions/runleaks/README.md

@@ -0,0 +1,163 @@
+# runleaks
+
+[![Scan Action Logs](https://github.com/CDCgov/prime-reportstream/.github/workflows/runleaks--main.yml/badge.svg?branch=main)](https://github.com/CDCgov/prime-reportstream/.github/workflows/runleaks--main.yml)
+
+Leverages [git-secrets](https://github.com/awslabs/git-secrets) to identify potential leaks in GitHub action run logs.
+
+ * Common Azure and Google Cloud patterns are available, thanks to fork [msalemcode/git-secrets](https://github.com/msalemcode/git-secrets).
+
+
+## Inputs
+```yml
+  github-token:
+    description: 'Token used to login to GitHub'
+    required: true
+  repo:
+    description: 'Repo to scan run logs for exceptions'
+    required: false
+    default: ${{ github.repository }}
+  run-limit:
+    description: 'Limit on how many runs to scan'
+    required: false
+    default: '50'
+  min-days-old:
+    description: 'Min age of runs in days'
+    required: false
+    default: '0'
+  max-days-old:
+    description: 'Max age of runs in days'
+    required: false
+    default: '3'
+  patterns-path:
+    description: 'Patterns file path'
+    required: false
+    default: ".runleaks/patterns.txt"
+  exclusions-path:
+    description: 'Excluded patterns file path'
+    required: false
+    default: ".runleaks/exclusions.txt"
+  fail-on-leak:
+    description: 'Fail action if leak is found'
+    required: false
+    default: true
+```
+
+## Outputs
+```yml
+  exceptions:
+    description: 'Json output of run logs with exceptions'
+  count:
+    description: 'Count of exceptions'
+```
+
+## Usage
+ * Note: [GitHub rate limits](#rate-limits)
+```yml
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Scan run logs
+        uses: josiahsiegel/runleaks@4dd30d107c03b6ade87978e10c94a77015e488f9
+        id: scan
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          run-limit: 500
+          fail-on-leak: false
+      - name: Get scan exceptions
+        if: steps.scan.outputs.count > 0
+        run: echo "${{ steps.scan.outputs.exceptions }}"
+```
+or
+```yml
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Scan run logs
+        uses: josiahsiegel/runleaks@4dd30d107c03b6ade87978e10c94a77015e488f9
+        id: scan
+        with:
+          github-token: ${{ secrets.MY_TOKEN }}
+          patterns-path: ".github/patterns.txt"
+          exclusions-path: ".github/exclusions.txt"
+          fail-on-leak: false
+      - name: Get scan exceptions
+        if: steps.scan.outputs.count > 0
+        run: echo "${{ steps.scan.outputs.exceptions }}"
+```
+or
+```yml
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          repository: 'me/my-repo'
+      - name: Scan run logs
+        uses: josiahsiegel/runleaks@4dd30d107c03b6ade87978e10c94a77015e488f9
+        id: scan
+        with:
+          github-token: ${{ secrets.MY_TOKEN }}
+          repo: 'me/my-repo'
+          run-limit: 200
+          min-days-old: 0
+          max-days-old: 4
+          fail-on-leak: true
+```
+
+## Local testing
+  * Registers default patterns
+```sh
+git clone https://github.com/CDCgov/prime-reportstream/.github/actions/runleaks.git
+cd runleaks/
+docker build -t runleaks .
+docker run scan "<PERSONAL_ACCESS_TOKEN>" "<REPO>" <RUN_LIMIT> <MIN_DAYS_OLD> <MAX_DAYS_OLD>
+```
+
+## Pattern file
+ * Default location: `.runleaks/patterns.txt`
+
+```
+####################################################################
+
+# Register a secret provider
+#--register-azure
+#--register-gcp
+--register-aws
+
+####################################################################
+
+# Add a prohibited pattern
+--add [A-Z0-9]{20}
+--add Account[k|K]ey
+--add Shared[a|A]ccessSignature
+
+####################################################################
+
+# Add a string that is scanned for literally (+ is escaped):
+--add --literal foo+bar
+
+####################################################################
+```
+
+## Exclusion file
+ * Default location: `.runleaks/exclusions.txt`
+```
+####################################################################
+
+# Add regular expressions patterns to filter false positives.
+
+# Allow GUID
+("|')[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}("|')
+
+####################################################################
+```
+
+## Performance
+
+ * Scan 50 runs = 1 min
+
+ * Scan 500 runs = 8 mins
+
+* Scan 3000 runs = 50 mins
+
+## Rate limits
+
+Built-in secret `GITHUB_TOKEN` is [limited to 1,000 requests per hour per repository](https://docs.github.com/en/rest/overview/resources-in-the-rest-api#requests-from-github-actions).
+
+To avoid repo-wide rate limiting, personal access tokens can be added to secrets, which are [limited to 5,000 requests per hour and per authenticated user](https://docs.github.com/en/rest/overview/resources-in-the-rest-api#requests-from-personal-accounts).

.github/actions/runleaks/action.yml

@@ -0,0 +1,55 @@
+# action.yml
+name: 'runleaks'
+description: 'Identify potential leaks in GitHub action logs'
+branding:
+  icon: 'search'  
+  color: 'red'
+inputs:
+  github-token:
+    description: 'Token used to login to GitHub'
+    required: true
+  repo:
+    description: 'Repo to scan run logs for exceptions'
+    required: false
+    default: ${{ github.repository }}
+  run-limit:
+    description: 'Limit on how many runs to scan'
+    required: false
+    default: '100'
+  min-days-old:
+    description: 'Min age of runs in days'
+    required: false
+    default: '0'
+  max-days-old:
+    description: 'Max age of runs in days'
+    required: false
+    default: '3'
+  patterns-path:
+    description: 'Patterns file path'
+    required: false
+    default: ".github/runleaks/patterns.txt"
+  exclusions-path:
+    description: 'Excluded patterns file path'
+    required: false
+    default: ".github/runleaks/exclusions.txt"
+  fail-on-leak:
+    description: 'Fail action if leak is found'
+    required: false
+    default: true
+outputs:
+  exceptions:
+    description: 'Json output of run logs with exceptions'
+  count:
+    description: 'Count of exceptions'
+runs:
+  using: 'docker'
+  image: 'Dockerfile'
+  args:
+    - ${{ inputs.github-token }}
+    - ${{ inputs.repo }}
+    - ${{ inputs.run-limit }}
+    - ${{ inputs.min-days-old }}
+    - ${{ inputs.max-days-old }}
+    - ${{ inputs.patterns-path }}
+    - ${{ inputs.exclusions-path }}
+    - ${{ inputs.fail-on-leak }}

.github/actions/runleaks/git-secrets/.pre-commit-hooks.yaml

@@ -0,0 +1,5 @@
+-   id: git-secrets
+    name: Git Secrets
+    description: git-secrets scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories.
+    entry: 'git-secrets --pre_commit_hook'
+    language: script

.github/actions/runleaks/git-secrets/CHANGELOG.md

@@ -0,0 +1,49 @@
+# CHANGELOG
+
+## 1.3.0 - 2019-02-10
+
+* Empty provider output is now excluded
+  (https://github.com/awslabs/git-secrets/issues/34)
+* Spaces are now supported in git exec path, making more Windows
+  paths execute properly.
+* Patterns with newlines and carriage returns are now loaded properly.
+* Patterns that contain only "\n" are now ignored.
+* Various Bash 4 fixes (https://github.com/awslabs/git-secrets/issues/66).
+* Make IAM key scanning much more targeted.
+
+## 1.2.1 - 2016-06-27
+
+* Fixed an issue where secret provider commands were causing "command not
+  found" errors due to a previously set IFS variable.
+  https://github.com/awslabs/git-secrets/pull/30
+
+## 1.2.0 - 2016-05-23
+
+* Fixed an issue where spaces files with spaces in their names were not being
+  properly scanned in the pre-commit hook.
+* Now ignoring empty lines and comments (e.g., `#`) in the .gitallowed file.
+* Fixed an issue where numbers were being compared to strings causing failures
+  on some platforms.
+
+## 1.1.0 - 2016-04-06
+
+* Bug fix: the pre-commit hook previously only scanned the working directory
+  rather than staged files. This release updates the pre-commit hook to instead
+  scan staged files so that git-secrets will detect violations if the working
+  directory drifts from the staging directory.
+* Added the `--scan-history` subcommand so that you can scan your entire
+  git history for violations.
+* Added the ability to filter false positives by using a .gitallowed file.
+* Added support for `--cached`, `--no-index`, and `--untracked` to the `--scan`
+  subcommand.
+
+## 1.0.1 - 2016-01-11
+
+* Now works correctly with filenames in a repository that contain spaces when
+  executing `git secrets --scan` with no provided filename (via `git grep`).
+* Now works with git repositories with hundreds of thousands of files when
+  using `git secrets --scan` with no provided filename (via `git grep`).
+
+## 1.0.0 - 2015-12-10
+
+* Initial release of ``git-secrets``.

.github/actions/runleaks/git-secrets/CODE_OF_CONDUCT.md

@@ -0,0 +1,4 @@
+## Code of Conduct
+This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 
+For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 
+[email protected] with any additional questions or comments.

.github/actions/runleaks/git-secrets/CONTRIBUTING.md

@@ -0,0 +1,61 @@
+# Contributing Guidelines
+
+Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional 
+documentation, we greatly value feedback and contributions from our community.
+
+Please read through this document before submitting any issues or pull requests to ensure we have all the necessary 
+information to effectively respond to your bug report or contribution.
+
+
+## Reporting Bugs/Feature Requests
+
+We welcome you to use the GitHub issue tracker to report bugs or suggest features.
+
+When filing an issue, please check [existing open](https://github.com/awslabs/git-secrets/issues), or [recently closed](https://github.com/awslabs/git-secrets/issues?utf8=%E2%9C%93&q=is%3Aissue%20is%3Aclosed%20), issues to make sure somebody else hasn't already 
+reported the issue. Please try to include as much information as you can. Details like these are incredibly useful:
+
+* A reproducible test case or series of steps
+* The version of our code being used
+* Any modifications you've made relevant to the bug
+* Anything unusual about your environment or deployment
+
+
+## Contributing via Pull Requests
+Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that:
+
+1. You are working against the latest source on the *master* branch.
+2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already.
+3. You open an issue to discuss any significant work - we would hate for your time to be wasted.
+
+To send us a pull request, please:
+
+1. Fork the repository.
+2. Modify the source; please focus on the specific change you are contributing. If you also reformat all the code, it will be hard for us to focus on your change.
+3. Ensure local tests pass.
+4. Commit to your fork using clear commit messages.
+5. Send us a pull request, answering any default questions in the pull request interface.
+6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation.
+
+GitHub provides additional document on [forking a repository](https://help.github.com/articles/fork-a-repo/) and 
+[creating a pull request](https://help.github.com/articles/creating-a-pull-request/).
+
+
+## Finding contributions to work on
+Looking at the existing issues is a great way to find something to contribute on. As our projects, by default, use the default GitHub issue labels ((enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any ['help wanted'](https://github.com/awslabs/git-secrets/labels/help%20wanted) issues is a great place to start. 
+
+
+## Code of Conduct
+This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 
+For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 
+[email protected] with any additional questions or comments.
+
+
+## Security issue notifications
+If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public github issue.
+
+
+## Licensing
+
+See the [LICENSE](https://github.com/awslabs/git-secrets/blob/master/LICENSE) file for our project's licensing. We will ask you to confirm the licensing of your contribution.
+
+We may ask you to sign a [Contributor License Agreement (CLA)](http://en.wikipedia.org/wiki/Contributor_License_Agreement) for larger changes.