Gitleaks - Secret Scanning

GooeyAI · Aug 8, 2024 · 78f0141 · 78f0141
1 parent 29829a9
commit 78f0141
Show file tree

Hide file tree

Showing 6 changed files with 55 additions and 2 deletions.
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
@@ -0,0 +1,15 @@
+name: gitleaks
+on: [pull_request, push, workflow_dispatch]
+jobs:
+  scan:
+    name: gitleaks
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}}
+          GITLEAKS_NOTIFY_USER_LIST: '@sandergi'
diff --git a/.gitignore b/.gitignore
@@ -8,7 +8,8 @@ node_modules
 .idea
 .sentryclirc
 
-*.json# Created by https://www.toptal.com/developers/gitignore/api/python,macOS
+*.json
+# Created by https://www.toptal.com/developers/gitignore/api/python,macOS
 # Edit at https://www.toptal.com/developers/gitignore?templates=python,macOS
 
 ### macOS ###
@@ -18,7 +19,8 @@ node_modules
 .LSOverride
 
 # Icon must end with two \r
-Icon
+Icon
+
 
 # Thumbnails
 ._*

diff --git a/.gitleaksignore b/.gitleaksignore
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,12 @@
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+repos:
+-   repo: /~https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.6.0
+    hooks:
+    -   id: end-of-file-fixer
+    -   id: check-yaml
+-   repo: /~https://github.com/gitleaks/gitleaks
+    rev: v8.18.4
+    hooks:
+    -   id: gitleaks
diff --git a/README.md b/README.md
@@ -267,3 +267,9 @@ def upload():
 ```
 
 <img width="636" alt="image" src="/~https://github.com/user-attachments/assets/c3a4aaad-779d-44ef-9a2e-2d76445fa5f4">
+
+### 💣 Secret Scanning
+
+Gitleaks will automatically run pre-commit (see `pre-commit-config.yaml` for details) to prevent commits with secrets in the first place. To test this without committing, run `pre-commit` from the terminal. To skip this check, use `SKIP=gitleaks git commit -m "message"` to commit changes. Preferably, label false positives with the `#gitleaks:allow` comment instead of skipping the check.
+
+Gitleaks will also run in the CI pipeline as a GitHub action on push and pull request (can also be manually triggered in the actions tab on GitHub). To update the baseline of ignored secrets, run `python ./scripts/create_gitleaks_baseline.py` from the venv and commit the changes to `.gitleaksignore`.
diff --git a/scripts/create_gitleaks_baseline.py b/scripts/create_gitleaks_baseline.py
@@ -0,0 +1,18 @@
+#!/usr/bin/env python3
+
+import subprocess
+import json
+
+# create a baseline file
+subprocess.run(
+    ["gitleaks", "detect", "--report-path", "gitleaks-baseline.json"],
+)
+
+# parse the baseline file
+with open("gitleaks-baseline.json") as f:
+    baseline = json.load(f)
+
+# output list of "Fingerprint"s to .gitleaksignore
+with open(".gitleaksignore", "w") as f:
+    for leak in baseline:
+        f.write(leak["Fingerprint"] + "\n")