GitLeaks - Secret Scanning

.github/workflows/gitleaks.yml

@@ -0,0 +1,15 @@
+name: gitleaks
+on: [pull_request, push, workflow_dispatch]
+jobs:
+  scan:
+    name: gitleaks
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}}
+          GITLEAKS_NOTIFY_USER_LIST: '@sandergi'

.gitleaksignore

@@ -0,0 +1,21 @@
+4749e3ef005e8ddc6562d1bd82a00e752a7e94e3:explore.py:aws-access-token:16
+4749e3ef005e8ddc6562d1bd82a00e752a7e94e3:explore.py:private-key:23
+4749e3ef005e8ddc6562d1bd82a00e752a7e94e3:explore.py:generic-api-key:32
+b0c80dac8e22faafa319d5466947df8723dfaa4a:daras_ai_v2/img_model_settings_widgets.py:generic-api-key:372
+8670036e722f40530dbff3e0e7573e9b5aac85c9:routers/slack.py:slack-webhook-url:73
+b6ad1fc0168832711adcff07287907660f3305fb:bots/location.py:generic-api-key:12
+8c05ec8320a866304842fb5f4df76e0698f1031f:bots/analysis.py:generic-api-key:5
+1c03d569dd30bb9703e4ff968a57a05eb405e398:bots/signals.py:generic-api-key:11
+5e3dd6cf0da20b3e5b1daaca41ad126bc489fbf3:static/js/auth.js:generic-api-key:2
+87e443addbbc49746ab3088307a59b3e2fc2d177:recipes/CompareText2Img.py:generic-api-key:97
+1f109a743b1781c7a21c1b0ca6a3f880f7f7dc84:recipes/CompareText2Img.py:generic-api-key:77
+d18d8b9bb18a9ff8248b16b26f0455f7826ce23a:recipes/CompareText2Img.py:generic-api-key:85
+5471a8ac2d60026b24f21b51ae6f11db8acd160c:pages/CompareText2Img.py:generic-api-key:92
+5471a8ac2d60026b24f21b51ae6f11db8acd160c:daras_ai_v2/img_model_settings_widgets.py:generic-api-key:90
+6fca6072032e4f34d7d571e7de8e0ff05f7a487b:static/js/auth.js:generic-api-key:2
+2292469b22d97263c7c59cf49fae7281ce96a39c:pages/CompareText2Img.py:generic-api-key:137
+aae9d67ed6330a3eb2ede41d5ceeca52a8f0daf4:static/js/auth.js:gcp-api-key:2
+d5866242d107743ab5eebeb284e7e5ee2426d941:pages/SocialLookupEmail.py:generic-api-key:181
+73bef8c3be7682fed0b99ceb6770f599eabbbd08:daras_ai_v2/send_email.py:generic-api-key:25
+fa3f7982fa1527838c2073d2542c83887cc6ebbd:pages/EmailFaceInpainting.py:generic-api-key:189
+e1c218882d288ca1df0225654aae8dd10027e9d0:political_example.py:jwt:30

.pre-commit-config.yaml

@@ -2,7 +2,7 @@
 # See https://pre-commit.com/hooks.html for more hooks
 repos:
 -   repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v3.2.0
+    rev: v4.6.0
     hooks:
     -   id: end-of-file-fixer
     -   id: check-yaml
@@ -13,3 +13,7 @@ repos:
         entry: poetry run black
         language: system
         types: [python]
+-   repo: https://github.com/gitleaks/gitleaks
+    rev: v8.18.4
+    hooks:
+    -   id: gitleaks

README.md

@@ -208,3 +208,9 @@ docker run \
 ### 📐 Code Formatting
 
 Use black - https://pypi.org/project/black
+
+### 💣 Secret Scanning
+
+Gitleaks will automatically run pre-commit (see `pre-commit-config.yaml` for details) to prevent commits with secrets in the first place. To test this without committing, run `pre-commit` from the terminal. To skip this check, use `SKIP=gitleaks git commit -m "message"` to commit changes. Preferably, label false positives with the `#gitleaks:allow` comment instead of skipping the check.
+
+Gitleaks will also run in the CI pipeline as a GitHub action on push and pull request (can also be manually triggered in the actions tab on GitHub). To update the baseline of ignored secrets, run `python ./scripts/create_gitleaks_baseline.py` from the venv and commit the changes to `.gitleaksignore`.

scripts/create_gitleaks_baseline.py

@@ -0,0 +1,18 @@
+#!/usr/bin/env python3
+
+import subprocess
+import json
+
+# create a baseline file
+subprocess.run(
+    ["gitleaks", "detect", "--report-path", "gitleaks-baseline.json"],
+)
+
+# parse the baseline file
+with open("gitleaks-baseline.json") as f:
+    baseline = json.load(f)
+
+# output list of "Fingerprint"s to .gitleaksignore
+with open(".gitleaksignore", "w") as f:
+    for leak in baseline:
+        f.write(leak["Fingerprint"] + "\n")