Skip to content

Commit

Permalink
Gitleaks - Secret Scanning
Browse files Browse the repository at this point in the history
  • Loading branch information
SanderGi committed Aug 8, 2024
1 parent 321f022 commit d403045
Show file tree
Hide file tree
Showing 6 changed files with 104 additions and 0 deletions.
15 changes: 15 additions & 0 deletions .github/workflows/gitleaks.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
name: gitleaks
on: [pull_request, push, workflow_dispatch]
jobs:
scan:
name: gitleaks
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
- uses: gitleaks/gitleaks-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}}
GITLEAKS_NOTIFY_USER_LIST: '@sandergi'
3 changes: 3 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -17,3 +17,6 @@ yarn-error.log*

# Local Netlify folder
.netlify

# Gitleaks
gitleaks-baseline.json
50 changes: 50 additions & 0 deletions .gitleaksignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
ef8fff071debf268a39a1f1b77d90fb23ae59fbd:dist/lib.js:aws-access-token:104
6313fb03fe200069806a3b894b7427f2bcfb56cd:dist/lib.js:aws-access-token:104
bcac0e1cf73f2dd06cfa383a8f372170c7921702:dist/lib.js:aws-access-token:104
94d515f3b4ff2a2555cbb50191530820439e4b31:dist/lib.js:aws-access-token:104
321f0226b6fbca0aa7e79c813ff0619ce2602925:dist/lib.js:aws-access-token:104
6a00cd357cc97456876c11c1f71c983f7c5b7526:dist/lib.js:aws-access-token:104
530c8e8598f8f015701a792023f88d26177ccd63:dist/lib.js:aws-access-token:104
aca88080c4a04c1bd580e66da2ce8074a6c9f529:dist/lib.js:aws-access-token:104
578e79faa77bfa8e64e905bb5bd244f193e539b4:dist/lib.js:aws-access-token:104
efeedce217efcb3b729057385e30644f35f66bf2:dist/lib.js:aws-access-token:104
d67b3fc1aedb30b5f5a61e7e04519aa23736deb8:dist/lib.js:aws-access-token:104
476948e4ad7cac02610332d6688ec3419a936288:dist/lib.js:aws-access-token:104
4659f0a83d8c607a2d74260ce40efe7bfa5e177a:dist/lib.js:aws-access-token:104
671d458f95a1d1e13bb891741c9ddc1cd3a08144:dist/lib.js:aws-access-token:104
7d393325a650a28db509393fcdf580f6988683c5:dist/lib.js:aws-access-token:104
21b58e963d246dcc84e852f52ec5e29b724c957e:dist/lib.js:aws-access-token:104
25ff43ff85c90e60dac7dd98d262107faaa004e6:dist/lib.js:aws-access-token:104
d77a616a146e5a03f7a9c17bd4ac080ca3a60179:dist/lib.js:aws-access-token:104
a2e43de1481998f802917a862edfa85a4cf52ac7:dist/lib.js:aws-access-token:104
381328301024a4c006ba6f896b2d875976a791ee:dist/lib.js:aws-access-token:104
1e7ab035b763d29f3e0122e4bf19fb2b27f96813:dist/lib.js:aws-access-token:104
b2481c881ecde0048e482b36c5528b08b0f448ed:dist/lib.js:aws-access-token:104
144a2eb152d157ca00ba4f5e16e83d18606b43f9:dist/lib.js:aws-access-token:104
adca3148d6136ef9ba83171b25cd63501eb19392:dist/lib.js:aws-access-token:104
f5e7f4d1d2e7d292c046f76862f554a98d03058f:dist/lib.js:aws-access-token:104
c845fda40084a5dcdd6bab4045db8ae0cbe4d31a:dist/lib.js:aws-access-token:104
2374bad5f961a770bf3a74002f6c0890e3224a16:dist/lib.js:aws-access-token:104
95c375fd6d5cb38e5815563db507c73dd5c159a8:dist/lib.js:aws-access-token:104
96873757c6c85ef767694b9279410a5033870dfc:dist/lib.js:aws-access-token:104
79c0eb05688081cc1bc9a0496bcc12f98ee30d8d:dist/lib.js:aws-access-token:45
740050b6c15f3cb15f3130f9aee5c6ec346bccc3:dist/lib.js:aws-access-token:45
d837e76993d2156cbced4a95d5a53aa8d5b7fcba:dist/lib.js:aws-access-token:45
69b54014d0d1847fb100b3b6ed12acf052710d7a:dist/lib.js:aws-access-token:1
f65e961f229a7090c999fcaff9ca1e467b48fae6:dist/lib.js:aws-access-token:1
e74ce3482a2aec6c04747a3bc8855a09894933e9:dist/style.css:aws-access-token:1
1f81fadccea4cb6ef2d8b7182a6a5e4089ddf78b:dist/style.css:aws-access-token:1
3a8de4e8ea9daadc26d4dd6346eb677c8879856b:dist/style.css:aws-access-token:1
5a7ffd250de3f3f1b713be30f2d23d2d8f041cc1:dist/style.css:aws-access-token:1
3a1c25ba03ca85942dbd7d4ebc75be66f0e2cf9e:dist/style.css:aws-access-token:1
2f4ce49db3de71b7a1f08173cbfdf708daf91093:test-site/index.html:generic-api-key:15
19b4ca3823e03e09e92c2d6d66e973b7a2e17373:.env:generic-api-key:1
5e8411da6cbea8a9b57062f82c702df484fb9726:dist/style.css:aws-access-token:1
19b4ca3823e03e09e92c2d6d66e973b7a2e17373:test-site/index.html:generic-api-key:15
830440f89d95963c409891be64642892b1268aa5:dist/style.css:aws-access-token:1
ff9c85bd7325e2eff920032d379e29d3ce325060:dist/style.css:aws-access-token:1
3a92e5782b5f334271b4794fb90120171be2b506:dist/style.css:aws-access-token:1
d0daabfed0e29ab80ba8b3af3be407bd89feb2d6:dist/style.css:aws-access-token:1
82a1a1ec7ccf34652217e2dd9125f462844ea17a:dist/style.css:aws-access-token:1
fb32f24aac5406c0b07a0c01de0f3f9886ead2f8:dist/style.css:aws-access-token:1
cbdb41c6136a71d789791b3e7e83eb12551fc8f6:dist/style.css:aws-access-token:1
12 changes: 12 additions & 0 deletions .pre-commit-config.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
# See https://pre-commit.com for more information
# See https://pre-commit.com/hooks.html for more hooks
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.6.0
hooks:
- id: end-of-file-fixer
- id: check-yaml
- repo: https://github.com/gitleaks/gitleaks
rev: v8.18.4
hooks:
- id: gitleaks
6 changes: 6 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -179,3 +179,9 @@ Consult the [Gooey API documentation](https://api.gooey.ai/docs#tag/Copilot-Inte
- `index.html` + `src/main.tsx`: Entry point for the development React app.
- `src/lib.tsx`: Library entry point for the widget.
- `vite.config.js`: Configuration for bundling the library.

### 💣 Secret Scanning

Gitleaks will automatically run pre-commit (see `pre-commit-config.yaml` for details) to prevent commits with secrets in the first place. To test this without committing, run `pre-commit` from the terminal. To skip this check, use `SKIP=gitleaks git commit -m "message"` to commit changes. Preferably, label false positives with the `#gitleaks:allow` comment instead of skipping the check.

Gitleaks will also run in the CI pipeline as a GitHub action on push and pull request (can also be manually triggered in the actions tab on GitHub). To update the baseline of ignored secrets, run `python ./scripts/create_gitleaks_baseline.py` from the venv and commit the changes to `.gitleaksignore`.
18 changes: 18 additions & 0 deletions scripts/create_gitleaks_baseline.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
#!/usr/bin/env python3

import subprocess
import json

# create a baseline file
subprocess.run(
["gitleaks", "detect", "--report-path", "gitleaks-baseline.json"],
)

# parse the baseline file
with open("gitleaks-baseline.json") as f:
baseline = json.load(f)

# output list of "Fingerprint"s to .gitleaksignore
with open(".gitleaksignore", "w") as f:
for leak in baseline:
f.write(leak["Fingerprint"] + "\n")

0 comments on commit d403045

Please sign in to comment.