From e4d1c90177f3a90537927cb68895627722635e2a Mon Sep 17 00:00:00 2001
From: Alexander Metzger
Date: Thu, 8 Aug 2024 14:35:38 -0700
Subject: [PATCH] Gitleaks - Secret Scanning
---
 .github/workflows/gitleaks.yml | 15 +++++++++
 .gitignore | 3 ++
 .gitleaksignore | 50 +++++++++++++++++++++++++++++
 .pre-commit-config.yaml | 12 +++++++
 README.md | 6 ++++
 scripts/create_gitleaks_baseline.py | 18 +++++++++++
 6 files changed, 104 insertions(+)
 create mode 100644 .github/workflows/gitleaks.yml
 create mode 100644 .gitleaksignore
 create mode 100644 .pre-commit-config.yaml
 create mode 100644 scripts/create_gitleaks_baseline.py
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
new file mode 100644
index 0000000..79ffcb1
--- /dev/null
+++ b/.github/workflows/gitleaks.yml
@@ -0,0 +1,15 @@
+name: gitleaks
+on: [pull_request, push, workflow_dispatch]
+jobs:
+ scan:
+ name: gitleaks
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+ - uses: gitleaks/gitleaks-action@v2
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}}
+ GITLEAKS_NOTIFY_USER_LIST: '@sandergi'
diff --git a/.gitignore b/.gitignore
index 3cb1ac2..e7af657 100644
--- a/.gitignore
+++ b/.gitignore
@@ -17,3 +17,6 @@ yarn-error.log*
 # Local Netlify folder
 .netlify
+
+# Gitleaks
+gitleaks-baseline.json
diff --git a/.gitleaksignore b/.gitleaksignore
new file mode 100644
index 0000000..b631eef
--- /dev/null
+++ b/.gitleaksignore
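Review bot: Neither action in the `steps:` block is pinned to a commit SHA and the workflow declares no `permissions:`, so the job floats on the `v3`/`v2` tags and runs with whatever default token scope the repository grants. For a job whose whole purpose is secret hygiene I would pin `actions/checkout` and `gitleaks/gitleaks-action` to full commit SHAs (keeping the tag in a trailing comment) and add a top-level block `permissions:` / `  contents: read`, widening it only if the action's documentation requires more for posting PR summaries. The `GITLEAKS_LICENSE` expression is written `${{ secrets.GITLEAKS_LICENSE}}` without the closing space, which GitHub appears to tolerate but is inconsistent with the `GITHUB_TOKEN` line above it. Since the workflow triggers on both `push` and `pull_request`, same-repository PRs will be scanned twice; harmless, but worth knowing when duplicate notifications arrive.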
@@ -0,0 +1,50 @@
+ef8fff071debf268a39a1f1b77d90fb23ae59fbd:dist/lib.js:aws-access-token:104
+6313fb03fe200069806a3b894b7427f2bcfb56cd:dist/lib.js:aws-access-token:104
+bcac0e1cf73f2dd06cfa383a8f372170c7921702:dist/lib.js:aws-access-token:104
+94d515f3b4ff2a2555cbb50191530820439e4b31:dist/lib.js:aws-access-token:104
+321f0226b6fbca0aa7e79c813ff0619ce2602925:dist/lib.js:aws-access-token:104
+6a00cd357cc97456876c11c1f71c983f7c5b7526:dist/lib.js:aws-access-token:104
+530c8e8598f8f015701a792023f88d26177ccd63:dist/lib.js:aws-access-token:104
+aca88080c4a04c1bd580e66da2ce8074a6c9f529:dist/lib.js:aws-access-token:104
+578e79faa77bfa8e64e905bb5bd244f193e539b4:dist/lib.js:aws-access-token:104
+efeedce217efcb3b729057385e30644f35f66bf2:dist/lib.js:aws-access-token:104
+d67b3fc1aedb30b5f5a61e7e04519aa23736deb8:dist/lib.js:aws-access-token:104
+476948e4ad7cac02610332d6688ec3419a936288:dist/lib.js:aws-access-token:104
+4659f0a83d8c607a2d74260ce40efe7bfa5e177a:dist/lib.js:aws-access-token:104
+671d458f95a1d1e13bb891741c9ddc1cd3a08144:dist/lib.js:aws-access-token:104
+7d393325a650a28db509393fcdf580f6988683c5:dist/lib.js:aws-access-token:104
+21b58e963d246dcc84e852f52ec5e29b724c957e:dist/lib.js:aws-access-token:104
+25ff43ff85c90e60dac7dd98d262107faaa004e6:dist/lib.js:aws-access-token:104
+d77a616a146e5a03f7a9c17bd4ac080ca3a60179:dist/lib.js:aws-access-token:104
+a2e43de1481998f802917a862edfa85a4cf52ac7:dist/lib.js:aws-access-token:104
+381328301024a4c006ba6f896b2d875976a791ee:dist/lib.js:aws-access-token:104
+1e7ab035b763d29f3e0122e4bf19fb2b27f96813:dist/lib.js:aws-access-token:104
+b2481c881ecde0048e482b36c5528b08b0f448ed:dist/lib.js:aws-access-token:104
+144a2eb152d157ca00ba4f5e16e83d18606b43f9:dist/lib.js:aws-access-token:104
+adca3148d6136ef9ba83171b25cd63501eb19392:dist/lib.js:aws-access-token:104
+f5e7f4d1d2e7d292c046f76862f554a98d03058f:dist/lib.js:aws-access-token:104
+c845fda40084a5dcdd6bab4045db8ae0cbe4d31a:dist/lib.js:aws-access-token:104
+2374bad5f961a770bf3a74002f6c0890e3224a16:dist/lib.js:aws-access-token:104
+95c375fd6d5cb38e5815563db507c73dd5c159a8:dist/lib.js:aws-access-token:104
+96873757c6c85ef767694b9279410a5033870dfc:dist/lib.js:aws-access-token:104
+79c0eb05688081cc1bc9a0496bcc12f98ee30d8d:dist/lib.js:aws-access-token:45
+740050b6c15f3cb15f3130f9aee5c6ec346bccc3:dist/lib.js:aws-access-token:45
+d837e76993d2156cbced4a95d5a53aa8d5b7fcba:dist/lib.js:aws-access-token:45
+69b54014d0d1847fb100b3b6ed12acf052710d7a:dist/lib.js:aws-access-token:1
+f65e961f229a7090c999fcaff9ca1e467b48fae6:dist/lib.js:aws-access-token:1
+e74ce3482a2aec6c04747a3bc8855a09894933e9:dist/style.css:aws-access-token:1
+1f81fadccea4cb6ef2d8b7182a6a5e4089ddf78b:dist/style.css:aws-access-token:1
+3a8de4e8ea9daadc26d4dd6346eb677c8879856b:dist/style.css:aws-access-token:1
+5a7ffd250de3f3f1b713be30f2d23d2d8f041cc1:dist/style.css:aws-access-token:1
+3a1c25ba03ca85942dbd7d4ebc75be66f0e2cf9e:dist/style.css:aws-access-token:1
+2f4ce49db3de71b7a1f08173cbfdf708daf91093:test-site/index.html:generic-api-key:15
+19b4ca3823e03e09e92c2d6d66e973b7a2e17373:.env:generic-api-key:1
+5e8411da6cbea8a9b57062f82c702df484fb9726:dist/style.css:aws-access-token:1
+19b4ca3823e03e09e92c2d6d66e973b7a2e17373:test-site/index.html:generic-api-key:15
+830440f89d95963c409891be64642892b1268aa5:dist/style.css:aws-access-token:1
+ff9c85bd7325e2eff920032d379e29d3ce325060:dist/style.css:aws-access-token:1
+3a92e5782b5f334271b4794fb90120171be2b506:dist/style.css:aws-access-token:1
+d0daabfed0e29ab80ba8b3af3be407bd89feb2d6:dist/style.css:aws-access-token:1
+82a1a1ec7ccf34652217e2dd9125f462844ea17a:dist/style.css:aws-access-token:1
+fb32f24aac5406c0b07a0c01de0f3f9886ead2f8:dist/style.css:aws-access-token:1
+cbdb41c6136a71d789791b3e7e83eb12551fc8f6:dist/style.css:aws-access-token:1
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..0c96d1a
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,12 @@
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.6.0
+ hooks:
+ - id: end-of-file-fixer
+ - id: check-yaml
+- repo: https://github.com/gitleaks/gitleaks
+ rev: v8.18.4
+ hooks:
+ - id: gitleaks
diff --git a/README.md b/README.md
index d26917f..b6b03d0 100644
--- a/README.md
+++ b/README.md
@@ -179,3 +179,9 @@ Consult the [Gooey API documentation](https://api.gooey.ai/docs#tag/Copilot-Inte
 - `index.html` + `src/main.tsx`: Entry point for the development React app.
 - `src/lib.tsx`: Library entry point for the widget.
 - `vite.config.js`: Configuration for bundling the library.
+
+### 💣 Secret Scanning
+
+Gitleaks will automatically run pre-commit (see `pre-commit-config.yaml` for details) to prevent commits with secrets in the first place. To test this without committing, run `pre-commit` from the terminal. To skip this check, use `SKIP=gitleaks git commit -m "message"` to commit changes. Preferably, label false positives with the `#gitleaks:allow` comment instead of skipping the check.
+
+Gitleaks will also run in the CI pipeline as a GitHub action on push and pull request (can also be manually triggered in the actions tab on GitHub). To update the baseline of ignored secrets, run `python ./scripts/create_gitleaks_baseline.py` from the venv and commit the changes to `.gitleaksignore`.
diff --git a/scripts/create_gitleaks_baseline.py b/scripts/create_gitleaks_baseline.py
new file mode 100644
index 0000000..8e59791
--- /dev/null
+++ b/scripts/create_gitleaks_baseline.py
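Review bot: The `gitleaks` hook declared in the second `repos:` entry only runs on a clone where `pre-commit install` has been executed; nothing in this file enforces that, and the README section added in this same commit refers to the file as `pre-commit-config.yaml` (without the leading dot) and never mentions the install step, so a reader following it gets no hook at all. I would add a comment at the top of this file, `# Run once per clone: pip install pre-commit && pre-commit install`, and fix the filename in the README. Because the hook is opt-in and skippable (the README itself documents `SKIP=gitleaks`), the CI workflow should be regarded as the enforcement point and this hook as a fast local convenience.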
@@ -0,0 +1,18 @@
+#!/usr/bin/env python3
+
+import subprocess
+import json
+
+# create a baseline file
+subprocess.run(
+ ["gitleaks", "detect", "--report-path", "gitleaks-baseline.json"],
+)
+
+# parse the baseline file
+with open("gitleaks-baseline.json") as f:
+ baseline = json.load(f)
+
+# output list of "Fingerprint"s to .gitleaksignore
+with open(".gitleaksignore", "w") as f:
+ for leak in baseline:
+ f.write(leak["Fingerprint"] + "\n")
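Review bot: The result of `subprocess.run(...)` on line 7 of the new file is discarded, so if gitleaks fails (bad config, unknown flag, interrupted scan) the script proceeds to read whatever stale `gitleaks-baseline.json` a previous run left behind and overwrites `.gitleaksignore` with it. gitleaks `detect` is expected to exit 1 when it finds leaks and 0 when it finds none, so `check=True` would be wrong here; capture the result and reject every other code instead: `result = subprocess.run([...])` / `if result.returncode not in (0, 1):` / `raise SystemExit(f"gitleaks exited with {result.returncode}")`. The script also regenerates the allowlist wholesale, so every current finding, including the `.env:generic-api-key` fingerprint visible in the `.gitleaksignore` hunk, is suppressed without review and any hand-curated entries in the existing file are dropped; an allowlist entry only silences the alert, the value stays in history and should be treated as exposed and rotated, so I would have the script print the fingerprints it is about to write and say in its header comment that the output must be reviewed before being committed. Minor: both `open()` calls lack `encoding="utf-8"`, and it is worth confirming that gitleaks still writes the report file when there are zero findings, since otherwise `json.load` fails on a missing file.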