Skip to content

Commit

Permalink
gitleaks secret scanning
Browse files Browse the repository at this point in the history
  • Loading branch information
SanderGi authored and devxpy committed Aug 12, 2024
1 parent c74ac4a commit beaaafd
Show file tree
Hide file tree
Showing 7 changed files with 52 additions and 2 deletions.
3 changes: 2 additions & 1 deletion .dockerignore
Original file line number Diff line number Diff line change
@@ -1 +1,2 @@
checkpoints/
checkpoints/
.github
15 changes: 15 additions & 0 deletions .github/workflows/gitleaks.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
name: gitleaks
on: [pull_request, push, workflow_dispatch]
jobs:
scan:
name: gitleaks
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
- uses: gitleaks/gitleaks-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}}
GITLEAKS_NOTIFY_USER_LIST: '@sandergi'
2 changes: 2 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -206,5 +206,7 @@ cython_debug/
# Poetry local configuration file - https://python-poetry.org/docs/configuration/#local-configuration
poetry.toml

# Gitleaks
gitleaks-baseline.json

# End of https://www.toptal.com/developers/gitignore/api/python,macOS
Empty file added .gitleaksignore
Empty file.
12 changes: 12 additions & 0 deletions .pre-commit-config.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
# See https://pre-commit.com for more information
# See https://pre-commit.com/hooks.html for more hooks
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.6.0
hooks:
- id: end-of-file-fixer
- id: check-yaml
- repo: https://github.com/gitleaks/gitleaks
rev: v8.18.4
hooks:
- id: gitleaks
4 changes: 3 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -273,6 +273,8 @@ The recommended way to turn a set of research scripts like [Wav2Lip](https://git
4. Once you have these written, you can follow the same steps as the common models to deploy the model.
### 💣 Secret Scanning
Gitleaks will automatically run pre-commit (see `pre-commit-config.yaml` for details) to prevent commits with secrets in the first place. To test this without committing, run `pre-commit` from the terminal. To skip this check, use `SKIP=gitleaks git commit -m "message"` to commit changes. Preferably, label false positives with the `#gitleaks:allow` comment instead of skipping the check.
Gitleaks will also run in the CI pipeline as a GitHub action on push and pull request (can also be manually triggered in the actions tab on GitHub). To update the baseline of ignored secrets, run `python ./scripts/create_gitleaks_baseline.py` from the venv and commit the changes to `.gitleaksignore`.
18 changes: 18 additions & 0 deletions scripts/create_gitleaks_baseline.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
#!/usr/bin/env python3

import subprocess
import json

# create a baseline file
subprocess.run(
["gitleaks", "detect", "--report-path", "gitleaks-baseline.json"],
)

# parse the baseline file
with open("gitleaks-baseline.json") as f:
baseline = json.load(f)

# output list of "Fingerprint"s to .gitleaksignore
with open(".gitleaksignore", "w") as f:
for leak in baseline:
f.write(leak["Fingerprint"] + "\n")

0 comments on commit beaaafd

Please sign in to comment.