Skip to content

Commit

Permalink
Merge pull request #770 from NASA-PDS/software-issues-repo#55
Browse files Browse the repository at this point in the history 
Add secrets detection
  • Loading branch information
@jordanpadams
jordanpadams authored Nov 30, 2023
2 parents b11f89f + 2c2e31a commit 564aef9
Show file tree
Hide file tree
Showing 3 changed files with 459 additions and 1 deletion.
70 changes: 70 additions & 0 deletions .github/workflows/secrets-detection.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,70 @@
name: Secret Detection Workflow
on:
push:
branches:
- main
pull_request:
branches:
- main

jobs:
secret-detection:
runs-on: ubuntu-latest
steps:
-
name: Checkout code
uses: actions/checkout@v4
-
name: Install necessary packages
run: |
pip install git+https://github.com/NASA-AMMOS/slim-detect-secrets.git@exp
pip install jq
-
name: Create an initial .secrets.baseline if .secrets.baseline does not exist
run: |
if [ ! -f .secrets.baseline ]; then
# This generated baseline file will only be temporarily available on the GitHub side and will not appear in the user's local files.
# Scanning an empty folder to generate an initial .secrets.baseline without secrets in the results.
echo "⚠️ No existing .secrets.baseline file detected. Creating a new blank baseline file."
mkdir empty-dir
detect-secrets scan empty-dir > .secrets.baseline
echo "✅ Blank .secrets.baseline file created successfully."
rm -r empty-dir
else
echo "✅ Existing .secrets.baseline file detected. No new baseline file will be created."
fi
-
name: Scan repository for secrets
run: |
# scripts to scan repository for new secrets
# backup the list of known secrets
cp .secrets.baseline .secrets.new
# find the secrets in the repository
detect-secrets scan --disable-plugin AbsolutePathDetectorExperimental --baseline .secrets.new \
--exclude-files '\.secrets..*' \
--exclude-files '\.pre-commit-config\.yaml' \
--exclude-files '\.git.*' \
--exclude-files 'target'
# if there is any difference between the known and newly detected secrets, break the build
# Function to compare secrets without listing them
compare_secrets() { diff <(jq -r '.results | keys[] as $key | "\($key),\(.[$key] | .[] | .hashed_secret)"' "$1" | sort) <(jq -r '.results | keys[] as $key | "\($key),\(.[$key] | .[] | .hashed_secret)"' "$2" | sort) >/dev/null; }
# Check if there's any difference between the known and newly detected secrets
if ! compare_secrets .secrets.baseline .secrets.new; then
echo "⚠️ Attention Required! ⚠️" >&2
echo "New secrets have been detected in your recent commit. Due to security concerns, we cannot display detailed information here and we cannot proceed until this issue is resolved." >&2
echo "" >&2
echo "Please follow the steps below on your local machine to reveal and handle the secrets:" >&2
echo "" >&2
echo "1️⃣ Run the 'detect-secrets' tool on your local machine. This tool will identify and clean up the secrets. You can find detailed instructions at this link: https://nasa-ammos.github.io/slim/continuous-testing/starter-kits/#detect-secrets" >&2
echo "" >&2
echo "2️⃣ After cleaning up the secrets, commit your changes and re-push your update to the repository." >&2
echo "" >&2
echo "Your efforts to maintain the security of our codebase are greatly appreciated!" >&2
exit 1
fi
14 changes: 13 additions & 1 deletion .pre-commit-config.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,4 +4,16 @@ repos:
hooks:
- id: pretty-format-java
args: [--autofix]
files: .*\.java$
files: .*\.java$
- repo: https://github.com/NASA-AMMOS/slim-detect-secrets
# using commit id for now, will change to tag when official version is released
rev: 91e097ad4559ae6ab785c883dc5ed989202c7fbe
hooks:
- id: detect-secrets
args:
- '--baseline'
- '.secrets.baseline'
- --exclude-files '\.secrets..*'
- --exclude-files '\.git.*'
- --exclude-files '\.pre-commit-config\.yaml'
- --exclude-files 'target'
Loading

0 comments on commit 564aef9

Please sign in to comment.