diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..3e262ed
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,6 @@
+repos:
+ - repo: https://github.com/ibm/detect-secrets
+ rev: 0.13.1+ibm.62.dss
+ hooks:
+ - id: detect-secrets # pragma: whitelist secret
+ args: [--baseline, .secrets.baseline, --use-all-plugins, --fail-on-unaudited]
\ No newline at end of file
diff --git a/.secrets.baseline b/.secrets.baseline
new file mode 100644
index 0000000..8f93a57
--- /dev/null
+++ b/.secrets.baseline
@@ -0,0 +1,85 @@
+{
+ "exclude": {
+ "files": "go.sum|openapi2beans/go.sum|^.secrets.baseline$",
+ "lines": null
+ },
+ "generated_at": "2024-06-05T10:43:22Z",
+ "plugins_used": [
+ {
+ "name": "AWSKeyDetector"
+ },
+ {
+ "name": "ArtifactoryDetector"
+ },
+ {
+ "name": "AzureStorageKeyDetector"
+ },
+ {
+ "base64_limit": 4.5,
+ "name": "Base64HighEntropyString"
+ },
+ {
+ "name": "BasicAuthDetector"
+ },
+ {
+ "name": "BoxDetector"
+ },
+ {
+ "name": "CloudantDetector"
+ },
+ {
+ "ghe_instance": "github.ibm.com",
+ "name": "GheDetector"
+ },
+ {
+ "name": "GitHubTokenDetector"
+ },
+ {
+ "hex_limit": 3,
+ "name": "HexHighEntropyString"
+ },
+ {
+ "name": "IbmCloudIamDetector"
+ },
+ {
+ "name": "IbmCosHmacDetector"
+ },
+ {
+ "name": "JwtTokenDetector"
+ },
+ {
+ "keyword_exclude": null,
+ "name": "KeywordDetector"
+ },
+ {
+ "name": "MailchimpDetector"
+ },
+ {
+ "name": "NpmDetector"
+ },
+ {
+ "name": "PrivateKeyDetector"
+ },
+ {
+ "name": "SlackDetector"
+ },
+ {
+ "name": "SoftlayerDetector"
+ },
+ {
+ "name": "SquareOAuthDetector"
+ },
+ {
+ "name": "StripeDetector"
+ },
+ {
+ "name": "TwilioKeyDetector"
+ }
+ ],
+ "results": {},
+ "version": "0.13.1+ibm.62.dss",
+ "word_list": {
+ "file": null,
+ "hash": null
+ }
+}
diff --git a/build-locally.sh b/build-locally.sh
index 8e79e86..ca8eb62 100755
--- a/build-locally.sh
+++ b/build-locally.sh
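Review bot: The `# pragma: whitelist secret` on the `- id: detect-secrets` line uses the older wording while the annotations this commit adds in pkg/cmd/github.go, pkg/cmd/maven.go and tests.yaml use `pragma: allowlist secret`; using one form, `- id: detect-secrets # pragma: allowlist secret`, keeps a grep for suppressions complete. Nothing on that line looks like a secret, so if the hook id is not actually reported by a detector the pragma can be dropped rather than kept as a precaution. The hook only gates commits on machines where pre-commit is installed; unless the same scan also runs in CI (not visible here), an unaudited finding can still reach the main branch.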
@@ -79,6 +79,39 @@ LOGS_DIR :
 EOF
 }
+function check_exit_code () {
+ # This function takes 2 parameters in the form:
+ # $1 an integer value of the returned exit code
+ # $2 an error message to display if $1 is not equal to 0
+ if [[ "$1" != "0" ]]; then
+ error "$2"
+ exit 1
+ fi
+}
+
+function check_secrets {
+ h2 "updating secrets baseline"
+ cd ${BASEDIR}
+ detect-secrets scan --exclude-files "go.sum|openapi2beans/go.sum" --update .secrets.baseline
+ rc=$?
+ check_exit_code $rc "Failed to run detect-secrets. Please check it is installed properly"
+ success "updated secrets file"
+
+ h2 "running audit for secrets"
+ detect-secrets audit .secrets.baseline
+ rc=$?
+ check_exit_code $rc "Failed to audit detect-secrets."
+
+ #Check all secrets have been audited
+ secrets=$(grep -c hashed_secret .secrets.baseline)
+ audits=$(grep -c is_secret .secrets.baseline)
+ if [[ "$secrets" != "$audits" ]]; then
+ error "Not all secrets found have been audited"
+ exit 1
+ fi
+ success "secrets audit complete"
+}
+
 #-----------------------------------------------------------------------------------------
 # Process parameters
 #-----------------------------------------------------------------------------------------
@@ -132,11 +165,10 @@ cd ${BASEDIR}
 $cmd 2>&1 >> ${log_file}
 rc=$?
-if [[ "${rc}" != "0" ]]; then
- error "Failed to build the ${project}"
- exit 1
-fi
+check_exit_code $rc "Failed to build the ${project}"
 success "${project} built ok - log is at ${log_file}"
 h2 "Building openapi2beans."
-./openapi2beans/build-locally.sh
\ No newline at end of file
+./openapi2beans/build-locally.sh
+
+check_secrets
\ No newline at end of file
diff --git a/pkg/cmd/github.go b/pkg/cmd/github.go
index 4e8437c..6bf709c 100644
--- a/pkg/cmd/github.go
+++ b/pkg/cmd/github.go
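Review bot: The `detect-secrets scan --exclude-files "go.sum|openapi2beans/go.sum" --update .secrets.baseline` line in check_secrets passes a narrower exclude set than the committed baseline, whose exclude.files is `go.sum|openapi2beans/go.sum|^.secrets.baseline$`; if this version replaces the stored exclude on `--update` (it appears to, but confirm for this fork), every local build rewrites the baseline with the baseline file itself back in scope, and later scans may start reporting the hashed_secret values stored in it. Passing the same pattern, `--exclude-files "go.sum|openapi2beans/go.sum|^.secrets.baseline$"`, or dropping the flag so the stored exclude is reused, keeps the script and the pre-commit hook scanning the same set. The audit-completeness check relies on unaudited entries having a `hashed_secret` key but no `is_secret` key; if this version writes `is_secret` as null for unaudited entries the two grep counts always agree and the check passes vacuously, which is worth verifying once against a baseline with a single unaudited finding. `detect-secrets audit` is interactive, so check_secrets will wait on stdin whenever there is something to audit; that is fine for a local build script but the function should not be reused as-is in CI.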
@@ -80,13 +80,13 @@ func githubGetBasicAuth() (string, error) {
 }
 githubUsername = creds.Username
- githubPassword = creds.Password
+ githubPassword = creds.Password //Not a secret but logic for a secret //pragma: allowlist secret
 }
- auth := fmt.Sprintf("%v:%v", githubUsername, githubPassword)
+ auth := fmt.Sprintf("%v:%v", githubUsername, githubPassword) //Not a secret but logic for a secret //pragma: allowlist secret
 sEnc := base64.StdEncoding.EncodeToString([]byte(auth))
- basicAuth := fmt.Sprintf("Basic %v", sEnc)
+ basicAuth := fmt.Sprintf("Basic %v", sEnc) //Not a secret but logic for a secret //pragma: allowlist secret
 return basicAuth, nil
 }
diff --git a/pkg/cmd/maven.go b/pkg/cmd/maven.go
index 00a1e62..4341803 100644
--- a/pkg/cmd/maven.go
+++ b/pkg/cmd/maven.go
@@ -79,13 +79,13 @@ func mavenGetBasicAuth() (string, error) {
 }
 mavenUsername = creds.Username
- mavenPassword = creds.Password
+ mavenPassword = creds.Password //Not a secret but logic for a secret //pragma: allowlist secret
 }
- auth := fmt.Sprintf("%v:%v", mavenUsername, mavenPassword)
+ auth := fmt.Sprintf("%v:%v", mavenUsername, mavenPassword) //Not a secret but logic for a secret //pragma: allowlist secret
 sEnc := base64.StdEncoding.EncodeToString([]byte(auth))
- basicAuth := fmt.Sprintf("Basic %v", sEnc)
+ basicAuth := fmt.Sprintf("Basic %v", sEnc) //Not a secret but logic for a secret //pragma: allowlist secret
 return basicAuth, nil
 }
diff --git a/tests.yaml b/tests.yaml
index 07ef548..a523952 100644
--- a/tests.yaml
+++ b/tests.yaml
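Review bot: The trailing `//Not a secret but logic for a secret //pragma: allowlist secret` comments on the `githubPassword`, `auth` and `basicAuth` lines are misleading: all three variables hold the credential at runtime, and what the pragma actually asserts is only that nothing is hard-coded on that line. A shorter, accurate form such as `githubPassword = creds.Password // pragma: allowlist secret (read from the credential store, nothing hard-coded)` says that, and it should be placed only on the lines the scanner reports rather than on all three by default. The identical three comments in pkg/cmd/maven.go's mavenGetBasicAuth should change in the same way. githubGetBasicAuth starts before this hunk, so the source of `creds` is not visible here.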
@@ -15,7 +15,7 @@ tests:
 galasaecosystem.docker.version: codecov
 galasaecosystem.runtime.repository: http://development.galasa.dev/codecov/maven-repo/obr
 java.jacoco.code.coverage: "true"
- java.jacoco.save.credentials: JACOCO
+ java.jacoco.save.credentials: JACOCO #Not a secret but a name for a credential value #pragma: allowlist secret
 java.jacoco.save.location: https://nexus.galasa.dev/repository/jacoco/codecov/execs
 zos.dse.tag.PRIMARY.clusterid: PLEX2
 zos.dse.tag.PRIMARY.imageid: MV2D