From 6e6045da4471876e49bb49a066fef762845982c9 Mon Sep 17 00:00:00 2001
From: Kenichi Kamiya
Date: Tue, 31 Dec 2024 17:48:59 +0900
Subject: [PATCH] =?UTF-8?q?=F0=9F=8D=84=20Replace=20gitleaks=20with=20truf?=
 =?UTF-8?q?flehog=20and=20runs=20it=20in=20global=20pre-push=20hook=20?=
 =?UTF-8?q?=F0=9F=90=BD=20(#1013)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Replace gitleaks with trufflehog
* Enable the trufflehog in pre-push hook. Intentionally avoided linting and pre-commit phase.
* Add a shell alias as `hog`
---
 .github/workflows/gitleaks.yml | 31 ---------------------------
 .github/workflows/scan-secrets.yml | 22 +++++++++++++++++++
 .gitleaks.toml | 14 ------------
 cmd/deps/main.go | 2 +-
 cmd/lint/main.go | 3 +--
 flake.nix | 2 +-
 home-manager/common.nix | 3 +++
 home-manager/packages.nix | 2 +-
 pkgs/git-hooks-pre-push/package.nix | 3 ++-
 pkgs/git-hooks-pre-push/pre-push.bash | 12 ++++++++++-
 10 files changed, 42 insertions(+), 52 deletions(-)
 delete mode 100644 .github/workflows/gitleaks.yml
 create mode 100644 .github/workflows/scan-secrets.yml
 delete mode 100644 .gitleaks.toml

diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
deleted file mode 100644
index 1a497ca8..00000000
--- a/.github/workflows/gitleaks.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-name: 💧
-on: [pull_request, push, workflow_dispatch]
-jobs:
- gitleaks:
- timeout-minutes: 15
- name: gitleaks
- runs-on: ubuntu-24.04
- env:
- CLI_VERSION: '8.21.2' # selfup {"extract":"\\d[^']+","replacer":["gitleaks", "version"]}
- steps:
- # gitleaks-action is unfree since v2, Don't refer the code even if used in personal repositories
- # However I also don't use nixpkgs version here. The Nix footprint is much annoy for this purpose.
- # So simply uses the pre-built CLI here.
- - name: Install
- # TODO: Add checksum
- run: |
- curl -OL https://github.com/gitleaks/gitleaks/releases/download/v${{ env.CLI_VERSION }}/gitleaks_${{ env.CLI_VERSION }}_linux_x64.tar.gz
- tar zxvf gitleaks_${{ env.CLI_VERSION }}_linux_x64.tar.gz
- mkdir --parents /home/runner/.gitleaks/bin
- mv gitleaks /home/runner/.gitleaks/bin
- echo '/home/runner/.gitleaks/bin' >> $GITHUB_PATH
- working-directory: ${{ runner.temp }}
- env:
- GH_TOKEN: ${{ github.token }}
- - uses: actions/checkout@v4
- with:
- fetch-depth: 0 # Getting all refs for git mode
- - name: Run
- run: |
- gitleaks version
- gitleaks git . --redact=100
diff --git a/.github/workflows/scan-secrets.yml b/.github/workflows/scan-secrets.yml
new file mode 100644
index 00000000..42cf3040
--- /dev/null
+++ b/.github/workflows/scan-secrets.yml
@@ -0,0 +1,22 @@
+name: 🙈 # TODO: Extract into external repository might be reasonable for these public repositories
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ workflow_dispatch:
+
+jobs:
+ trufflehog: # 🍄 🐽
+ timeout-minutes: 15
+ runs-on: ubuntu-24.04
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0 # Getting all refs for git mode
+ - name: Secret Scanning
+ # Okay for using the latest since specified the CLI version below. Consider to pin with a tag if the project looks unstable
+ uses: trufflesecurity/trufflehog@e98dfa50f8f39c8197c55d4be05bc10c51f4e500 # main
+ with:
+ extra_args: --results=verified,unknown
+ version: '3.88.0' # selfup {"extract":"\\d[^']+","replacer":["bash", "-c", "trufflehog --version 2>&1"],"nth":2}
diff --git a/.gitleaks.toml b/.gitleaks.toml
deleted file mode 100644
index f9c0708f..00000000
--- a/.gitleaks.toml
+++ /dev/null
@@ -1,14 +0,0 @@
-[extend]
-# useDefault will extend the base configuration with the default gitleaks config:
-# https://github.com/zricethezav/gitleaks/blob/master/config/gitleaks.toml
-useDefault = true
-
-[allowlist]
-stopwords = [
- # This pattern was detected in `facebook-page-access-token`, but I believe this is a false positive.
- # See GH-783 for detail
- # https://github.com/kachick/dotfiles/pull/783#issuecomment-2345176253
- # https://gist.github.com/cocopon/a04be63f5e0856daa594702299c13160#file-iceberg-terminal-L170
- # https://github.com/gitleaks/gitleaks/pull/1372
- '''EAAC2z2Rlc2MAAAAAAAAAFklFQyBodHRwOi8vd3d3LmllYy5j''',
-]
diff --git a/cmd/deps/main.go b/cmd/deps/main.go
index 3fe029d2..8f529c40
--- a/cmd/deps/main.go
+++ b/cmd/deps/main.go
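Review bot: The new workflow declares no `permissions:` block, so the job's `GITHUB_TOKEN` runs with the repository's default token scope even though the job only needs to read the checkout; I'd add `permissions:` / `  contents: read` at the top level to keep the secret scanner itself least-privileged. Pinning the action to a commit SHA with a `# main` label and then fixing the CLI via `version: '3.88.0'` is the right shape. Note that the `push` trigger is limited to `main`, so commits on other branches are covered only by the pre-push hook until a pull request is opened; that gap is worth stating next to the `# TODO` comment so nobody treats the hook's escape hatch as harmless.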
@@ -15,7 +15,7 @@ func main() {
 {Path: "shellcheck", Args: []string{"--version"}},
 {Path: "shfmt", Args: []string{"--version"}},
 {Path: "typos", Args: []string{"--version"}},
- {Path: "gitleaks", Args: []string{"version"}},
+ {Path: "trufflehog", Args: []string{"--version"}},
 {Path: "stylua", Args: []string{"--version"}},
 {Path: "nixpkgs-lint", Args: []string{"--version"}},
 {Path: "goreleaser", Args: []string{"--version"}},
diff --git a/cmd/lint/main.go b/cmd/lint/main.go
index 993beb25..64d351bf
--- a/cmd/lint/main.go
+++ b/cmd/lint/main.go
@@ -20,11 +20,10 @@ func main() {
 bashPaths := walker.GetAllBash()
 markdownPaths := walker.GetAllMarkdown()
+ // Don't add secrets scanner here. It should be done in pre-push hook now.
 cmds := runner.Commands{
 {Path: "shellcheck", Args: bashPaths},
 {Path: "typos", Args: constants.GetTyposTargetedRoots()},
- // No git makes 4x+ faster
- {Path: "gitleaks", Args: []string{"dir", "."}},
 {Path: "go", Args: []string{"vet", "./..."}},
 {Path: "nixpkgs-lint", Args: []string{"."}},
 {Path: "markdownlint-cli2", Args: markdownPaths},
diff --git a/flake.nix b/flake.nix
index 3650de69..61a97fa7
--- a/flake.nix
+++ b/flake.nix
@@ -103,7 +103,6 @@
 (with pkgs; [
 # https://github.com/NixOS/nix/issues/730#issuecomment-162323824
 bashInteractive
- gitleaks
 cargo-make
 ])
 ++ (pkgs.lib.optionals pkgs.stdenv.isLinux (
@@ -133,6 +132,7 @@
 (ruby_3_4.withPackages (ps: with ps; [ rubocop ]))
 ])
 ++ (with pkgs.unstable; [
+ trufflehog # https://github.com/NixOS/nixpkgs/pull/362139
 dprint
 ])
diff --git a/home-manager/common.nix b/home-manager/common.nix
index f9baffbe..dd9b326a
--- a/home-manager/common.nix
+++ b/home-manager/common.nix
@@ -85,6 +85,9 @@
 # https://github.com/NixOS/nixpkgs/pull/344193
 "zed" = "zeditor";
+
+ # I can't remember the spells...
+ "hog" = "trufflehog";
 };
 };
diff --git a/home-manager/packages.nix b/home-manager/packages.nix
index 5313130d..e25c72a0
--- a/home-manager/packages.nix
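Review bot: The added comment `// Don't add secrets scanner here. It should be done in pre-push hook now.` in cmd/lint/main.go leaves out a coverage change the next maintainer would want to know: the removed `gitleaks dir .` scanned the working tree, whereas the hook runs `trufflehog git` against the pushed branch, so secrets sitting in untracked or uncommitted files are no longer caught by any local step. I'd extend it to `// Don't add a secrets scanner here: trufflehog runs in the pre-push hook (git history of the pushed branch) and in the CI scan-secrets workflow.` followed by `// Unlike the old gitleaks dir scan, uncommitted files are not covered.` The body of `main` continues outside the hunk.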
+++ b/home-manager/packages.nix
@@ -81,7 +81,7 @@
 riffdiff # `riff`
 gnumake
 go-task # Installing for enabling shell completion easy
- gitleaks
+ unstable.trufflehog
 ruby_3_4
 _7zz # `7zz` - 7zip. Command is not 7zip.
diff --git a/pkgs/git-hooks-pre-push/package.nix b/pkgs/git-hooks-pre-push/package.nix
index 050feb55..eecfe36c
--- a/pkgs/git-hooks-pre-push/package.nix
+++ b/pkgs/git-hooks-pre-push/package.nix
@@ -2,10 +2,11 @@ pkgs.writeShellApplication rec {
 name = "pre-push";
 text = builtins.readFile ./${name}.bash;
- meta.description = "#540";
+ meta.description = "GH-540 and GH-699";
 runtimeInputs = with pkgs; [
 typos
 coreutils # `basename`
+ unstable.trufflehog
 my.run_local_hook
 ];
 runtimeEnv = {
diff --git a/pkgs/git-hooks-pre-push/pre-push.bash b/pkgs/git-hooks-pre-push/pre-push.bash
index 48652712..8a97535d
--- a/pkgs/git-hooks-pre-push/pre-push.bash
+++ b/pkgs/git-hooks-pre-push/pre-push.bash
@@ -1,5 +1,15 @@
+# Avoiding -o error: https://stackoverflow.com/a/7832158
+# This is an escape hatch for large repository
+DO_HOOK=${RUN_GITHOOK_HOG:-true}
+
 # list of arguments: https://git-scm.com/docs/githooks#_pre_push
-while read -r _local_ref _local_oid remote_ref _remote_oid; do
+while read -r local_ref _local_oid remote_ref _remote_oid; do
+ # - trufflehog pre-commit hook having crucial limitations. https://github.com/trufflesecurity/trufflehog/blob/v3.88.0/README.md?plain=1#L628-L629
+ # - Adding `--since-commit main` made 10x slower... :<
+ if [[ "$DO_HOOK" != "false" ]]; then
+ trufflehog git "file://${PWD}" --results='verified,unknown' --branch "$local_ref" --fail
+ fi
+
 # Git ref is not a file path, but avoiding a typos bug for slash
 # https://github.com/crate-ci/typos/issues/758
 basename "$remote_ref" | typos --config "$TYPOS_CONFIG_PATH" -
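Review bot: `runtimeInputs` in package.nix gains `unstable.trufflehog`, but the hook's `trufflehog git` source mode, as far as I know, shells out to the `git` binary, which is not listed; it presumably works only because git itself invokes the hook with git already on PATH. Adding `git` next to `unstable.trufflehog` makes that dependency explicit and keeps the closure self-describing, the same way `coreutils # \`basename\`` is already justified inline. The `runtimeEnv` attribute set continues outside the hunk.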
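Review bot: Deleting a remote branch (`git push origin --delete foo`) is broken by the new guard in pre-push.bash: per the githooks document linked above the loop, git then passes `(delete)` as the local ref with an all-zero local oid, so `--branch "$local_ref"` hands trufflehog a ref that does not exist, and under writeShellApplication's default `set -e` the non-zero exit blocks the deletion. Skip that case in the condition: `if [[ "$DO_HOOK" != "false" && "$local_ref" != "(delete)" ]]; then`. Also worth a one-line comment that both `RUN_GITHOOK_HOG=false` and `git push --no-verify` bypass this check, so the CI scan-secrets workflow remains the authoritative scan. The `while` loop's `done` lies outside the hunk.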