testing detect-secrets with java

nasa-pds-engineering-node · Nov 9, 2023 · f914168 · f914168
1 parent 8f3a616
commit f914168
Show file tree

Hide file tree

Showing 3 changed files with 186 additions and 14 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -7,7 +7,7 @@
 #
 # Currently for Java repositories, we support the following hooks:
 #
-# - Git Secrets (https://github.com/awslabs/git-secrets)
+# - Detect Secrets (https://nasa-ammos.github.io/slim/docs/guides/software-lifecycle/security/secrets-detection/)
 #
 # Future hooks could include: trailing whitespace alerts, executable shebangs,
 # debug statements left in code, Google code style adherence, etc.
@@ -17,12 +17,17 @@
 
 repos:
     -
-        # Git Secrets: prevent API keys, passwords, etc.
-        repo: https://github.com/awslabs/git-secrets.git
-        rev: b9e96b3212fa06aea65964ff0d5cda84ce935f38
+        repo: https://github.com/NASA-AMMOS/slim-detect-secrets
+        # using commit id for now, will change to tag when official version is released
+        rev: 91e097ad4559ae6ab785c883dc5ed989202c7fbe
         hooks:
-            -
-                id: git-secrets
+          - id: detect-secrets
+            args:
+              - '--baseline'
+              - '.secrets.baseline'
+              - --exclude-files '\.secrets..*'
+              - --exclude-files '\.git.*'
+              - --exclude-files 'target'
 
 ...
 

diff --git a/.secrets.baseline b/.secrets.baseline
@@ -0,0 +1,147 @@
+{
+  "version": "1.4.0",
+  "plugins_used": [
+    {
+      "name": "AbsolutePathDetectorExperimental"
+    },
+    {
+      "name": "ArtifactoryDetector"
+    },
+    {
+      "name": "AWSKeyDetector"
+    },
+    {
+      "name": "AWSSensitiveInfoDetectorExperimental"
+    },
+    {
+      "name": "AzureStorageKeyDetector"
+    },
+    {
+      "name": "Base64HighEntropyString",
+      "limit": 4.5
+    },
+    {
+      "name": "BasicAuthDetector"
+    },
+    {
+      "name": "CloudantDetector"
+    },
+    {
+      "name": "DiscordBotTokenDetector"
+    },
+    {
+      "name": "EmailAddressDetector"
+    },
+    {
+      "name": "GitHubTokenDetector"
+    },
+    {
+      "name": "HexHighEntropyString",
+      "limit": 3.0
+    },
+    {
+      "name": "IbmCloudIamDetector"
+    },
+    {
+      "name": "IbmCosHmacDetector"
+    },
+    {
+      "name": "IPPublicDetector"
+    },
+    {
+      "name": "JwtTokenDetector"
+    },
+    {
+      "name": "KeywordDetector",
+      "keyword_exclude": ""
+    },
+    {
+      "name": "MailchimpDetector"
+    },
+    {
+      "name": "NpmDetector"
+    },
+    {
+      "name": "PrivateKeyDetector"
+    },
+    {
+      "name": "SendGridDetector"
+    },
+    {
+      "name": "SlackDetector"
+    },
+    {
+      "name": "SoftlayerDetector"
+    },
+    {
+      "name": "SquareOAuthDetector"
+    },
+    {
+      "name": "StripeDetector"
+    },
+    {
+      "name": "TwilioKeyDetector"
+    }
+  ],
+  "filters_used": [
+    {
+      "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
+    },
+    {
+      "path": "detect_secrets.filters.common.is_baseline_file",
+      "filename": ".secrets.baseline"
+    },
+    {
+      "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
+      "min_level": 2
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_indirect_reference"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_likely_id_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_lock_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_potential_uuid"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_sequential_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_swagger_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_templated_secret"
+    },
+    {
+      "path": "detect_secrets.filters.regex.should_exclude_file",
+      "pattern": [
+        "\\.secrets..*",
+        "\\.git.*",
+        "target"
+      ]
+    }
+  ],
+  "results": {
+    ".pre-commit-config.yaml": [
+      {
+        "type": "Hex High Entropy String",
+        "filename": ".pre-commit-config.yaml",
+        "hashed_secret": "63076edad0be7557f5fbd9b60bc1ffa664fce207",
+        "is_verified": false,
+        "line_number": 22,
+        "is_secret": false
+      }
+    ]
+  },
+  "generated_at": "2023-11-09T15:47:32Z"
+}
diff --git a/README.md b/README.md
@@ -84,23 +84,43 @@ to produce a complete package. This runs all the phases necessary, including com
 
 #### 🪝 Pre-Commit Hooks
 
-This package comes with a configuration for [Pre-Commit](https://pre-commit.com/), a system for automating and standardizing `git` hooks for code linting, security scanning, etc. Here in this Java template repository, we use Pre-Commit with [Git Secrets](https://github.com/awslabs/git-secrets) to prevent the accidental committing or commit messages containing secrets like API keys and passwords.
+This package comes with a configuration for [Pre-Commit](https://pre-commit.com/), a system for automating and standardizing `git` hooks for code linting, security scanning, etc. Here in this Java template repository, we use Pre-Commit with [Detect Secrets](https://nasa-ammos.github.io/slim/docs/guides/software-lifecycle/security/secrets-detection/) to prevent the accidental committing or commit messages containing secrets like API keys and passwords.
 
-Pre-Commit is language-neutral, but is itself written in Python. To take advantage of Pre-Commit, you'll need a nearby Python installation. A recommended way to do this is with a virtual Python environment. Using the command line interface, run:
+Pre-Commit and `detect-secrets` are language-neutral, but they themselves are written in Python. To take advantage of these features, you'll need a nearby Python installation. A recommended way to do this is with a virtual Python environment. Using the command line interface, run:
 
 ```console
 $ python -m venv .venv
 $ source .venv/bin/activate   # Use source .venv/bin/activate.csh if you're using a C-style shell
-$ pip install pre-commit
-$ pre-commit install
-$ pre-commit install -t pre-push
-$ pre-commit install -t prepare-commit-msg
-$ pre-commit install -t commit-msg
+$ pip install pre-commit https://github.com/NASA-AMMOS/slim-detect-secrets.git@exp
 ```
 
+You can then establish a secrets baseline in your Maven-based repository:
+
+    detect-secrets scan . \
+        --all-files \
+        --disable-plugin AbsolutePathDetectorExperimental \
+        --exclude-files '\.secrets..*' \
+        --exclude-files '\.git.*' \
+        --exclude-files 'target' > .secrets.baseline
+
+Review the secrets to determine which should be allowed and which are false positives:
+
+    detect-secrets audit .secrets.baseline
+
+Please remove any secrets that should not be seen by the public. You can then add the baseline file to the commit:
+
+    git add .secrets.baseline
+
+Finally, install the pre-commit hooks:
+
+    pre-commit install
+    pre-commit install -t pre-push
+    pre-commit install -t prepare-commit-msg
+    pre-commit install -t commit-msg
+
 You can then work normally. Pre-commit will run automatically during `git commit` and `git push` so long as the Python virtual environment is active.
 
-👉 **Note:** For Git Secrets to work, there is a one-time setup required to your personal global Git configuration. See [the wiki entry on Git Secrets](https://github.com/NASA-PDS/nasa-pds.github.io/wiki/Git-and-Github-Guide#git-secrets) to learn how to do this.
+👉 **Note:** For Detect Secrets to work, there is a one-time setup required to your personal global Git configuration. See [the wiki entry on Detect Secrets](https://github.com/NASA-PDS/nasa-pds.github.io/wiki/Git-and-Github-Guide#detect-secrets) to learn how to do this.
 
 
 ### 🚅 Continuous Integration & Deployment