From 9818863dcdc077ce7e4a2c5c5d252907833025a5 Mon Sep 17 00:00:00 2001
From: Alexander Metzger
Date: Thu, 8 Aug 2024 13:33:19 -0700
Subject: [PATCH] gitleaks secret scanning

---
 .dockerignore | 3 ++-
 .github/workflows/gitleaks.yml | 15 +++++++++++++++
 .gitignore | 2 ++
 .gitleaksignore | 0
 .pre-commit-config.yaml | 12 ++++++++++++
 README.md | 4 +++-
 scripts/create_gitleaks_baseline.py | 18 ++++++++++++++++++
 7 files changed, 52 insertions(+), 2 deletions(-)
 create mode 100644 .github/workflows/gitleaks.yml
 create mode 100644 .gitleaksignore
 create mode 100644 .pre-commit-config.yaml
 create mode 100644 scripts/create_gitleaks_baseline.py

diff --git a/.dockerignore b/.dockerignore
index 1a53453..f4bcb25 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1 +1,2 @@
-checkpoints/
\ No newline at end of file
+checkpoints/
+.github
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
new file mode 100644
index 0000000..79ffcb1
--- /dev/null
+++ b/.github/workflows/gitleaks.yml
@@ -0,0 +1,15 @@
+name: gitleaks
+on: [pull_request, push, workflow_dispatch]
+jobs:
+ scan:
+ name: gitleaks
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+ - uses: gitleaks/gitleaks-action@v2
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}}
+ GITLEAKS_NOTIFY_USER_LIST: '@sandergi'
diff --git a/.gitignore b/.gitignore
index 29fce86..8a223aa 100644
--- a/.gitignore
+++ b/.gitignore
@@ -206,5 +206,7 @@ cython_debug/
 # Poetry local configuration file - https://python-poetry.org/docs/configuration/#local-configuration
 poetry.toml
+# Gitleaks
+gitleaks-baseline.json
 # End of https://www.toptal.com/developers/gitignore/api/python,macOS
diff --git a/.gitleaksignore b/.gitleaksignore
new file mode 100644
index 0000000..e69de29
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..0c96d1a
--- /dev/null
+++ b/.pre-commit-config.yaml
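Review bot: The `scan` job in `.github/workflows/gitleaks.yml` declares no `permissions:` block, so the `GITHUB_TOKEN` passed to `gitleaks/gitleaks-action@v2` carries whatever default token permissions the repository is configured with; add `permissions: { contents: read, pull-requests: write }` at the job level so the token can only read the checkout and post the pull-request comment that `GITLEAKS_NOTIFY_USER_LIST` is there for. Both actions are referenced by mutable major tags (`actions/checkout@v3`, `gitleaks/gitleaks-action@v2`); pinning them to full commit SHAs with the tag in a trailing comment keeps a moved tag from changing what runs on every push. Triggering on both `push` and `pull_request` scans the same commits twice, and on pull requests opened from forks `secrets.GITLEAKS_LICENSE` is presumably not exposed, so confirm the action behaves as intended in that case. Minor: `${{ secrets.GITLEAKS_LICENSE}}` is missing the space before `}}`; it still evaluates but reads inconsistently with the line above it.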
@@ -0,0 +1,12 @@
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.6.0
+ hooks:
+ - id: end-of-file-fixer
+ - id: check-yaml
+- repo: https://github.com/gitleaks/gitleaks
+ rev: v8.18.4
+ hooks:
+ - id: gitleaks
diff --git a/README.md b/README.md
index 135723c..5c7e31b 100644
--- a/README.md
+++ b/README.md
@@ -273,6 +273,8 @@ The recommended way to turn a set of research scripts like [Wav2Lip](https://git
 4. Once you have these written, you can follow the same steps as the common models to deploy the model.
+### 💣 Secret Scanning
+Gitleaks will automatically run pre-commit (see `pre-commit-config.yaml` for details) to prevent commits with secrets in the first place. To test this without committing, run `pre-commit` from the terminal. To skip this check, use `SKIP=gitleaks git commit -m "message"` to commit changes. Preferably, label false positives with the `#gitleaks:allow` comment instead of skipping the check.
-
+Gitleaks will also run in the CI pipeline as a GitHub action on push and pull request (can also be manually triggered in the actions tab on GitHub). To update the baseline of ignored secrets, run `python ./scripts/create_gitleaks_baseline.py` from the venv and commit the changes to `.gitleaksignore`.
diff --git a/scripts/create_gitleaks_baseline.py b/scripts/create_gitleaks_baseline.py
new file mode 100644
index 0000000..8e59791
--- /dev/null
+++ b/scripts/create_gitleaks_baseline.py
@@ -0,0 +1,18 @@
+#!/usr/bin/env python3
+
+import subprocess
+import json
+
+# create a baseline file
+subprocess.run(
+ ["gitleaks", "detect", "--report-path", "gitleaks-baseline.json"],
+)
+
+# parse the baseline file
+with open("gitleaks-baseline.json") as f:
+ baseline = json.load(f)
+
+# output list of "Fingerprint"s to .gitleaksignore
+with open(".gitleaksignore", "w") as f:
+ for leak in baseline:
+ f.write(leak["Fingerprint"] + "\n")
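Review bot: The `gitleaks` hook in `.pre-commit-config.yaml` only runs on commit after each developer has executed `pre-commit install` once per clone, and neither this file nor the README text added in the same commit mentions that step, so "Gitleaks will automatically run pre-commit" promises more than the config alone delivers. The README also refers to `pre-commit-config.yaml` while the file added here is `.pre-commit-config.yaml`; suggest the README sentence read `(see `.pre-commit-config.yaml` for details; run `pre-commit install` once to enable the hook)`.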
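Review bot: `subprocess.run` discards gitleaks' exit status, so when the binary is missing or the scan aborts the script fails one line later with an unrelated FileNotFoundError on the report, and when the scan succeeds the `"w"` open replaces the whole of `.gitleaksignore` with every current finding, silencing true positives along with false ones and dropping any entries that were added by hand. Gitleaks exits 1 when it finds leaks, so `check=True` is not an option; treat other non-zero codes as errors and append only fingerprints that are not already listed. The JSON report also records the matched secret strings (the `Secret`/`Match` fields of each finding), so delete it once the fingerprints are read rather than relying on the `.gitignore` entry to keep it out of the repository; the rewrite below needs `import os` next to the existing imports. Whether the pinned gitleaks writes an empty JSON array when nothing is found is not visible here — if it writes no file, `json.load` would fail, so confirm that before relying on this script in a clean repository.
```python
# … unchanged: shebang and imports (add `import os`) …

REPORT = "gitleaks-baseline.json"
IGNORE = ".gitleaksignore"

# gitleaks exits 1 when it finds leaks; any other non-zero code is a tool failure
result = subprocess.run(["gitleaks", "detect", "--report-path", REPORT])
if result.returncode not in (0, 1):
    raise SystemExit(f"gitleaks failed with exit code {result.returncode}")

try:
    with open(REPORT, encoding="utf-8") as f:
        baseline = json.load(f)
finally:
    # the report holds the matched secret values in cleartext; do not leave it on disk
    if os.path.exists(REPORT):
        os.remove(REPORT)

# keep hand-written entries; add only fingerprints not already present
try:
    with open(IGNORE, encoding="utf-8") as f:
        known = {line.strip() for line in f if line.strip()}
except FileNotFoundError:
    known = set()

with open(IGNORE, "a", encoding="utf-8") as f:
    for leak in baseline:
        fingerprint = leak["Fingerprint"]
        if fingerprint not in known:
            f.write(fingerprint + "\n")
            known.add(fingerprint)
```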