From 2dc7da92c8081159fafb2d0458217d7a6e1911a9 Mon Sep 17 00:00:00 2001 From: Philip Gichuhi Date: Tue, 13 Aug 2024 17:20:33 +0300 Subject: [PATCH] Update secrets scanning workflow --- .github/workflows/gradle-build.yml | 6 +- .github/workflows/preview-and-release.yml | 12 +- .secrets.baseline | 282 +++++++++++----------- 3 files changed, 151 insertions(+), 149 deletions(-) diff --git a/.github/workflows/gradle-build.yml b/.github/workflows/gradle-build.yml index 0ebbfda7fc2..d200426957f 100644 --- a/.github/workflows/gradle-build.yml +++ b/.github/workflows/gradle-build.yml @@ -18,8 +18,10 @@ jobs: java-version: 21 distribution: 'temurin' cache: gradle - - name: Detect Secrets - uses: RobertFischer/detect-secrets-action@v2.0.0 + - name: Detect secrets + run: | + pip install detect-secrets + git ls-files -z | xargs -0 detect-secrets-hook --baseline .secrets.baseline - name: Grant Execute permission for gradlew run: chmod +x gradlew - name: Build with Gradle diff --git a/.github/workflows/preview-and-release.yml b/.github/workflows/preview-and-release.yml index b9c42ffd24a..58b67582fa2 100644 --- a/.github/workflows/preview-and-release.yml +++ b/.github/workflows/preview-and-release.yml @@ -37,8 +37,10 @@ jobs: java-version: ${{ env.JAVA_VERSION }} distribution: ${{ env.JAVA_DISTRIBUTION}} cache: gradle - - name: Easy detect-secrets - uses: RobertFischer/detect-secrets-action@v2.0.0 + - name: Detect secrets + run: | + pip install detect-secrets + git ls-files -z | xargs -0 detect-secrets-hook --baseline .secrets.baseline - name: Download File run: .\scripts\decodeAndWrite.ps1 -encodedValue $env:ENCODED_VALUE -outputPath $env:OUTPUT_PATH shell: pwsh @@ -70,8 +72,10 @@ jobs: java-version: ${{ env.JAVA_VERSION }} distribution: ${{ env.JAVA_DISTRIBUTION}} cache: gradle - - name: Easy detect-secrets - uses: RobertFischer/detect-secrets-action@v2.0.0 + - name: Detect secrets + run: | + pip install detect-secrets + git ls-files -z | xargs -0 detect-secrets-hook --baseline .secrets.baseline - name: Download File run: .\scripts\decodeAndWrite.ps1 -encodedValue $env:ENCODED_VALUE -outputPath $env:OUTPUT_PATH shell: pwsh diff --git a/.secrets.baseline b/.secrets.baseline index cd595090cdf..6c35446437b 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -1,143 +1,139 @@ -{ - "version": "1.5.0", - "plugins_used": [ - { - "name": "ArtifactoryDetector" - }, - { - "name": "AWSKeyDetector" - }, - { - "name": "AzureStorageKeyDetector" - }, - { - "name": "Base64HighEntropyString", - "limit": 4.5 - }, - { - "name": "BasicAuthDetector" - }, - { - "name": "CloudantDetector" - }, - { - "name": "DiscordBotTokenDetector" - }, - { - "name": "GitHubTokenDetector" - }, - { - "name": "GitLabTokenDetector" - }, - { - "name": "HexHighEntropyString", - "limit": 3.0 - }, - { - "name": "IbmCloudIamDetector" - }, - { - "name": "IbmCosHmacDetector" - }, - { - "name": "IPPublicDetector" - }, - { - "name": "JwtTokenDetector" - }, - { - "name": "KeywordDetector", - "keyword_exclude": "" - }, - { - "name": "MailchimpDetector" - }, - { - "name": "NpmDetector" - }, - { - "name": "OpenAIDetector" - }, - { - "name": "PrivateKeyDetector" - }, - { - "name": "PypiTokenDetector" - }, - { - "name": "SendGridDetector" - }, - { - "name": "SlackDetector" - }, - { - "name": "SoftlayerDetector" - }, - { - "name": "SquareOAuthDetector" - }, - { - "name": "StripeDetector" - }, - { - "name": "TelegramBotTokenDetector" - }, - { - "name": "TwilioKeyDetector" - } - ], - "filters_used": [ - { - "path": "detect_secrets.filters.allowlist.is_line_allowlisted" - }, - { - "path": "detect_secrets.filters.common.is_baseline_file", - "filename": ".secrets.baseline" - }, - { - "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", - "min_level": 2 - }, - { - "path": "detect_secrets.filters.heuristic.is_indirect_reference" - }, - { - "path": "detect_secrets.filters.heuristic.is_likely_id_string" - }, - { - "path": "detect_secrets.filters.heuristic.is_lock_file" - }, - { - "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string" - }, - { - "path": "detect_secrets.filters.heuristic.is_potential_uuid" - }, - { - "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign" - }, - { - "path": "detect_secrets.filters.heuristic.is_sequential_string" - }, - { - "path": "detect_secrets.filters.heuristic.is_swagger_file" - }, - { - "path": "detect_secrets.filters.heuristic.is_templated_secret" - }, - { - "path": "detect_secrets.filters.HexHighEntropyString.should_exclude_file", - "pattern": [ - "release-please-config.json" - ] - }, - { - "path": "detect_secrets.filters.regex.should_exclude_file", - "pattern": [ - "release-please-config.json" - ] - } - ], - "results": {}, - "generated_at": "2024-05-08T12:56:29Z" -} +{ + "version": "1.5.0", + "plugins_used": [ + { + "name": "ArtifactoryDetector" + }, + { + "name": "AWSKeyDetector" + }, + { + "name": "AzureStorageKeyDetector" + }, + { + "name": "Base64HighEntropyString", + "limit": 4.5 + }, + { + "name": "BasicAuthDetector" + }, + { + "name": "CloudantDetector" + }, + { + "name": "DiscordBotTokenDetector" + }, + { + "name": "GitHubTokenDetector" + }, + { + "name": "GitLabTokenDetector" + }, + { + "name": "HexHighEntropyString", + "limit": 3.0 + }, + { + "name": "IbmCloudIamDetector" + }, + { + "name": "IbmCosHmacDetector" + }, + { + "name": "IPPublicDetector" + }, + { + "name": "JwtTokenDetector" + }, + { + "name": "KeywordDetector", + "keyword_exclude": "" + }, + { + "name": "MailchimpDetector" + }, + { + "name": "NpmDetector" + }, + { + "name": "OpenAIDetector" + }, + { + "name": "PrivateKeyDetector" + }, + { + "name": "PypiTokenDetector" + }, + { + "name": "SendGridDetector" + }, + { + "name": "SlackDetector" + }, + { + "name": "SoftlayerDetector" + }, + { + "name": "SquareOAuthDetector" + }, + { + "name": "StripeDetector" + }, + { + "name": "TelegramBotTokenDetector" + }, + { + "name": "TwilioKeyDetector" + } + ], + "filters_used": [ + { + "path": "detect_secrets.filters.allowlist.is_line_allowlisted" + }, + { + "path": "detect_secrets.filters.common.is_baseline_file", + "filename": ".secrets.baseline" + }, + { + "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", + "min_level": 2 + }, + { + "path": "detect_secrets.filters.heuristic.is_indirect_reference" + }, + { + "path": "detect_secrets.filters.heuristic.is_likely_id_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_lock_file" + }, + { + "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_potential_uuid" + }, + { + "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign" + }, + { + "path": "detect_secrets.filters.heuristic.is_sequential_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_swagger_file" + }, + { + "path": "detect_secrets.filters.heuristic.is_templated_secret" + }, + { + "path": "detect_secrets.filters.regex.should_exclude_file", + "pattern": [ + "src/main/java/com/microsoft/graph/generated/.*", + "release-please-config.json", + "kiota-lock.json" + ] + } + ], + "results": {}, + "generated_at": "2024-08-13T14:19:43Z" +}