Story
As a Galasa developer, I want detectSecrets to be configured to run automatically, so that any secrets which are checked in are detected and fail builds.
Background
We used to have detectSecrets working on the repositories.
It requires a secrets baseline to be created and put into the root folder.
All of the build-locally scripts within the gradle repository need adjusting so that:
  If a chained build-locally is running through all the modules, the entire repo is scanned at the end.
  If the build-locally is not being run as part of the chain, the entire repo is scanned at the end.
  e.g. use an environment variable to figure out whether builds are being chained together or not.
  So that the scanning of the entire repo is done only once when you run the local build scripts.
Make sure that the tool is configured on the repo within GitHub?
Tasks
A separate script, detect-secrets.sh, is created and added to /galasa/tools.
That tool should:
  check for pip and fail if it is not installed;
  use pip to figure out whether the detect-secrets tool is installed yet, and install it if not;
  run the detect-secrets tool from the root folder.
The overall /galasa/tools/build-locally.sh runs the tool at the end, keeping the baseline in the root folder.
The existing baselines are removed from each sub-module.
Each of the sub-module build-locally.sh scripts calls the overall detect-secrets.sh script if it is not being executed in 'chained' mode from the top level.
The build process for all the GitHub repos also runs the detect-secrets tool from GitHub Actions:
  galasa repo
  cli repo
  helm repo
  ...etc.
Investigate whether the script can check and help install the pre-commit hook?
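One way the detect-secrets.sh described in the tasks above could be written, as an added example that is not Galasa's own script. It assumes chained top-level builds export GALASA_BUILD_CHAINED=true, that the single baseline lives at .secrets.baseline in the repo root, and that the IBM fork's pip install URL and the detect-secrets-hook --baseline invocation behave as in the upstream tool; none of those names come from the issue.

```shell
#!/bin/sh
# Hypothetical /galasa/tools/detect-secrets.sh (added example, not Galasa's own script).
set -e

# Only scan when not inside a chained top-level build; the root build-locally.sh
# scans once at the end. GALASA_BUILD_CHAINED is an assumed variable name.
should_scan() {
    [ "${GALASA_BUILD_CHAINED:-false}" != "true" ]
}

# Fail if pip is not installed.
require_pip() {
    if command -v pip3 >/dev/null 2>&1; then PIP=pip3
    elif command -v pip >/dev/null 2>&1; then PIP=pip
    else
        echo "error: pip is not installed; cannot install detect-secrets" >&2
        return 1
    fi
}

# Install the IBM fork via pip if pip does not report it as installed.
# Assumed install URL, taken from the IBM/detect-secrets README.
ensure_detect_secrets() {
    if ! "$PIP" show detect-secrets >/dev/null 2>&1; then
        echo "detect-secrets not found, installing..." >&2
        "$PIP" install --upgrade \
            "git+https://github.com/IBM/detect-secrets.git@master#egg=detect-secrets"
    fi
}

# Scan every tracked file from the repo root against the single root baseline.
# detect-secrets-hook exits non-zero for a secret missing from the baseline, failing the build.
scan_repo() {
    cd "$(git rev-parse --show-toplevel)"
    git ls-files -z | xargs -0 detect-secrets-hook --baseline .secrets.baseline
}

main() {
    if ! should_scan; then
        echo "chained build: skipping scan, root build-locally.sh scans once at the end" >&2
        return 0
    fi
    require_pip
    ensure_detect_secrets
    scan_repo
}

# Run only when invoked directly as detect-secrets.sh, not when sourced.
case "${0##*/}" in detect-secrets.sh) main "$@" ;; esac
```

A sub-module build-locally.sh can simply call this script; in chained mode it returns immediately and the top-level script performs the one repo-wide scan.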
A bit more digging. This is the actual tool we are using I hope: https://github.com/IBM/detect-secrets