BFD-3606: Add gitleaks configuration on pre-commit (#2420)

.github/scripts/pre-commit.sh

@@ -74,5 +74,19 @@ runShellCheckForCommitFiles() {
     exit 1
   fi
 }
+
+checkGitleaks() {
+  echo "Attempting to execute gitleaks. This may take a minute..."
+  if ! command -v gitleaks >/dev/null; then
+    echo "'gitleaks' not found. Install gitleaks before pushing your changes."
+    return 1
+  fi
+  if gitleaks protect --staged --verbose; then
+    return 0
+  else
+    return 1
+  fi
+}
 checkSecretFilesForPlainText
 runShellCheckForCommitFiles
+checkGitleaks

.gitignore

@@ -1,6 +1,7 @@
 # Ignore hidden files, except for known config files that we want to track.
 # This covers most Eclipse, VSCode, etc.  metadata, which is nice.
 .*
+!.gitleaks.toml
 !.dockerignore
 !.gitignore
 !.gitattributes

.gitleaks.toml

@@ -0,0 +1,39 @@
+title = "BFD GitLeaks Configuration"
+
+[extend]
+useDefault = true
+
+[[rules]]
+id = "mbi-detection"
+description = "Detects a potential MBI pattern based on https://www.cms.gov/medicare/new-medicare-card/understanding-the-mbi.pdf"
+regex = '''([0-9])([ACDEFGHJKMNPQRTUVWXY])([0-9]|[ACDEFGHJKMNPQRTUVWXY])([0-9])([ACDEFGHJKMNPQRTUVWXY])([0-9]|[ACDEFGHJKMNPQRTUVWXY])([0-9])([ACDEFGHJKMNPQRTUVWXY])([ACDEFGHJKMNPQRTUVWXY])([0-9])([0-9])'''
+[rules.allowlist]
+commits = [
+    '''aec486a5597d867d3a2677907dee9bfa979c9dae''', # R4PatientResourceProviderTest.java contained a poorly constructed synthetic MBI
+    '''682ab7e1b531c3852bd78d29f57f63d244615080''', # R4PatientResourceProviderTest.java contained a poorly constructed synthetic MBI
+]
+paths = [
+    '''apps/bfd-model/bfd-model-rif-samples/src/main/resources/rif-static-samples/sample-mct-update-6-beneficiaries.txt''',
+    '''apps/bfd-model/bfd-model-rif-samples/src/main/resources/rif-static-samples/sample-mct-update-7-beneficiaries.txt''',
+]
+regexTarget = "match"
+regexes = [
+  '''(1EG4TE5MK73)''', # Sample notional MBI referenced as part of https://www.cms.gov/medicare/new-medicare-card/understanding-the-mbi.pdf
+]
+
+[allowlist]
+description = '''General allow list'''
+commits = [
+    '''af39f8b2a77d0d36197601ce23972735c3bfa382''', # data-sources.tf contained a non-sensitive AWS KMS Key identifier matching a "Generaic API Key" pattern
+    '''82cbfb7eb1977caf5c19c25975ff5cd05c642fc1''', # build_bfd-platinum.json contained a non-sensitive AWS KMS Key identifier matching a "Generic API Key" pattern
+]
+paths = [
+    '''apps/bfd-pipeline/bfd-pipeline-rda-grpc/src/test/resources/FISS.ndjson''',
+    '''ops/ansible/roles/bfd-server/test/test_basic.yml''',
+    '''apps/bfd-server/dev/ssl-stores/client-unsecured-key.pem''',
+    '''apps/bfd-server/dev/ssl-stores/server.key''',
+    '''bfd-ops/ansible/roles/attach_ebs/tasks/main.yml''',
+    '''dev/ssl-stores/client-unsecured.pem''',
+    '''dev/ssl-stores/client-test-keypair.pem''',
+    '''files/client-test-keypair.pem''',
+]

apps/bfd-server/bfd-server-war/src/test/java/gov/cms/bfd/server/war/r4/providers/R4PatientResourceProviderTest.java

@@ -117,10 +117,13 @@ public class R4PatientResourceProviderTest {
           TransformerConstants.CODING_BBAPI_BENE_MBI_HASH,
           "7004708ca44c2ff45b663ef661059ac98131ccb90b4a7e53917e3af7f50c4c56");
 
-  /** US-MBI search identifier using a made-up MBI value. */
+  /**
+   * US-MBI search identifier using sample MBI value from
+   * https://www.cms.gov/medicare/new-medicare-card/understanding-the-mbi.pdf.
+   */
   private final TokenParam unhashedMbiIdentifier =
       new TokenParam(
-          TransformerConstants.CODING_BBAPI_MEDICARE_BENEFICIARY_ID_UNHASHED, "9X99XX9XX99");
+          TransformerConstants.CODING_BBAPI_MEDICARE_BENEFICIARY_ID_UNHASHED, "1EG4TE5MK73");
 
   /** A 'valid' contract id to use in tests. */
   private final TokenParam contractId = new TokenParam("2001/PTDCNTRCT10", "abcde");

apps/pom.xml

@@ -79,6 +79,7 @@
         </sonar.issue.ignore.multicriteria.e1.resourceKey>
         <micrometer.version>1.12.1</micrometer.version>
         <metrics.version>4.2.25</metrics.version>
+        <git-build-hook-maven-plugin.version>3.5.0</git-build-hook-maven-plugin.version>
         <dropwizard-metrics-newrelic.version>0.9.0</dropwizard-metrics-newrelic.version>
         <telemetry-http-okhttp.version>0.16.0</telemetry-http-okhttp.version>
         <aws-java-sdk-bom.version>2.25.70</aws-java-sdk-bom.version>
@@ -822,25 +823,6 @@
                     <artifactId>fmt-maven-plugin</artifactId>
                     <version>${fmt.maven.plugin.version}</version>
                 </plugin>
-                <plugin>
-                    <groupId>com.rudikershaw.gitbuildhook</groupId>
-                    <artifactId>git-build-hook-maven-plugin</artifactId>
-                    <version>3.4.1</version>
-                    <configuration>
-                        <installHooks>
-                            <!-- Install git hooks; this only works from the top apps directory during an install (build). -->
-                            <pre-commit>../.github/scripts/pre-commit.sh</pre-commit>
-                            <pre-push>../.github/scripts/pre-push.sh</pre-push>
-                        </installHooks>
-                    </configuration>
-                    <executions>
-                        <execution>
-                            <goals>
-                                <goal>install</goal>
-                            </goals>
-                        </execution>
-                    </executions>
-                </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-compiler-plugin</artifactId>
@@ -1031,9 +1013,25 @@
                     <rulesUri>file://${maven.multiModuleProjectDirectory}/rules.xml</rulesUri>
                 </configuration>
             </plugin>
+            <!-- Reduce noise by limiting installation to the bfd-parent, disabling inheritance to children. -->
             <plugin>
                 <groupId>com.rudikershaw.gitbuildhook</groupId>
                 <artifactId>git-build-hook-maven-plugin</artifactId>
+                <version>${git-build-hook-maven-plugin.version}</version>
+                <inherited>false</inherited>
+                <configuration>
+                    <installHooks>
+                        <pre-commit>${project.basedir}/../.github/scripts/pre-commit.sh</pre-commit>
+                        <pre-push>${project.basedir}/../.github/scripts/pre-push.sh</pre-push>
+                    </installHooks>
+                </configuration>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>install</goal>
+                        </goals>
+                    </execution>
+                </executions>
             </plugin>
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>