added .pre-commit-config.yaml file to trigger detect-secrets

Signed-off-by: Savvas Kyriacou <[email protected]>
galasa-dev · Jun 5, 2024 · de2d8ac · de2d8ac
1 parent cad4988
commit de2d8ac
Show file tree

Hide file tree

Showing 6 changed files with 135 additions and 12 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,6 @@
+repos:
+  - repo: https://github.com/ibm/detect-secrets
+    rev: 0.13.1+ibm.62.dss
+    hooks:
+      - id: detect-secrets # pragma: whitelist secret
+        args: [--baseline, .secrets.baseline, --use-all-plugins, --fail-on-unaudited]
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -0,0 +1,85 @@
+{
+  "exclude": {
+    "files": "go.sum|openapi2beans/go.sum|^.secrets.baseline$",
+    "lines": null
+  },
+  "generated_at": "2024-06-05T10:43:22Z",
+  "plugins_used": [
+    {
+      "name": "AWSKeyDetector"
+    },
+    {
+      "name": "ArtifactoryDetector"
+    },
+    {
+      "name": "AzureStorageKeyDetector"
+    },
+    {
+      "base64_limit": 4.5,
+      "name": "Base64HighEntropyString"
+    },
+    {
+      "name": "BasicAuthDetector"
+    },
+    {
+      "name": "BoxDetector"
+    },
+    {
+      "name": "CloudantDetector"
+    },
+    {
+      "ghe_instance": "github.ibm.com",
+      "name": "GheDetector"
+    },
+    {
+      "name": "GitHubTokenDetector"
+    },
+    {
+      "hex_limit": 3,
+      "name": "HexHighEntropyString"
+    },
+    {
+      "name": "IbmCloudIamDetector"
+    },
+    {
+      "name": "IbmCosHmacDetector"
+    },
+    {
+      "name": "JwtTokenDetector"
+    },
+    {
+      "keyword_exclude": null,
+      "name": "KeywordDetector"
+    },
+    {
+      "name": "MailchimpDetector"
+    },
+    {
+      "name": "NpmDetector"
+    },
+    {
+      "name": "PrivateKeyDetector"
+    },
+    {
+      "name": "SlackDetector"
+    },
+    {
+      "name": "SoftlayerDetector"
+    },
+    {
+      "name": "SquareOAuthDetector"
+    },
+    {
+      "name": "StripeDetector"
+    },
+    {
+      "name": "TwilioKeyDetector"
+    }
+  ],
+  "results": {},
+  "version": "0.13.1+ibm.62.dss",
+  "word_list": {
+    "file": null,
+    "hash": null
+  }
+}
diff --git a/build-locally.sh b/build-locally.sh
@@ -79,6 +79,39 @@ LOGS_DIR :
 EOF
 }
 
+function check_exit_code () {
+    # This function takes 2 parameters in the form:
+    # $1 an integer value of the returned exit code
+    # $2 an error message to display if $1 is not equal to 0
+    if [[ "$1" != "0" ]]; then 
+        error "$2" 
+        exit 1  
+    fi
+}
+
+function check_secrets {
+    h2 "updating secrets baseline"
+    cd ${BASEDIR}
+    detect-secrets scan --exclude-files "go.sum|openapi2beans/go.sum" --update .secrets.baseline
+    rc=$? 
+    check_exit_code $rc "Failed to run detect-secrets. Please check it is installed properly" 
+    success "updated secrets file"
+
+    h2 "running audit for secrets"
+    detect-secrets audit .secrets.baseline
+    rc=$? 
+    check_exit_code $rc "Failed to audit detect-secrets."
+
+    #Check all secrets have been audited
+    secrets=$(grep -c hashed_secret .secrets.baseline)
+    audits=$(grep -c is_secret .secrets.baseline)
+    if [[ "$secrets" != "$audits" ]]; then 
+        error "Not all secrets found have been audited"
+        exit 1  
+    fi
+    success "secrets audit complete"
+}
+
 #-----------------------------------------------------------------------------------------                   
 # Process parameters
 #-----------------------------------------------------------------------------------------                   
@@ -132,11 +165,10 @@ cd ${BASEDIR}
 $cmd 2>&1 >> ${log_file}
 
 rc=$? 
-if [[ "${rc}" != "0" ]]; then 
-    error "Failed to build the ${project}" 
-    exit 1 
-fi
+check_exit_code $rc "Failed to build the ${project}" 
 success "${project} built ok - log is at ${log_file}"
 
 h2 "Building openapi2beans."
-./openapi2beans/build-locally.sh
+./openapi2beans/build-locally.sh
+
+check_secrets
diff --git a/pkg/cmd/github.go b/pkg/cmd/github.go
@@ -80,13 +80,13 @@ func githubGetBasicAuth() (string, error) {
 		}
 
 		githubUsername = creds.Username
-		githubPassword = creds.Password
+		githubPassword = creds.Password //Not a secret but logic for a secret //pragma: allowlist secret 
 	}
 
-	auth := fmt.Sprintf("%v:%v", githubUsername, githubPassword)
+	auth := fmt.Sprintf("%v:%v", githubUsername, githubPassword) //Not a secret but logic for a secret //pragma: allowlist secret 
 	sEnc := base64.StdEncoding.EncodeToString([]byte(auth))
 
-	basicAuth := fmt.Sprintf("Basic %v", sEnc)
+	basicAuth := fmt.Sprintf("Basic %v", sEnc) //Not a secret but logic for a secret //pragma: allowlist secret 
 
 	return basicAuth, nil
 }
diff --git a/pkg/cmd/maven.go b/pkg/cmd/maven.go
@@ -79,13 +79,13 @@ func mavenGetBasicAuth() (string, error) {
 		}
 
 		mavenUsername = creds.Username
-		mavenPassword = creds.Password
+		mavenPassword = creds.Password //Not a secret but logic for a secret //pragma: allowlist secret 
 	}
 
-	auth := fmt.Sprintf("%v:%v", mavenUsername, mavenPassword)
+	auth := fmt.Sprintf("%v:%v", mavenUsername, mavenPassword) //Not a secret but logic for a secret //pragma: allowlist secret 
 	sEnc := base64.StdEncoding.EncodeToString([]byte(auth))
 
-	basicAuth := fmt.Sprintf("Basic %v", sEnc)
+	basicAuth := fmt.Sprintf("Basic %v", sEnc) //Not a secret but logic for a secret //pragma: allowlist secret 
 
 	return basicAuth, nil
 }
diff --git a/tests.yaml b/tests.yaml
@@ -15,7 +15,7 @@ tests:
     galasaecosystem.docker.version: codecov
     galasaecosystem.runtime.repository: http://development.galasa.dev/codecov/maven-repo/obr
     java.jacoco.code.coverage: "true"
-    java.jacoco.save.credentials: JACOCO
+    java.jacoco.save.credentials: JACOCO #Not a secret but a name for a credential value #pragma: allowlist secret 
     java.jacoco.save.location: https://nexus.galasa.dev/repository/jacoco/codecov/execs
     zos.dse.tag.PRIMARY.clusterid: PLEX2
     zos.dse.tag.PRIMARY.imageid: MV2D