Skip to content

Commit

Permalink
Run scan secrets as CLI or Docker
Browse files Browse the repository at this point in the history
  • Loading branch information
stefaniuk committed Oct 9, 2023
1 parent 7b94f14 commit f8b9e84
Show file tree
Hide file tree
Showing 3 changed files with 58 additions and 20 deletions.
3 changes: 3 additions & 0 deletions .tool-versions
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,9 @@ pre-commit 3.4.0
# ==============================================================================
# The section below is reserved for Docker image versions.

# gitleaks, SEE: https://github.com/gitleaks/gitleaks/pkgs/container/gitleaks
# docker/ghcr.io/gitleaks/gitleaks v8.18.0@sha256:fd2b5cab12b563d2cc538b14631764a1c25577780e3b7dba71657d58da45d9d9

# terraform, SEE: https://hub.docker.com/r/hashicorp/terraform/tags
# docker/hashicorp/terraform 1.5.6@sha256:180a7efa983386a27b43657ed610e9deed9e6c3848d54f9ea9b6cb8a5c8c25f5

Expand Down
4 changes: 2 additions & 2 deletions scripts/docker/docker.lib.sh
Original file line number Diff line number Diff line change
Expand Up @@ -168,7 +168,7 @@ function docker-get-image-version-and-pull() {
local versions_file="${TOOL_VERSIONS:=$(git rev-parse --show-toplevel)/.tool-versions}"
local version="latest"
if [ -f "$versions_file" ]; then
line=$(grep "docker/${name} " "$versions_file" | sed "s/^#\s*//; s/\s*#.*$//" | grep "${match_version:-'.*'}")
line=$(grep "docker/${name} " "$versions_file" | sed "s/^#\s*//; s/\s*#.*$//" | grep "${match_version:-".*"}")
[ -n "$line" ] && version=$(echo "$line" | awk '{print $2}')
fi

Expand All @@ -177,7 +177,7 @@ function docker-get-image-version-and-pull() {
local digest="$(echo "$version" | sed 's/^.*@//')"

# Check if the image exists locally already
if ! docker images | awk '{ print $1 ":" $2 }' | grep "^${name}:${tag}$"; then
if ! docker images | awk '{ print $1 ":" $2 }' | grep -q "^${name}:${tag}$"; then
if [ "$digest" != "latest" ]; then
# Pull image by the digest sha256 and tag it
docker pull \
Expand Down
71 changes: 53 additions & 18 deletions scripts/githooks/scan-secrets.sh
Original file line number Diff line number Diff line change
Expand Up @@ -4,13 +4,15 @@

set -euo pipefail

# Pre-commit git hook to scan for secrets hardcoded in the codebase.
# Pre-commit git hook to scan for secrets hard-coded in the codebase.
#
# Usage:
# $ check={whole-history,last-commit,staged-changes} ./scan-secrets.sh
# $ ./scan-secrets.sh
#
# Options:
# VERBOSE=true # Show all the executed commands, default is `false`
# check={whole-history,last-commit,staged-changes} # Type of the check to run, default is `staged-changes`
# VERBOSE=true # Show all the executed commands, default is `false`
# FORCE_USE_DOCKER=true # If set to true the command is run in a Docker container, default is 'false'
#
# Exit codes:
# 0 - No leaks present
Expand All @@ -19,39 +21,72 @@ set -euo pipefail

# ==============================================================================

# SEE: https://github.com/gitleaks/gitleaks/pkgs/container/gitleaks, use the `linux/amd64` os/arch
image_version=v8.18.0@sha256:fd2b5cab12b563d2cc538b14631764a1c25577780e3b7dba71657d58da45d9d9

# ==============================================================================

function main() {

cd "$(git rev-parse --show-toplevel)"

if command -v gitleaks > /dev/null 2>&1 && ! is-arg-true "${FORCE_USE_DOCKER:-false}"; then
dir="$PWD"
cmd="$(get-cmd-to-run)" cli-run-gitleaks
else
dir="/workdir"
cmd="$(get-cmd-to-run)" docker-run-gitleaks
fi
}

# Get Gitleaks command to execute and configuration.
# Arguments (provided as environment variables):
# dir=[project's top-level directory]
function get-cmd-to-run() {

check=${check:-staged-changes}
case $check in
"whole-history")
cmd="detect --source /scan --verbose --redact"
cmd="detect --source $dir --verbose --redact"
;;
"last-commit")
cmd="detect --source /scan --verbose --redact --log-opts -1"
cmd="detect --source $dir --verbose --redact --log-opts -1"
;;
"staged-changes")
cmd="protect --source /scan --verbose --staged"
cmd="protect --source $dir --verbose --staged"
;;
esac
# Include base line file if it exists
if [ -f "$PWD/scripts/config/.gitleaks-baseline.json" ]; then
cmd="$cmd --baseline-path /scan/scripts/config/.gitleaks-baseline.json"
if [ -f "$dir/scripts/config/.gitleaks-baseline.json" ]; then
cmd="$cmd --baseline-path $dir/scripts/config/.gitleaks-baseline.json"
fi
# Include the config file
cmd="$cmd --config $dir/scripts/config/gitleaks.toml"

echo "$cmd"
}

# Run Gitleaks natively.
# Arguments (provided as environment variables):
# cmd=[command to run]
function cli-run-gitleaks() {

# shellcheck disable=SC2086
gitleaks $cmd
}

# Run Gitleaks in a Docker container.
# Arguments (provided as environment variables):
# cmd=[command to run]
# dir=[directory to mount as a volume]
function docker-run-gitleaks() {

# shellcheck disable=SC1091
source ./scripts/docker/docker.lib.sh

# shellcheck disable=SC2155
local image=$(name=ghcr.io/gitleaks/gitleaks docker-get-image-version-and-pull)
# shellcheck disable=SC2086
docker run --rm --platform linux/amd64 \
--volume "$PWD":/scan \
--workdir /scan \
ghcr.io/gitleaks/gitleaks:$image_version \
$cmd \
--config /scan/scripts/config/gitleaks.toml
--volume "$PWD:$dir" \
--workdir $dir \
"$image" \
$cmd
}

# ==============================================================================
Expand Down

0 comments on commit f8b9e84

Please sign in to comment.