From 93d7c70bdaed0e938b172eab4e82a85fc908c154 Mon Sep 17 00:00:00 2001
From: Toby Drane
Date: Tue, 4 Jul 2023 16:53:14 +0100
Subject: [PATCH] monorepo wide security scanning
---
 .secrets.baseline | 2 +-
 Makefile | 22 +++++++++-------------
 api/batect.yml | 18 ------------------
 infrastructure/Makefile | 12 ------------
 infrastructure/batect.yml | 12 ------------
 sdk/docs/source/index.rst | 6 +++---
 ui/src/__tests__/subject/create.test.tsx | 2 +-
 7 files changed, 14 insertions(+), 60 deletions(-)
diff --git a/.secrets.baseline b/.secrets.baseline
index 91e6d42..d7615cd 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -108,5 +108,5 @@
 }
 ],
 "results": {},
- "generated_at": "2023-07-03T15:47:42Z"
+ "generated_at": "2023-07-04T14:44:15Z"
 }
diff --git a/Makefile b/Makefile
index a480d76..fa9acc2 100644
--- a/Makefile
+++ b/Makefile
@@ -11,6 +11,15 @@ help: ## List targets and description
 precommit:
 pre-commit install
+detect-secrets:
+ @git ls-files -z | xargs -0 detect-secrets-hook --baseline .secrets.baseline
+
+ignore-secrets:
+ detect-secrets scan > .secrets.baseline
+
+detect-vulnerabilities:
+ bandit -qr api/api sdk/rapid
+
 ##
 ##----- API -----
 ##
@@ -33,19 +42,6 @@ api-test-e2e-focus: ## Run api python e2e tests marked with `@pytest.mark.focus
 # API Security --------------------
 ##
-api-security: ## Run api security checks
- @$(MAKE) api-detect-secrets
- @$(MAKE) api-detect-vulns
-
-api-detect-secrets: ## Check api source code for possible secrets
- @cd api/; ./batect detect-secrets
-
-api-ignore-secrets: ## Mark api detected non-secrets as ignored
- @cd api/; ./batect ignore-secrets
-
-api-detect-vulns: ## Check api source code for common vulnerabilities
- @cd api/; ./batect detect-vulnerabilities
-
 api-scan-for-vulns-and-tag: ## Scan api ecr for latest image and tag as vulnerable
 @cd api/; ./image-utils.sh "pipeline_post_scanning_processing"
diff --git a/api/batect.yml b/api/batect.yml
index 3886dcf..505403d 100644
--- a/api/batect.yml
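Review bot: The new `ignore-secrets` target in the first Makefile hunk rewrites the baseline from scratch with `detect-secrets scan > .secrets.baseline`, which throws away any audit verdicts already recorded in the file and, now that the scan is repo-wide, allowlists every current finding across api, sdk, infrastructure and ui in one step; `detect-secrets scan --baseline .secrets.baseline` updates the existing baseline in place, and the resulting diff of `.secrets.baseline` should be reviewed before it is committed. The new `detect-secrets` target also drops the `':!:*.drawio'` pathspec exclusion that the removed api/batect.yml task carried, so diagram files are now scanned — presumably intended, but worth a one-line comment on the target so the next person does not "fix" it back. The second Makefile hunk removes the `api-security` aggregate without a root-level equivalent; if any pipeline or contributor doc still invokes `make api-security` it will now fail, and a `security: detect-secrets detect-vulnerabilities` target would restore that single entry point. The three new targets are not added to `.PHONY` (that declaration, if any, is outside this hunk), so a file named `detect-secrets` in the repo root would silently satisfy the target.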
+++ b/api/batect.yml
@@ -103,24 +103,6 @@ tasks:
 container: service-image
 command: "pytest --durations=5 --cov=api --cov-report term-missing test/api"
- detect-secrets:
- description: Detect tracked files for secrets
- run:
- container: service-image
- command: sh -c 'git ls-files -z -- . ':!:*.drawio' | xargs -0 detect-secrets-hook --baseline .secrets.baseline'
-
- ignore-secrets:
- description: Ignore detected secrets (add them to the .secrets.baseline file)
- run:
- container: service-image
- command: bash -c 'detect-secrets scan > .secrets.baseline'
-
- detect-vulnerabilities:
- description: Detect common vulnerabilities
- run:
- container: service-image
- command: "bandit -qr api"
-
 lint:
 description: Lint the source and test code
 run:
diff --git a/infrastructure/Makefile b/infrastructure/Makefile
index c6bceb0..b5ee813 100644
--- a/infrastructure/Makefile
+++ b/infrastructure/Makefile
@@ -1,15 +1,3 @@
-.PHONY: help
-
-help: ## List targets and description
- @fgrep -h "##" $(MAKEFILE_LIST) | fgrep -v fgrep | sed -e 's/\\$$//' | sed -e 's/##//'
-
-##
-detect-secrets: ## Check source code for possible secrets
- @./batect detect-secrets
-
-ignore-secrets: ## Mark detected non-secrets as ignored
- @./batect ignore-secrets
-
 release: ## Release
 @git checkout ${commit}
 @git tag -a "${version}" -m "Release tag for version ${version}"
diff --git a/infrastructure/batect.yml b/infrastructure/batect.yml
index 7a760ee..1c33378 100644
--- a/infrastructure/batect.yml
+++ b/infrastructure/batect.yml
@@ -8,18 +8,6 @@ containers:
 container: /src
 tasks:
- detect-secrets:
- description: Detect tracked files for secrets
- run:
- container: utility
- command: sh -c 'git ls-files -z | xargs -0 detect-secrets-hook --baseline .secrets.baseline'
-
- ignore-secrets:
- description: Ignore detected secrets (add them to the .secrets.baseline file)
- run:
- container: utility
- command: bash -c 'detect-secrets scan > .secrets.baseline'
-
 security-scan:
 description: Scan the terraform stack for security vulnerabilities
 run:
diff --git a/sdk/docs/source/index.rst b/sdk/docs/source/index.rst
index de9a968..9c043da 100644
--- a/sdk/docs/source/index.rst
+++ b/sdk/docs/source/index.rst
@@ -34,9 +34,9 @@ If you do not want to use environment variables (however this is discouraged as
 values directly to the class as follows.::
 rapid_authentication = RapidAuth(
- client_id="RAPID_CLIENT_ID",
- client_secret="RAPID_CLIENT_SECRET",
- url="RAPID_URL"
+ client_id=os.getenv("RAPID_CLIENT_ID"),
+ client_secret=os.getenv("RAPID_CLIENT_SECRET"),
+ url=os.getenv("RAPID_URL")
 )
 Generate Schema
diff --git a/ui/src/__tests__/subject/create.test.tsx b/ui/src/__tests__/subject/create.test.tsx
index bfd2259..fea2228 100644
--- a/ui/src/__tests__/subject/create.test.tsx
+++ b/ui/src/__tests__/subject/create.test.tsx
@@ -81,7 +81,7 @@ describe('Page: Subject Create', () => {
 describe('on submit', () => {
 const mockData = {
 client_name: 'James Bond',
- client_secret: 'secret-code-word',
+ client_secret: 'secret-code-word', // pragma: allowlist secret
 client_id: 'id-abc123',
 permissions: ['DATA_ADMIN', 'READ_PRIVATE']
 }