Merge pull request #79 from Ouranosinc/fix-secrets-scan

Ouranosinc · Dec 18, 2024 · e0ac07d · e0ac07d
2 parents 5088ed4 + 21d51d6
commit e0ac07d
Show file tree

Hide file tree

Showing 2 changed files with 118 additions and 18 deletions.
diff --git a/.github/.gitleaks.toml b/.github/.gitleaks.toml
@@ -0,0 +1,117 @@
+# Original:
+#   https://raw.githubusercontent.com/zricethezav/gitleaks-action/master/.gitleaks.toml
+title = "gitleaks config"
+[[rules]]
+	description = "AWS Manager ID"
+	regex = '''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'''
+	tags = ["key", "AWS"]
+[[rules]]
+	description = "AWS Secret Key"
+	regex = '''(?i)aws(.{0,20})?(?-i)['\"][0-9a-zA-Z\/+]{40}['\"]'''
+	tags = ["key", "AWS"]
+[[rules]]
+	description = "AWS MWS key"
+	regex = '''amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'''
+	tags = ["key", "AWS", "MWS"]
+[[rules]]
+	description = "Facebook Secret Key"
+	regex = '''(?i)(facebook|fb)(.{0,20})?(?-i)['\"][0-9a-f]{32}['\"]'''
+	tags = ["key", "Facebook"]
+[[rules]]
+	description = "Facebook Client ID"
+	regex = '''(?i)(facebook|fb)(.{0,20})?['\"][0-9]{13,17}['\"]'''
+	tags = ["key", "Facebook"]
+[[rules]]
+	description = "Twitter Secret Key"
+	regex = '''(?i)twitter(.{0,20})?['\"][0-9a-z]{35,44}['\"]'''
+	tags = ["key", "Twitter"]
+[[rules]]
+	description = "Twitter Client ID"
+	regex = '''(?i)twitter(.{0,20})?['\"][0-9a-z]{18,25}['\"]'''
+	tags = ["client", "Twitter"]
+[[rules]]
+	description = "Github"
+	regex = '''(?i)github(.{0,20})?(?-i)['\"][0-9a-zA-Z]{35,40}['\"]'''
+	tags = ["key", "Github"]
+[[rules]]
+	description = "LinkedIn Client ID"
+	regex = '''(?i)linkedin(.{0,20})?(?-i)['\"][0-9a-z]{12}['\"]'''
+	tags = ["client", "LinkedIn"]
+[[rules]]
+	description = "LinkedIn Secret Key"
+	regex = '''(?i)linkedin(.{0,20})?['\"][0-9a-z]{16}['\"]'''
+	tags = ["secret", "LinkedIn"]
+[[rules]]
+	description = "Slack"
+	regex = '''xox[baprs]-([0-9a-zA-Z]{10,48})?'''
+	tags = ["key", "Slack"]
+[[rules]]
+	description = "Asymmetric Private Key"
+	regex = '''-----BEGIN ((EC|PGP|DSA|RSA|OPENSSH) )?PRIVATE KEY( BLOCK)?-----'''
+	tags = ["key", "AsymmetricPrivateKey"]
+[[rules]]
+	description = "Generic Credential"
+	regex = '''(?i)(api_key|apikey|secret)(.{0,20})?['|"][0-9a-zA-Z]{16,45}['|"]'''
+	tags = ["key", "API", "generic"]
+	[rules.allowlist]
+        description = "ignore old commit secret (v0.1.0)"
+        commits = ["11cdaf9bb4ffa9eb060ae58dd81268012fd60c28"]
+        paths = ['''magpie/security.py''']
+        regexes = ['''randomsecretstring''']
+[[rules]]
+	description = "Google API key"
+	regex = '''AIza[0-9A-Za-z\\-_]{35}'''
+	tags = ["key", "Google"]
+[[rules]]
+	description = "Heroku API key"
+	regex = '''(?i)heroku(.{0,20})?['"][0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['"]'''
+	tags = ["key", "Heroku"]
+[[rules]]
+	description = "MailChimp API key"
+	regex = '''(?i)(mailchimp|mc)(.{0,20})?['"][0-9a-f]{32}-us[0-9]{1,2}['"]'''
+	tags = ["key", "Mailchimp"]
+[[rules]]
+	description = "Mailgun API key"
+	regex = '''(?i)(mailgun|mg)(.{0,20})?['"][0-9a-z]{32}['"]'''
+	tags = ["key", "Mailgun"]
+[[rules]]
+	description = "PayPal Braintree access token"
+	regex = '''access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}'''
+	tags = ["key", "Paypal"]
+[[rules]]
+	description = "Picatic API key"
+	regex = '''sk_live_[0-9a-z]{32}'''
+	tags = ["key", "Picatic"]
+[[rules]]
+	description = "SendGrid API Key"
+	regex = '''SG\.[\w_]{16,32}\.[\w_]{16,64}'''
+	tags = ["key", "SendGrid"]
+[[rules]]
+	description = "Slack Webhook"
+	regex = '''https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}'''
+	tags = ["key", "slack"]
+[[rules]]
+	description = "Stripe API key"
+	regex = '''(?i)stripe(.{0,20})?['\"][sk|rk]_live_[0-9a-zA-Z]{24}'''
+	tags = ["key", "Stripe"]
+[[rules]]
+	description = "Square access token"
+	regex = '''sq0atp-[0-9A-Za-z\-_]{22}'''
+	tags = ["key", "square"]
+[[rules]]
+	description = "Square OAuth secret"
+	regex = '''sq0csp-[0-9A-Za-z\\-_]{43}'''
+	tags = ["key", "square"]
+[[rules]]
+	description = "Twilio API key"
+	regex = '''(?i)twilio(.{0,20})?['\"][0-9a-f]{32}['\"]'''
+	tags = ["key", "twilio"]
+[allowlist]
+    description = "Allowlisted files"
+    files = [
+    # original contents
+    '''^\.?gitleaks.toml$''',
+    '''(.*?)(jpg|gif|doc|pdf|bin)$''',
+    '''(go.mod|go.sum)$''',
+    # old commit files with false positives or dummy data
+    '''.+(.js.map)$''']
diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml
@@ -36,22 +36,5 @@ jobs:
           fetch-depth: '0'
       - name: Install dependencies
         run: docker pull zricethezav/gitleaks
-      #- run: |
-      #    docker run --name=gitleaks --volume $GITHUB_WORKSPACE:/workspace/ \
-      #    -v --exclude-forks --redact --threads=1 --branch=$GITHUB_REF --repo-path=/workspace/
-      #- run: docker run --rm --name=gitleaks -v /tmp/:/code/ zricethezav/gitleaks -v --repo-path=/code/gitleaks
-      # @todo command is failing
-      #- run: gitleaks -v --exclude-forks --redact --threads=1 --branch=$GITHUB_REF --repo-path=$GITHUB_WORKSPACE
 
-      # FIXME: revert to original repo when (if) they ever consider the fix
-      #     https://github.com/eshork/gitleaks-action/pull/4
-      #     https://github.com/eshork/gitleaks-action/issues/3
-      - uses: fmigneault/gitleaks-action@master
-      #- uses: eshork/[email protected]
-
-      # NOTE:
-      #   does the same as gitleaks-action, but over the whole git history + posts found problem on issue/PR comments
-      #   disable as it causes old (fixed) problems to be detected
-      #- uses: CySeq/gitcret@v2
-      #  env:
-      #    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - uses: gitleaks/[email protected]  # see: https://github.com/gitleaks/gitleaks-action/issues/57