From f914168be4eacdec51ba0292e2c95c3cf1a90ebe Mon Sep 17 00:00:00 2001
From: Sean Kelly
Date: Thu, 9 Nov 2023 09:47:47 -0600
Subject: [PATCH] testing detect-secrets with java
---
 .pre-commit-config.yaml | 17 +++-
 .secrets.baseline | 147 ++++++++++++++++++++++++++++++++++++++++
 README.md | 36 +++++++---
 3 files changed, 186 insertions(+), 14 deletions(-)
 create mode 100644 .secrets.baseline
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 9794d50..b19a0fc 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -7,7 +7,7 @@
 #
 # Currently for Java repositories, we support the following hooks:
 #
-# - Git Secrets (https://github.com/awslabs/git-secrets)
+# - Detect Secrets (https://nasa-ammos.github.io/slim/docs/guides/software-lifecycle/security/secrets-detection/)
 #
 # Future hooks could include: trailing whitespace alerts, executable shebangs,
 # debug statements left in code, Google code style adherence, etc.
@@ -17,12 +17,17 @@ repos: - - # Git Secrets: prevent API keys, passwords, etc. - repo: https://github.com/awslabs/git-secrets.git - rev: b9e96b3212fa06aea65964ff0d5cda84ce935f38 + repo: https://github.com/NASA-AMMOS/slim-detect-secrets + # using commit id for now, will change to tag when official version is released + rev: 91e097ad4559ae6ab785c883dc5ed989202c7fbe hooks: - - - id: git-secrets + - id: detect-secrets + args: + - '--baseline' + - '.secrets.baseline' + - --exclude-files '\.secrets..*' + - --exclude-files '\.git.*' + - --exclude-files 'target' ...
diff --git a/.secrets.baseline b/.secrets.baseline
new file mode 100644
index 0000000..fbf508f
--- /dev/null
+++ b/.secrets.baseline
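Review bot: The three `--exclude-files` entries under `args` in the second hunk are each one YAML plain scalar, so pre-commit hands the hook a single argv element such as `--exclude-files '\.secrets..*'` with the apostrophes kept literally; argparse-style parsers treat an option-looking element that contains a space as a positional, so these exclusions probably never take effect in the hook, whereas the `--baseline` pair just above is already split correctly and is the model to follow. Splitting each into two items, e.g. `- '--exclude-files'` followed by `- '\.secrets..*'`, fixes the quoting. The patterns themselves are also unanchored, so if the filter matches anywhere in the path `\.git.*` would also exclude `.github/` (workflow files are a common place for credentials to land) and `target` excludes any path containing that word, which is why anchored forms like `'^\.git/'` and `'^target/'` are worth considering. The same three patterns are recorded under `should_exclude_file` in the new `.secrets.baseline`, so it should be regenerated once they are tightened. Pinning `rev` to a commit id rather than a branch is the right choice for a security hook, and the comment explaining the temporary pin is welcome.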
@@ -0,0 +1,147 @@
+{
+ "version": "1.4.0",
+ "plugins_used": [
+ {
+ "name": "AbsolutePathDetectorExperimental"
+ },
+ {
+ "name": "ArtifactoryDetector"
+ },
+ {
+ "name": "AWSKeyDetector"
+ },
+ {
+ "name": "AWSSensitiveInfoDetectorExperimental"
+ },
+ {
+ "name": "AzureStorageKeyDetector"
+ },
+ {
+ "name": "Base64HighEntropyString",
+ "limit": 4.5
+ },
+ {
+ "name": "BasicAuthDetector"
+ },
+ {
+ "name": "CloudantDetector"
+ },
+ {
+ "name": "DiscordBotTokenDetector"
+ },
+ {
+ "name": "EmailAddressDetector"
+ },
+ {
+ "name": "GitHubTokenDetector"
+ },
+ {
+ "name": "HexHighEntropyString",
+ "limit": 3.0
+ },
+ {
+ "name": "IbmCloudIamDetector"
+ },
+ {
+ "name": "IbmCosHmacDetector"
+ },
+ {
+ "name": "IPPublicDetector"
+ },
+ {
+ "name": "JwtTokenDetector"
+ },
+ {
+ "name": "KeywordDetector",
+ "keyword_exclude": ""
+ },
+ {
+ "name": "MailchimpDetector"
+ },
+ {
+ "name": "NpmDetector"
+ },
+ {
+ "name": "PrivateKeyDetector"
+ },
+ {
+ "name": "SendGridDetector"
+ },
+ {
+ "name": "SlackDetector"
+ },
+ {
+ "name": "SoftlayerDetector"
+ },
+ {
+ "name": "SquareOAuthDetector"
+ },
+ {
+ "name": "StripeDetector"
+ },
+ {
+ "name": "TwilioKeyDetector"
+ }
+ ],
+ "filters_used": [
+ {
+ "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
+ },
+ {
+ "path": "detect_secrets.filters.common.is_baseline_file",
+ "filename": ".secrets.baseline"
+ },
+ {
+ "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
+ "min_level": 2
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_indirect_reference"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_likely_id_string"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_lock_file"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_potential_uuid"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_sequential_string"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_swagger_file"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_templated_secret"
+ },
+ {
+ "path": "detect_secrets.filters.regex.should_exclude_file",
+ "pattern": [
+ "\\.secrets..*",
+ "\\.git.*",
+ "target"
+ ]
+ }
+ ],
+ "results": {
+ ".pre-commit-config.yaml": [
+ {
+ "type": "Hex High Entropy String",
+ "filename": ".pre-commit-config.yaml",
+ "hashed_secret": "63076edad0be7557f5fbd9b60bc1ffa664fce207",
+ "is_verified": false,
+ "line_number": 22,
+ "is_secret": false
+ }
+ ]
+ },
+ "generated_at": "2023-11-09T15:47:32Z"
+}
diff --git a/README.md b/README.md
index 0f0b883..0321fe8 100644
--- a/README.md
+++ b/README.md
@@ -84,23 +84,43 @@ to produce a complete package. This runs all the phases necessary, including com
 #### πŸͺΒ Pre-Commit Hooks
-This package comes with a configuration for [Pre-Commit](https://pre-commit.com/), a system for automating and standardizing `git` hooks for code linting, security scanning, etc. Here in this Java template repository, we use Pre-Commit with [Git Secrets](https://github.com/awslabs/git-secrets) to prevent the accidental committing or commit messages containing secrets like API keys and passwords.
+This package comes with a configuration for [Pre-Commit](https://pre-commit.com/), a system for automating and standardizing `git` hooks for code linting, security scanning, etc. Here in this Java template repository, we use Pre-Commit with [Detect Secrets](https://nasa-ammos.github.io/slim/docs/guides/software-lifecycle/security/secrets-detection/) to prevent the accidental committing or commit messages containing secrets like API keys and passwords.
-Pre-Commit is language-neutral, but is itself written in Python. To take advantage of Pre-Commit, you'll need a nearby Python installation. A recommended way to do this is with a virtual Python environment. Using the command line interface, run:
+Pre-Commit and `detect-secrets` are language-neutral, but they themselves are written in Python. To take advantage of these features, you'll need a nearby Python installation. A recommended way to do this is with a virtual Python environment. Using the command line interface, run:
 ```console
 $ python -m venv .venv
 $ source .venv/bin/activate # Use source .venv/bin/activate.csh if you're using a C-style shell
-$ pip install pre-commit
-$ pre-commit install
-$ pre-commit install -t pre-push
-$ pre-commit install -t prepare-commit-msg
-$ pre-commit install -t commit-msg
+$ pip install pre-commit https://github.com/NASA-AMMOS/slim-detect-secrets.git@exp
 ```
+You can then establish a secrets baseline in your Maven-based repository:
+
+ detect-secrets scan . \
+ --all-files \
+ --disable-plugin AbsolutePathDetectorExperimental \
+ --exclude-files '\.secrets..*' \
+ --exclude-files '\.git.*' \
+ --exclude-files 'target' > .secrets.baseline
+
+Review the secrets to determine which should be allowed and which are false positives:
+
+ detect-secrets audit .secrets.baseline
+
+Please remove any secrets that should not be seen by the public. You can then add the baseline file to the commit:
+
+ git add .secrets.baseline
+
+Finally, install the pre-commit hooks:
+
+ pre-commit install
+ pre-commit install -t pre-push
+ pre-commit install -t prepare-commit-msg
+ pre-commit install -t commit-msg
+
 You can then work normally. Pre-commit will run automatically during `git commit` and `git push` so long as the Python virtual environment is active.
-πŸ‘‰ **Note:** For Git Secrets to work, there is a one-time setup required to your personal global Git configuration. See [the wiki entry on Git Secrets](https://github.com/NASA-PDS/nasa-pds.github.io/wiki/Git-and-Github-Guide#git-secrets) to learn how to do this.
+πŸ‘‰ **Note:** For Detect Secrets to work, there is a one-time setup required to your personal global Git configuration. See [the wiki entry on Detect Secrets](https://github.com/NASA-PDS/nasa-pds.github.io/wiki/Git-and-Github-Guide#detect-secrets) to learn how to do this.
 ### πŸš… Continuous Integration & Deployment