Merge pull request #29 from galasa-dev/issue-1884-detect-secrets

added .pre-commit-config.yaml file to trigger detect-secrets
galasa-dev · Jun 5, 2024 · 3599566 · 3599566
2 parents 9c97dbe + 147821a
commit 3599566
Show file tree

Hide file tree

Showing 3 changed files with 114 additions and 2 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,6 @@
+repos:
+  - repo: https://github.com/ibm/detect-secrets
+    rev: 0.13.1+ibm.62.dss
+    hooks:
+      - id: detect-secrets # pragma: whitelist secret
+        args: [--baseline, .secrets.baseline, --use-all-plugins, --fail-on-unaudited]
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -0,0 +1,106 @@
+{
+  "exclude": {
+    "files": "^.secrets.baseline$",
+    "lines": null
+  },
+  "generated_at": "2024-06-04T15:10:53Z",
+  "plugins_used": [
+    {
+      "name": "AWSKeyDetector"
+    },
+    {
+      "name": "ArtifactoryDetector"
+    },
+    {
+      "name": "AzureStorageKeyDetector"
+    },
+    {
+      "base64_limit": 4.5,
+      "name": "Base64HighEntropyString"
+    },
+    {
+      "name": "BasicAuthDetector"
+    },
+    {
+      "name": "BoxDetector"
+    },
+    {
+      "name": "CloudantDetector"
+    },
+    {
+      "ghe_instance": "github.ibm.com",
+      "name": "GheDetector"
+    },
+    {
+      "name": "GitHubTokenDetector"
+    },
+    {
+      "hex_limit": 3,
+      "name": "HexHighEntropyString"
+    },
+    {
+      "name": "IbmCloudIamDetector"
+    },
+    {
+      "name": "IbmCosHmacDetector"
+    },
+    {
+      "name": "JwtTokenDetector"
+    },
+    {
+      "keyword_exclude": null,
+      "name": "KeywordDetector"
+    },
+    {
+      "name": "MailchimpDetector"
+    },
+    {
+      "name": "NpmDetector"
+    },
+    {
+      "name": "PrivateKeyDetector"
+    },
+    {
+      "name": "SlackDetector"
+    },
+    {
+      "name": "SoftlayerDetector"
+    },
+    {
+      "name": "SquareOAuthDetector"
+    },
+    {
+      "name": "StripeDetector"
+    },
+    {
+      "name": "TwilioKeyDetector"
+    }
+  ],
+  "results": {
+    "README.md": [
+      {
+        "hashed_secret": "17407b9f6b814464de51ccc98f24c5a54163c6f2",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 105,
+        "type": "Secret Keyword",
+        "verified_result": null
+      }
+    ],
+    "charts/ecosystem/templates/dex-config.yaml": [
+      {
+        "hashed_secret": "d2e2ab0f407e4ee3cf2ab87d61c31b25a74085e5",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 26,
+        "type": "Secret Keyword",
+        "verified_result": null
+      }
+    ]
+  },
+  "version": "0.13.1+ibm.62.dss",
+  "word_list": {
+    "file": null,
+    "hash": null
+  }
+}
diff --git a/charts/ecosystem/templates/couchdb-secret.yaml b/charts/ecosystem/templates/couchdb-secret.yaml
@@ -5,7 +5,7 @@
 {{- $existingSecret := (lookup "v1" "Secret" .Release.Namespace $couchdbSecretName) }}
 {{- if $existingSecret }}
 {{- $user = printf (index $existingSecret.data "COUCHDB_USER") | b64dec }}
-{{- $password = printf (index $existingSecret.data "COUCHDB_PASSWORD") | b64dec }}
+{{- $password = printf (index $existingSecret.data "COUCHDB_PASSWORD") | b64dec }} #Not a secret but logic for a kube secret #pragma: allowlist secret 
 {{- end -}}
 
 
@@ -16,5 +16,5 @@ metadata:
 type: Opaque
 stringData:
   COUCHDB_USER: "{{ $user }}"
-  COUCHDB_PASSWORD: "{{ $password }}"
+  COUCHDB_PASSWORD: "{{ $password }}" #Not a secret but logic for a kube secret #pragma: allowlist secret 
   GALASA_RAS_TOKEN: "{{ printf "%s:%s" $user $password | b64enc }}"