From ff171053af8d66b6073ab3dc0ac16b6a478ade5f Mon Sep 17 00:00:00 2001
From: IngyHere
Date: Thu, 14 Mar 2024 19:21:12 -0700
Subject: [PATCH] NASA-AMMOS/slim#89: Functional GitHub Actions-based secrets detection. ...
---
.github/workflows/secrets-detection.yml | 97 +++++++++++++++++++++++++
.gitignore | 1 +
.secrets.baseline | 15 ++++
3 files changed, 113 insertions(+)
create mode 100644 .github/workflows/secrets-detection.yml
create mode 100644 .secrets.baseline
diff --git a/.github/workflows/secrets-detection.yml b/.github/workflows/secrets-detection.yml
new file mode 100644
index 0000000..e49eb40
--- /dev/null
+++ b/.github/workflows/secrets-detection.yml
@@ -0,0 +1,97 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to exclude files from analyses. (See "Scan"
+# configuration block below.)
+#
+# For more information, see:
+# https://nasa-ammos.github.io/slim/docs/guides/software-lifecycle/security/secrets-detection
+#
+# ******** NOTE ********
+# Detect Secrets will compare known values from the ".secrets.baseline" file
+# located in the root of the repository. Should any false detections occur,
+# this file should be committed locally with an exception added to .gitignore
+# to prevent inadvertent modification or overwrite.
+#
+name: "Secret Detection"
+on:
+ push:
+ branches: [main, develop]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [develop]
+
+jobs:
+ secret-detection:
+ name: Secret-Detection
+ runs-on: ubuntu-latest
+ permissions:
+ actions: write
+ contents: read
+ security-events: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - name: Upgrade tooling
+ run: |
+ python3 -m pip install --upgrade pip
+ pip install --upgrade git+https://github.com/NASA-AMMOS/slim-detect-secrets.git@exp
+ pip install --upgrade jq
+ - name: Create baseline config
+ run: |
+ if [ ! -f .secrets.baseline ] ;
+ then
+ # This generated baseline file will only be temporarily available on the GitHub side and will not appear in the user's local files.
+ # Scanning an empty folder to generate an initial .secrets.baseline without secrets in the results.
+ echo "⚠️ No existing .secrets.baseline file detected. Creating a new blank baseline file."
+ mkdir empty-dir
+ detect-secrets scan empty-dir > .secrets.baseline
+ echo "✅ Blank .secrets.baseline file created successfully."
+ rm -r empty-dir
+ else
+ echo "✅ Existing .secrets.baseline file detected. No new baseline file will be created."
+ fi
+ - name: Scan
+ run: |
+ # scripts scan repository for new secrets
+ # backup list of known secrets
+ cp -pr .secrets.baseline .secrets.new
+ # find secrets in the repository
+ detect-secrets scan --disable-plugin AbsolutePathDetectorExperimental --baseline .secrets.new \
+ --exclude-files '\.secrets..*' \
+ --exclude-files '\.git.*' \
+ --exclude-files '\.mypy_cache' \
+ --exclude-files '\.pytest_cache' \
+ --exclude-files '\.tox' \
+ --exclude-files '\.venv' \
+ --exclude-files 'venv' \
+ --exclude-files 'dist' \
+ --exclude-files 'build' \
+ --exclude-files '.*\.egg-info'
+ # break build when new secrets discovered
+ # function compares baseline/new secrets w/o listing results -- success(0) when new secret found
+ compare_secrets() { diff <(jq -r '.results | keys[] as $key | "\($key),\(.[$key] | .[] | .hashed_secret)"' "${1}" | sort) <(jq -r '.results | keys[] as $key | "\($key),\(.[$key] | .[] | .hashed_secret)"' "${2}" | sort) | grep -q '>' ; }
+ # test baseline versus new secret files
+ if compare_secrets .secrets.baseline .secrets.new;
+ then
+ echo "⚠️ Attention Required! ⚠️" >&2
+ echo "New secrets have been detected in your recent commit. Due to security concerns, we cannot display detailed information here and we cannot proceed until this issue is resolved." >&2
+ echo "" >&2
+ echo "Please follow the steps below on your local machine to reveal and handle the secrets:" >&2
+ echo "" >&2
+ echo "1️⃣ Run the 'detect-secrets' tool on your local machine. This tool will identify and clean up the secrets. You can find detailed instructions at this link: https://nasa-ammos.github.io/slim/continuous-testing/starter-kits/#detect-secrets" >&2
+ echo "" >&2
+ echo "2️⃣ After cleaning up the secrets, commit your changes and re-push your update to the repository." >&2
+ echo "" >&2
+ echo "Your efforts to maintain the security of our codebase are greatly appreciated!" >&2
+ exit 1
+ else
+ echo "🟢 Secrets tests PASSED! 🟢" >&1
+ echo "No new secrets were detected in comparison to any baseline configurations." >&1
+ exit 0
+ fi
diff --git a/.gitignore b/.gitignore
index 72edd65..80dca73 100644
--- a/.gitignore
+++ b/.gitignore
@@ -51,6 +51,7 @@ coverage.xml *.py,cover .hypothesis/ .pytest_cache/ +.secrets* # Translations *.mo
diff --git a/.secrets.baseline b/.secrets.baseline
new file mode 100644
index 0000000..af285a6
--- /dev/null
+++ b/.secrets.baseline
@@ -0,0 +1,15 @@
+{
+ "version": "1.4.0",
+ "results": {
+ "setup.cfg": [
+ {
+ "type": "Email Address",
+ "filename": "setup.cfg",
+ "hashed_secret": "3d5f1cb1412e27257b118b0fbf9dcccf390be6cb",
+ "is_verified": false,
+ "line_number": 31
+ }
+ ]
+ },
+ "generated_at": "2024-03-14T20:03:34Z"
+}
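Review bot: The scanner that gates this check is installed from a moving branch in the "Upgrade tooling" step, `pip install --upgrade git+https://github.com/NASA-AMMOS/slim-detect-secrets.git@exp`, so every run executes whatever that fork's `exp` branch currently contains and a compromised or breaking push there silently changes or disables detection; pin it to an immutable commit, e.g. `pip install "git+https://github.com/NASA-AMMOS/slim-detect-secrets.git@<full-commit-sha>"`, and pin `actions/checkout` by SHA rather than the mutable `v4` tag for the same reason. The job also requests `actions: write` and `security-events: write` although none of the four steps uploads SARIF or calls the Actions API, so `permissions:` can be reduced to `contents: read` alone. `compare_secrets` appears to fail open: a `jq` parse error inside the `<( … )` process substitutions is not propagated to the pipeline's exit status, which leaves `diff` with nothing to report, `grep -q '>'` returns non-zero, and the step prints "Secrets tests PASSED" against an unreadable baseline or scan result; validate both files before comparing, `jq -e '.results' .secrets.baseline .secrets.new >/dev/null`, so a broken file aborts the step under the shell's `-e`. The PyPI `jq` package is a Python binding and does not provide the `jq` executable the script invokes, so that install line does nothing for this step and the job presumably relies on the runner's preinstalled jq — worth a comment or dropping the line. Finally, `pull_request` is restricted to `branches: [develop]`, so a pull request opened against `main` is only scanned by the `push` trigger after it has been merged.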
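Review bot: The new `.secrets*` rule does not achieve what the workflow header comment attributes to it for `.secrets.baseline`: that file is added as a tracked file in this same commit, and a gitignore pattern never suppresses changes to already-tracked files, so baseline edits (including an attacker-friendly one that whitelists a real secret) will still show up and commit as usual and need review like any other change. What the pattern does cover is the scratch `.secrets.new` the workflow writes and any other `.secrets*` file in any directory, which is reasonable, but its intent should be stated, e.g. `# detect-secrets scratch files (.secrets.new); the tracked .secrets.baseline is unaffected`.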