From 2db920b0f4521296cb3bd27496dcc00471815964 Mon Sep 17 00:00:00 2001 From: Carlo Costino Date: Mon, 20 May 2024 10:57:27 -0400 Subject: [PATCH 1/5] Additional pre-commit hook testing Signed-off-by: Carlo Costino --- .pre-commit-config.yaml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 057c1ec16..f968c06c0 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -2,7 +2,7 @@ # See https://pre-commit.com/hooks.html for more hooks repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v3.2.0 + rev: v4.6.0 hooks: - id: trailing-whitespace - id: end-of-file-fixer @@ -11,3 +11,12 @@ repos: - id: debug-statements - id: check-merge-conflict - id: check-toml + - id: check-ast + - id: fix-byte-order-marker + - id: check-merge-conflict + - id: debug-statements + - id: detect-aws-credentials + args: [--allow-missing-credentials] + - id: detect-private-key + - id: end-of-file-fixer + - id: mixed-line-ending From ff9c8678bb2574ff6509ae0eb3bebaab5ca213c6 Mon Sep 17 00:00:00 2001 From: Carlo Costino Date: Mon, 20 May 2024 11:16:37 -0400 Subject: [PATCH 2/5] Added detect-secrets hook Signed-off-by: Carlo Costino --- .pre-commit-config.yaml | 5 +++++ poetry.lock | 21 ++++++++++++++++++++- pyproject.toml | 1 + 3 files changed, 26 insertions(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index f968c06c0..0f3c83a85 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -20,3 +20,8 @@ repos: - id: detect-private-key - id: end-of-file-fixer - id: mixed-line-ending +- repo: https://github.com/Yelp/detect-secrets + rev: v1.5.0 + hooks: + - id: detect-secrets + args: ['--baseline', '.secrets.baseline'] diff --git a/poetry.lock b/poetry.lock index 877bd19ca..9eda96438 100644 --- a/poetry.lock +++ b/poetry.lock @@ -1041,6 +1041,25 @@ wrapt = ">=1.10,<2" [package.extras] dev = ["PyTest", "PyTest-Cov", "bump2version (<1)", "sphinx (<2)", "tox"] +[[package]] +name = "detect-secrets" +version = "1.5.0" +description = "Tool for detecting secrets in the codebase" +optional = false +python-versions = "*" +files = [ + {file = "detect_secrets-1.5.0-py3-none-any.whl", hash = "sha256:e24e7b9b5a35048c313e983f76c4bd09dad89f045ff059e354f9943bf45aa060"}, + {file = "detect_secrets-1.5.0.tar.gz", hash = "sha256:6bb46dcc553c10df51475641bb30fd69d25645cc12339e46c824c1e0c388898a"}, +] + +[package.dependencies] +pyyaml = "*" +requests = "*" + +[package.extras] +gibberish = ["gibberish-detector"] +word-list = ["pyahocorasick"] + [[package]] name = "distlib" version = "0.3.8" @@ -4729,4 +4748,4 @@ multidict = ">=4.0" [metadata] lock-version = "2.0" python-versions = "^3.12.2" -content-hash = "a2dbec1a5e78a8082150fd0951a67cde6f133f3d7b600a8303f7075498e07f8d" +content-hash = "426ae986eeb1ef7f25aecdb3c6e092edb27be70ce32b5ddf3f616d9d607e95f0" diff --git a/pyproject.toml b/pyproject.toml index e40d05290..23f1407ac 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -105,6 +105,7 @@ requests-mock = "^1.11.0" setuptools = "^69.0.3" sqlalchemy-utils = "^0.41.2" vulture = "^2.10" +detect-secrets = "^1.5.0" [build-system] From 32acf6b694c571cdfa94fc717067ea703408edcd Mon Sep 17 00:00:00 2001 From: Carlo Costino Date: Mon, 20 May 2024 11:34:17 -0400 Subject: [PATCH 3/5] Adjusting baseline file for detect-secrets Signed-off-by: Carlo Costino --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 0f3c83a85..f10ade983 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -24,4 +24,4 @@ repos: rev: v1.5.0 hooks: - id: detect-secrets - args: ['--baseline', '.secrets.baseline'] + args: ['--baseline', '.ds.baseline'] From 125ec9e2984b254dead89d81385f0c71020b8053 Mon Sep 17 00:00:00 2001 From: Carlo Costino Date: Mon, 20 May 2024 11:41:12 -0400 Subject: [PATCH 4/5] Adding audited baseline file for detect-secrets Signed-off-by: Carlo Costino --- .ds.baseline | 388 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 388 insertions(+) create mode 100644 .ds.baseline diff --git a/.ds.baseline b/.ds.baseline new file mode 100644 index 000000000..4fba5f2ce --- /dev/null +++ b/.ds.baseline @@ -0,0 +1,388 @@ +{ + "version": "1.5.0", + "plugins_used": [ + { + "name": "ArtifactoryDetector" + }, + { + "name": "AWSKeyDetector" + }, + { + "name": "AzureStorageKeyDetector" + }, + { + "name": "Base64HighEntropyString", + "limit": 4.5 + }, + { + "name": "BasicAuthDetector" + }, + { + "name": "CloudantDetector" + }, + { + "name": "DiscordBotTokenDetector" + }, + { + "name": "GitHubTokenDetector" + }, + { + "name": "GitLabTokenDetector" + }, + { + "name": "HexHighEntropyString", + "limit": 3.0 + }, + { + "name": "IbmCloudIamDetector" + }, + { + "name": "IbmCosHmacDetector" + }, + { + "name": "IPPublicDetector" + }, + { + "name": "JwtTokenDetector" + }, + { + "name": "KeywordDetector", + "keyword_exclude": "" + }, + { + "name": "MailchimpDetector" + }, + { + "name": "NpmDetector" + }, + { + "name": "OpenAIDetector" + }, + { + "name": "PrivateKeyDetector" + }, + { + "name": "PypiTokenDetector" + }, + { + "name": "SendGridDetector" + }, + { + "name": "SlackDetector" + }, + { + "name": "SoftlayerDetector" + }, + { + "name": "SquareOAuthDetector" + }, + { + "name": "StripeDetector" + }, + { + "name": "TelegramBotTokenDetector" + }, + { + "name": "TwilioKeyDetector" + } + ], + "filters_used": [ + { + "path": "detect_secrets.filters.allowlist.is_line_allowlisted" + }, + { + "path": "detect_secrets.filters.common.is_baseline_file", + "filename": ".secrets.baseline" + }, + { + "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", + "min_level": 2 + }, + { + "path": "detect_secrets.filters.heuristic.is_indirect_reference" + }, + { + "path": "detect_secrets.filters.heuristic.is_likely_id_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_lock_file" + }, + { + "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_potential_uuid" + }, + { + "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign" + }, + { + "path": "detect_secrets.filters.heuristic.is_sequential_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_swagger_file" + }, + { + "path": "detect_secrets.filters.heuristic.is_templated_secret" + } + ], + "results": { + ".github/workflows/checks.yml": [ + { + "type": "Secret Keyword", + "filename": ".github/workflows/checks.yml", + "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8", + "is_verified": false, + "line_number": 27, + "is_secret": false + }, + { + "type": "Basic Auth Credentials", + "filename": ".github/workflows/checks.yml", + "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8", + "is_verified": false, + "line_number": 44, + "is_secret": false + } + ], + ".github/workflows/daily_checks.yml": [ + { + "type": "Secret Keyword", + "filename": ".github/workflows/daily_checks.yml", + "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8", + "is_verified": false, + "line_number": 61, + "is_secret": false + }, + { + "type": "Basic Auth Credentials", + "filename": ".github/workflows/daily_checks.yml", + "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8", + "is_verified": false, + "line_number": 77, + "is_secret": false + } + ], + "app/enums.py": [ + { + "type": "Secret Keyword", + "filename": "app/enums.py", + "hashed_secret": "12322e07b94ee3c7cd65a2952ece441538b53eb3", + "is_verified": false, + "line_number": 123, + "is_secret": false + } + ], + "app/notifications/receive_notifications.py": [ + { + "type": "Base64 High Entropy String", + "filename": "app/notifications/receive_notifications.py", + "hashed_secret": "d70eab08607a4d05faa2d0d6647206599e9abc65", + "is_verified": false, + "line_number": 29, + "is_secret": false + } + ], + "deploy-config/sandbox.yml": [ + { + "type": "Secret Keyword", + "filename": "deploy-config/sandbox.yml", + "hashed_secret": "113151dd10316fcb0d5507b6215d78e2f3fe9e54", + "is_verified": false, + "line_number": 11, + "is_secret": false + } + ], + "sample.env": [ + { + "type": "Basic Auth Credentials", + "filename": "sample.env", + "hashed_secret": "5b98cf4c3d794c8af1fcd7991e89cd4e52fb42a4", + "is_verified": false, + "line_number": 16, + "is_secret": false + } + ], + "tests/app/aws/test_s3.py": [ + { + "type": "Hex High Entropy String", + "filename": "tests/app/aws/test_s3.py", + "hashed_secret": "67a74306b06d0c01624fe0d0249a570f4d093747", + "is_verified": false, + "line_number": 24, + "is_secret": false + } + ], + "tests/app/clients/test_document_download.py": [ + { + "type": "Secret Keyword", + "filename": "tests/app/clients/test_document_download.py", + "hashed_secret": "3acfb2c2b433c0ea7ff107e33df91b18e52f960f", + "is_verified": false, + "line_number": 14, + "is_secret": false + } + ], + "tests/app/clients/test_performance_platform.py": [ + { + "type": "Base64 High Entropy String", + "filename": "tests/app/clients/test_performance_platform.py", + "hashed_secret": "76bb66c38ac4046bf73cd4a2c35a2b0af94aeb61", + "is_verified": false, + "line_number": 84, + "is_secret": false + } + ], + "tests/app/dao/test_services_dao.py": [ + { + "type": "Secret Keyword", + "filename": "tests/app/dao/test_services_dao.py", + "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8", + "is_verified": false, + "line_number": 261, + "is_secret": false + } + ], + "tests/app/dao/test_users_dao.py": [ + { + "type": "Secret Keyword", + "filename": "tests/app/dao/test_users_dao.py", + "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8", + "is_verified": false, + "line_number": 52, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": "tests/app/dao/test_users_dao.py", + "hashed_secret": "f2c57870308dc87f432e5912d4de6f8e322721ba", + "is_verified": false, + "line_number": 176, + "is_secret": false + } + ], + "tests/app/db.py": [ + { + "type": "Secret Keyword", + "filename": "tests/app/db.py", + "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8", + "is_verified": false, + "line_number": 87, + "is_secret": false + } + ], + "tests/app/notifications/test_receive_notification.py": [ + { + "type": "Secret Keyword", + "filename": "tests/app/notifications/test_receive_notification.py", + "hashed_secret": "913a73b565c8e2c8ed94497580f619397709b8b6", + "is_verified": false, + "line_number": 24, + "is_secret": false + }, + { + "type": "Base64 High Entropy String", + "filename": "tests/app/notifications/test_receive_notification.py", + "hashed_secret": "d70eab08607a4d05faa2d0d6647206599e9abc65", + "is_verified": false, + "line_number": 54, + "is_secret": false + } + ], + "tests/app/notifications/test_validators.py": [ + { + "type": "Base64 High Entropy String", + "filename": "tests/app/notifications/test_validators.py", + "hashed_secret": "6c1a8443963d02d13ffe575a71abe19ea731fb66", + "is_verified": false, + "line_number": 768, + "is_secret": false + } + ], + "tests/app/service/test_rest.py": [ + { + "type": "Secret Keyword", + "filename": "tests/app/service/test_rest.py", + "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8", + "is_verified": false, + "line_number": 1274, + "is_secret": false + } + ], + "tests/app/test_cloudfoundry_config.py": [ + { + "type": "Secret Keyword", + "filename": "tests/app/test_cloudfoundry_config.py", + "hashed_secret": "e5e178db7317356946d13e5d2da037d39ac61c71", + "is_verified": false, + "line_number": 12, + "is_secret": false + }, + { + "type": "Basic Auth Credentials", + "filename": "tests/app/test_cloudfoundry_config.py", + "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8", + "is_verified": false, + "line_number": 14, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": "tests/app/test_cloudfoundry_config.py", + "hashed_secret": "cfd48edeb81ba7d48cbddcf1eeede25ba67057e8", + "is_verified": false, + "line_number": 33, + "is_secret": false + } + ], + "tests/app/user/test_rest.py": [ + { + "type": "Secret Keyword", + "filename": "tests/app/user/test_rest.py", + "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8", + "is_verified": false, + "line_number": 106, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": "tests/app/user/test_rest.py", + "hashed_secret": "0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33", + "is_verified": false, + "line_number": 962, + "is_secret": false + } + ], + "tests/notifications_utils/clients/antivirus/test_antivirus_client.py": [ + { + "type": "Secret Keyword", + "filename": "tests/notifications_utils/clients/antivirus/test_antivirus_client.py", + "hashed_secret": "932b25270abe1301c22c709a19082dff07d469ff", + "is_verified": false, + "line_number": 16, + "is_secret": false + } + ], + "tests/notifications_utils/clients/encryption/test_encryption_client.py": [ + { + "type": "Secret Keyword", + "filename": "tests/notifications_utils/clients/encryption/test_encryption_client.py", + "hashed_secret": "f1e923a9667de11be6a210849a8651c1bfd81605", + "is_verified": false, + "line_number": 13, + "is_secret": false + } + ], + "tests/notifications_utils/clients/zendesk/test_zendesk_client.py": [ + { + "type": "Secret Keyword", + "filename": "tests/notifications_utils/clients/zendesk/test_zendesk_client.py", + "hashed_secret": "913a73b565c8e2c8ed94497580f619397709b8b6", + "is_verified": false, + "line_number": 16, + "is_secret": false + } + ] + }, + "generated_at": "2024-05-20T15:20:28Z" +} From 64fb311ac38226400d475d12466dccd430e71e69 Mon Sep 17 00:00:00 2001 From: Carlo Costino Date: Fri, 24 May 2024 10:27:33 -0400 Subject: [PATCH 5/5] Removed duplicate pre-commit hooks Signed-off-by: Carlo Costino --- .pre-commit-config.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index f10ade983..cb3c48cae 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -13,12 +13,9 @@ repos: - id: check-toml - id: check-ast - id: fix-byte-order-marker - - id: check-merge-conflict - - id: debug-statements - id: detect-aws-credentials args: [--allow-missing-credentials] - id: detect-private-key - - id: end-of-file-fixer - id: mixed-line-ending - repo: https://github.com/Yelp/detect-secrets rev: v1.5.0