diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
new file mode 100644
index 000000000..79ffcb1a2
--- /dev/null
+++ b/.github/workflows/gitleaks.yml
@@ -0,0 +1,15 @@
+name: gitleaks
+on: [pull_request, push, workflow_dispatch]
+jobs:
+ scan:
+ name: gitleaks
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+ - uses: gitleaks/gitleaks-action@v2
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}}
+ GITLEAKS_NOTIFY_USER_LIST: '@sandergi'
diff --git a/.gitleaksignore b/.gitleaksignore
new file mode 100644
index 000000000..022ac599f
--- /dev/null
+++ b/.gitleaksignore
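Review bot: The `scan` job declares no `permissions:` block, so the `GITHUB_TOKEN` handed to gitleaks-action carries whatever default scope the repository settings grant (read/write on everything for many older repositories); add `permissions:` with `contents: read` and `pull-requests: write` between `runs-on:` and `steps:` so the token is least-privilege, the latter scope only because gitleaks-action comments on pull requests. Both third-party actions are referenced by mutable tags (`actions/checkout@v3`, `gitleaks/gitleaks-action@v2`); pinning each to a full commit SHA with the tag in a trailing comment prevents a moved tag from silently changing what executes with that token. Because the workflow also triggers on `pull_request`, runs for pull requests from forks will not receive `secrets.GITLEAKS_LICENSE` and get a read-only token, so expect those runs to behave differently (or fail, if a licence is required for this organisation) — worth a comment in the file. The `${{ secrets.GITLEAKS_LICENSE}}` expression is valid, but the missing space before `}}` is inconsistent with the line above it.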
@@ -0,0 +1,21 @@
+4749e3ef005e8ddc6562d1bd82a00e752a7e94e3:explore.py:aws-access-token:16
+4749e3ef005e8ddc6562d1bd82a00e752a7e94e3:explore.py:private-key:23
+4749e3ef005e8ddc6562d1bd82a00e752a7e94e3:explore.py:generic-api-key:32
+b0c80dac8e22faafa319d5466947df8723dfaa4a:daras_ai_v2/img_model_settings_widgets.py:generic-api-key:372
+8670036e722f40530dbff3e0e7573e9b5aac85c9:routers/slack.py:slack-webhook-url:73
+b6ad1fc0168832711adcff07287907660f3305fb:bots/location.py:generic-api-key:12
+8c05ec8320a866304842fb5f4df76e0698f1031f:bots/analysis.py:generic-api-key:5
+1c03d569dd30bb9703e4ff968a57a05eb405e398:bots/signals.py:generic-api-key:11
+5e3dd6cf0da20b3e5b1daaca41ad126bc489fbf3:static/js/auth.js:generic-api-key:2
+87e443addbbc49746ab3088307a59b3e2fc2d177:recipes/CompareText2Img.py:generic-api-key:97
+1f109a743b1781c7a21c1b0ca6a3f880f7f7dc84:recipes/CompareText2Img.py:generic-api-key:77
+d18d8b9bb18a9ff8248b16b26f0455f7826ce23a:recipes/CompareText2Img.py:generic-api-key:85
+5471a8ac2d60026b24f21b51ae6f11db8acd160c:pages/CompareText2Img.py:generic-api-key:92
+5471a8ac2d60026b24f21b51ae6f11db8acd160c:daras_ai_v2/img_model_settings_widgets.py:generic-api-key:90
+6fca6072032e4f34d7d571e7de8e0ff05f7a487b:static/js/auth.js:generic-api-key:2
+2292469b22d97263c7c59cf49fae7281ce96a39c:pages/CompareText2Img.py:generic-api-key:137
+aae9d67ed6330a3eb2ede41d5ceeca52a8f0daf4:static/js/auth.js:gcp-api-key:2
+d5866242d107743ab5eebeb284e7e5ee2426d941:pages/SocialLookupEmail.py:generic-api-key:181
+73bef8c3be7682fed0b99ceb6770f599eabbbd08:daras_ai_v2/send_email.py:generic-api-key:25
+fa3f7982fa1527838c2073d2542c83887cc6ebbd:pages/EmailFaceInpainting.py:generic-api-key:189
+e1c218882d288ca1df0225654aae8dd10027e9d0:political_example.py:jwt:30
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 65af59112..1bc20673c 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
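Review bot: Every entry here silences a finding at a specific historical commit, but nothing in this change records whether the underlying credential was revoked, and ignoring instead of rotating is only correct for false positives; several of the rule names are high-confidence rules rather than `generic-api-key` — `aws-access-token` and `private-key` in `explore.py`, `slack-webhook-url` in `routers/slack.py`, `gcp-api-key` in `static/js/auth.js`, `jwt` in `political_example.py` — and warrant individual verification before being baselined. A secret that really was committed stays readable in history regardless of this file, so each entry should be traceable to either a rotation or an explicit false-positive decision, recorded in the pull request or a tracking issue (or as a `#` comment next to the entry, if the gitleaks version in use accepts comments in this file). Note also that a fingerprint is commit-specific: the same key re-committed at a new SHA will be reported again, which is the desired behaviour and should not be "fixed" by simply rerunning the baseline script.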
@@ -2,7 +2,7 @@ # See https://pre-commit.com/hooks.html for more hooks repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v3.2.0 + rev: v4.6.0 hooks: - id: end-of-file-fixer - id: check-yaml @@ -13,3 +13,7 @@ repos: entry: poetry run black language: system types: [python] +- repo: https://github.com/gitleaks/gitleaks + rev: v8.18.4 + hooks: + - id: gitleaks diff --git a/README.md b/README.md index b3ddddba0..299c84839 100644 --- a/README.md +++ b/README.md @@ -208,3 +208,9 @@ docker run \ ### 📐 Code Formatting Use black - https://pypi.org/project/black + +### 💣 Secret Scanning + +Gitleaks will automatically run pre-commit (see `pre-commit-config.yaml` for details) to prevent commits with secrets in the first place. To test this without committing, run `pre-commit` from the terminal. To skip this check, use `SKIP=gitleaks git commit -m "message"` to commit changes. Preferably, label false positives with the `#gitleaks:allow` comment instead of skipping the check. + +Gitleaks will also run in the CI pipeline as a GitHub action on push and pull request (can also be manually triggered in the actions tab on GitHub). To update the baseline of ignored secrets, run `python ./scripts/create_gitleaks_baseline.py` from the venv and commit the changes to `.gitleaksignore`. diff --git a/scripts/create_gitleaks_baseline.py b/scripts/create_gitleaks_baseline.py new file mode 100644 index 000000000..8e5979185 --- /dev/null +++ b/scripts/create_gitleaks_baseline.py @@ -0,0 +1,18 @@ +#!/usr/bin/env python3 + +import subprocess +import json + +# create a baseline file +subprocess.run( + ["gitleaks", "detect", "--report-path", "gitleaks-baseline.json"], +) + +# parse the baseline file +with open("gitleaks-baseline.json") as f: + baseline = json.load(f) + +# output list of "Fingerprint"s to .gitleaksignore +with open(".gitleaksignore", "w") as f: + for leak in baseline: + f.write(leak["Fingerprint"] + "\n")
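Review bot: The new `gitleaks` hook is pinned to the tag `v8.18.4`, which the upstream repository can move; pre-commit accepts a full commit SHA in `rev`, so `rev: <40-char sha>  # v8.18.4` gives the same version with a reproducible, tamper-evident pin. The CI side of this change pulls whatever gitleaks version `gitleaks/gitleaks-action@v2` bundles, so the local hook and the CI scan can drift apart in rules and fingerprints — a one-line comment above `- repo: https://github.com/gitleaks/gitleaks` noting that the two versions should be kept in step would save the next person a confusing "passes locally, fails in CI" hunt. The enclosing `repos:` list starts outside this hunk.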
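Review bot: The `subprocess.run(["gitleaks", "detect", ...])` call in the new script neither passes `check=True` nor inspects the return code, so a missing `gitleaks` binary or a scan error (gitleaks exits 2) is ignored and the script carries on to read a stale or absent `gitleaks-baseline.json`; `check=True` alone would break the normal path because gitleaks exits 1 when it finds leaks, so pass `--exit-code 0` as well. The report is also written into the repository root and never removed, and a gitleaks JSON report carries the matched secret values in clear text, so a careless `git add .` would commit a file containing every credential the scan found — write it to a temporary directory that is discarded with the `with` block instead. Finally the script turns every current finding into an ignore entry without printing anything, so emit at least a count on stderr so the operator reviews what is being silenced before committing `.gitleaksignore`. The rewrite below needs `import os`, `import sys` and `import tempfile` next to the existing imports.

```python
with tempfile.TemporaryDirectory() as tmp:
    report_path = os.path.join(tmp, "gitleaks-baseline.json")
    # findings are the expected outcome here, so tell gitleaks to exit 0 on
    # leaks and let check=True surface only real errors (exit 2 / no binary)
    subprocess.run(
        ["gitleaks", "detect", "--exit-code", "0", "--report-path", report_path],
        check=True,
    )
    baseline = []
    if os.path.exists(report_path):  # some versions write no report when nothing is found
        with open(report_path) as f:
            baseline = json.load(f)

# … unchanged: write each Fingerprint to .gitleaksignore …
print(f"ignored {len(baseline)} finding(s); review each before committing", file=sys.stderr)
```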