monorepo wide security scanning

.secrets.baseline

@@ -108,5 +108,5 @@
     }
   ],
   "results": {},
-  "generated_at": "2023-07-03T15:47:42Z"
+  "generated_at": "2023-07-04T14:44:15Z"
 }

Makefile

@@ -11,6 +11,15 @@ help: 				## List targets and description
 precommit:
 	pre-commit install
 
+detect-secrets:
+	@git ls-files -z | xargs -0 detect-secrets-hook --baseline .secrets.baseline
+
+ignore-secrets:
+	detect-secrets scan > .secrets.baseline
+
+detect-vulnerabilities:
+	bandit -qr api/api sdk/rapid
+
 ##
 ##----- API -----
 ##
@@ -33,19 +42,6 @@ api-test-e2e-focus:		## Run api python e2e tests marked with `@pytest.mark.focus
 
 # API Security --------------------
 ##
-api-security:			## Run api security checks
-	@$(MAKE) api-detect-secrets
-	@$(MAKE) api-detect-vulns
-
-api-detect-secrets:		## Check api source code for possible secrets
-	@cd api/; ./batect detect-secrets
-
-api-ignore-secrets:		## Mark api detected non-secrets as ignored
-	@cd api/; ./batect ignore-secrets
-
-api-detect-vulns:		## Check api source code for common vulnerabilities
-	@cd api/; ./batect detect-vulnerabilities
-
 api-scan-for-vulns-and-tag:	## Scan api ecr for latest image and tag as vulnerable
 	@cd api/; ./image-utils.sh "pipeline_post_scanning_processing"
 

api/batect.yml

@@ -103,24 +103,6 @@ tasks:
       container: service-image
       command: "pytest --durations=5 --cov=api --cov-report term-missing test/api"
 
-  detect-secrets:
-    description: Detect tracked files for secrets
-    run:
-      container: service-image
-      command: sh -c 'git ls-files -z -- . ':!:*.drawio' | xargs -0 detect-secrets-hook --baseline .secrets.baseline'
-
-  ignore-secrets:
-    description: Ignore detected secrets (add them to the .secrets.baseline file)
-    run:
-      container: service-image
-      command: bash -c 'detect-secrets scan > .secrets.baseline'
-
-  detect-vulnerabilities:
-    description: Detect common vulnerabilities
-    run:
-      container: service-image
-      command: "bandit -qr api"
-
   lint:
     description: Lint the source and test code
     run:

infrastructure/Makefile

@@ -1,15 +1,3 @@
-.PHONY: help
-
-help: 		## List targets and description
-	@fgrep -h "##" $(MAKEFILE_LIST) | fgrep -v fgrep | sed -e 's/\\$$//' | sed -e 's/##//'
-
-##
-detect-secrets: 		## Check source code for possible secrets
-	@./batect detect-secrets
-
-ignore-secrets: 		## Mark detected non-secrets as ignored
-	@./batect ignore-secrets
-
 release:       ## Release
 	@git checkout ${commit}
 	@git tag -a "${version}" -m "Release tag for version ${version}"

infrastructure/batect.yml

@@ -8,18 +8,6 @@ containers:
         container: /src
 
 tasks:
-  detect-secrets:
-    description: Detect tracked files for secrets
-    run:
-      container: utility
-      command: sh -c 'git ls-files -z | xargs -0 detect-secrets-hook --baseline .secrets.baseline'
-
-  ignore-secrets:
-    description: Ignore detected secrets (add them to the .secrets.baseline file)
-    run:
-      container: utility
-      command: bash -c 'detect-secrets scan > .secrets.baseline'
-
   security-scan:
     description: Scan the terraform stack for security vulnerabilities
     run:

sdk/docs/source/index.rst

@@ -34,9 +34,9 @@ If you do not want to use environment variables (however this is discouraged as
 values directly to the class as follows.::
 
    rapid_authentication = RapidAuth(
-      client_id="RAPID_CLIENT_ID",
-      client_secret="RAPID_CLIENT_SECRET",
-      url="RAPID_URL"
+      client_id=os.getenv("RAPID_CLIENT_ID"),
+      client_secret=os.getenv("RAPID_CLIENT_SECRET"),
+      url=os.getenv("RAPID_URL")
    )
 
 Generate Schema

ui/src/__tests__/subject/create.test.tsx

@@ -81,7 +81,7 @@ describe('Page: Subject Create', () => {
   describe('on submit', () => {
     const mockData = {
       client_name: 'James Bond',
-      client_secret: 'secret-code-word',
+      client_secret: 'secret-code-word', // pragma: allowlist secret
       client_id: 'id-abc123',
       permissions: ['DATA_ADMIN', 'READ_PRIVATE']
     }