
Add Gitleaks securityTest #389

Merged
merged 21 commits into from
Oct 9, 2019

Conversation

abzcoding
Contributor

@abzcoding abzcoding commented Oct 6, 2019

Closes #366

I'm not sure whether it is better to add Gitleaks as a generic type or as a language type called "git".
Please feel free to guide me on that one.

@abzcoding abzcoding changed the title from "adding gitleaks to analysers #366" to "adding gitleaks to analysers" Oct 6, 2019
@rafaveira3 rafaveira3 added the feature Add a new feature label Oct 6, 2019
@rafaveira3 rafaveira3 self-assigned this Oct 6, 2019
@abzcoding
Contributor Author

abzcoding commented Oct 6, 2019

I've also set the severity of issues based on the rule:

  1. private keys -> high
  2. secrets, non-generic API keys, access-tokens -> medium
  3. others -> low

@rafaveira3 rafaveira3 changed the title from "adding gitleaks to analysers" to "Add Gitleaks securityTest" Oct 6, 2019
@abzcoding
Contributor Author

Because gitleaks outputs stderr into stdout, we cannot decide based on stderr, but we can decide based on the return code:

0: no leaks
1: leaks present
2: error encountered

@rafaveira3
Contributor

Hey, @abzcoding! I am currently working on this cool PR and found an issue. Would you mind confirming it and also helping me debug it? These were the steps I followed:

make install
. .env
make run-client

Although gitleaks found some low vulnerabilities, it did not append them to huskyCIResults:

[screenshot]

@abzcoding
Contributor Author

> Hey, @abzcoding! I am currently working on this cool PR and found an issue. Would you mind confirming it and also helping me debug it? These were the steps I followed:
>
> make install
> . .env
> make run-client
>
> Although gitleaks found some low vulnerabilities, it did not append them to huskyCIResults:
>
> [screenshot]

OK, I'll try to investigate the issue.

@abzcoding
Contributor Author

@rafaveira3 can you verify that the issue has been resolved?

@abzcoding
Contributor Author

> @rafaveira3 can you verify that the issue has been resolved?

In case you wanted to test it against a vulnerable repository:

https://github.com/gitleakstest/gronit

@rafaveira3
Contributor

Hey, @abzcoding! Well, this is awkward... 😅 Would you mind adding that if condition again for the vendor folder? I have run your code in different repositories and it indeed brings a lot of unnecessary information. Could we add both vendor/ and node_modules/?

```go
// dependency issues will not be checked at this moment by huskyCI
if strings.HasPrefix(issue.File, "vendor/") || strings.HasPrefix(issue.File, "node_modules/") {
	continue
}
```

Let's merge it after this last commit! 🚀

@abzcoding abzcoding closed this Oct 9, 2019
@abzcoding abzcoding reopened this Oct 9, 2019
@abzcoding
Contributor Author

> Hey, @abzcoding! Well, this is awkward... 😅 Would you mind adding that if condition again for the vendor folder? I have run your code in different repositories and it indeed brings a lot of unnecessary information. Could we add both vendor/ and node_modules/?
>
> ```go
> // dependency issues will not be checked at this moment by huskyCI
> if strings.HasPrefix(issue.File, "vendor/") || strings.HasPrefix(issue.File, "node_modules/") {
> 	continue
> }
> ```
>
> Let's merge it after this last commit! 🚀

No problem, I've implemented it.

P.S.: I've mistakenly closed and reopened the issue 😀
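Putting the three points raised in this thread together (severity assigned by rule, the exit-code check because stderr is merged into stdout, and the vendor/ and node_modules/ skip), here is an added example in Go; it is not code from this PR or from huskyCI. It assumes gitleaks is run with a JSON report whose entries carry "rule", "file" and "commit" fields, and the rule names used in the test are constructed samples.

```go
package main

import (
	"encoding/json"
	"errors"
	"strings"
)

// leak is the subset of a gitleaks JSON report entry used here
// (the "rule", "file" and "commit" field names are an assumption).
type leak struct {
	Rule     string `json:"rule"`
	File     string `json:"file"`
	Commit   string `json:"commit"`
	Severity string `json:"-"` // assigned below, not part of the report
}

// severityFor applies the PR's tiers: private keys are high; secrets,
// non-generic API keys and access tokens are medium; everything else low.
func severityFor(rule string) string {
	r := strings.ToLower(rule)
	switch {
	case strings.Contains(r, "private key"):
		return "HIGH"
	case strings.Contains(r, "secret"), strings.Contains(r, "access token"),
		strings.Contains(r, "api key") && !strings.Contains(r, "generic"):
		return "MEDIUM"
	}
	return "LOW"
}

// parseGitleaks decides on the exit code first (0 no leaks, 1 leaks, 2 error;
// stderr is merged into stdout), then parses the report and skips dependency folders.
func parseGitleaks(exitCode int, report []byte) ([]leak, error) {
	switch exitCode {
	case 0:
		return nil, nil
	case 2:
		return nil, errors.New("gitleaks exited with code 2 (error)")
	}
	var leaks, kept []leak
	if err := json.Unmarshal(report, &leaks); err != nil {
		return nil, err
	}
	for _, l := range leaks {
		if strings.HasPrefix(l.File, "vendor/") || strings.HasPrefix(l.File, "node_modules/") {
			continue
		}
		l.Severity = severityFor(l.Rule)
		kept = append(kept, l)
	}
	return kept, nil
}
```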

Contributor

@rafaveira3 rafaveira3 left a comment


@abzcoding, thanks a LOT for this contribution! We are certain that gitleaks will help a lot of developers improve the quality of their code in a secure manner. You rock! 🚀🔥

@joserenatosilva joserenatosilva merged commit d252f11 into globocom:master Oct 9, 2019
Successfully merging this pull request may close these issues.

Add gitleaks and/or truffleHog to huskyCI