refactor: configuration codespell, gitleaks and todocheck (hadenlabs#23)

luismayta · Apr 6, 2021 · 0a7fa1d · 0a7fa1d
1 parent 30bb76c
commit 0a7fa1d
Show file tree

Hide file tree

Showing 4 changed files with 229 additions and 36 deletions.
diff --git a/.codespell-ignores b/.codespell-ignores
@@ -0,0 +1,2 @@
+
+cas
diff --git a/.github/linters/.gitleaks.toml b/.github/linters/.gitleaks.toml
@@ -0,0 +1,183 @@
+title = "gitleaks config"
+
+[[rules]]
+    description = "AWS Access Key"
+    regex = '''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'''
+    tags = ["key", "AWS"]
+
+[[rules]]
+    description = "AWS cred file info"
+    regex = '''(?i)(aws_access_key_id|aws_secret_access_key)(.{0,20})?=.[0-9a-zA-Z\/+]{20,40}'''
+    tags = ["AWS"]
+
+[[rules]]
+    description = "AWS Secret Key"
+    regex = '''(?i)aws(.{0,20})?(?-i)['\"][0-9a-zA-Z\/+]{40}['\"]'''
+    tags = ["key", "AWS"]
+
+[[rules]]
+    description = "AWS MWS key"
+    regex = '''amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'''
+    tags = ["key", "AWS", "MWS"]
+
+[[rules]]
+    description = "Twitter Secret Key"
+    regex = '''(?i)twitter(.{0,20})?['\"][0-9a-z]{35,44}['\"]'''
+    tags = ["key", "Twitter"]
+
+[[rules]]
+    description = "Twitter Client ID"
+
+    regex = '''(?i)twitter(.{0,20})?['\"][0-9a-z]{18,25}['\"]'''
+    tags = ["client", "Twitter"]
+
+[[rules]]
+    description = "Github"
+    regex = '''(?i)github(.{0,20})?(?-i)['\"][0-9a-zA-Z]{35,40}['\"]'''
+    tags = ["key", "Github"]
+
+[[rules]]
+    description = "LinkedIn Client ID"
+    regex = '''(?i)linkedin(.{0,20})?(?-i)['\"][0-9a-z]{12}['\"]'''
+    tags = ["client", "LinkedIn"]
+
+[[rules]]
+    description = "LinkedIn Secret Key"
+    regex = '''(?i)linkedin(.{0,20})?['\"][0-9a-z]{16}['\"]'''
+    tags = ["secret", "LinkedIn"]
+
+[[rules]]
+    description = "Slack"
+    regex = '''xox[baprs]-([0-9a-zA-Z]{10,48})?'''
+    tags = ["key", "Slack"]
+
+[[rules]]
+    description = "EC"
+    regex = '''-----BEGIN EC PRIVATE KEY-----'''
+    tags = ["key", "EC"]
+
+[[rules]]
+    description = "Google API key"
+    regex = '''AIza[0-9A-Za-z\\-_]{35}'''
+    tags = ["key", "Google"]
+
+[[rules]]
+    description = "Heroku API key"
+    regex = '''(?i)heroku(.{0,20})?['"][0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['"]'''
+    tags = ["key", "Heroku"]
+
+[[rules]]
+    description = "MailChimp API key"
+    regex = '''(?i)(mailchimp|mc)(.{0,20})?['"][0-9a-f]{32}-us[0-9]{1,2}['"]'''
+    tags = ["key", "Mailchimp"]
+
+[[rules]]
+    description = "Mailgun API key"
+    regex = '''(?i)(mailgun|mg)(.{0,20})?['"][0-9a-z]{32}['"]'''
+    tags = ["key", "Mailgun"]
+
+[[rules]]
+    description = "PayPal Braintree access token"
+    regex = '''access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}'''
+    tags = ["key", "Paypal"]
+
+[[rules]]
+    description = "Picatic API key"
+    regex = '''sk_live_[0-9a-z]{32}'''
+    tags = ["key", "Picatic"]
+
+[[rules]]
+    description = "Slack Webhook"
+    regex = '''https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}'''
+    tags = ["key", "slack"]
+
+[[rules]]
+    description = "Stripe API key"
+    regex = '''(?i)stripe(.{0,20})?['\"'][sk|rk]_live_[0-9a-zA-Z]{24}'''
+    tags = ["key", "Stripe"]
+
+[[rules]]
+    description = "Square access token"
+    regex = '''sq0atp-[0-9A-Za-z\-_]{22}'''
+    tags = ["key", "square"]
+
+[[rules]]
+    description = "Square OAuth secret"
+    regex = '''sq0csp-[0-9A-Za-z\\-_]{43}'''
+    tags = ["key", "square"]
+
+[[rules]]
+    description = "Twilio API key"
+    regex = '''(?i)twilio(.{0,20})?['\"][0-9a-f]{32}['\"]'''
+    tags = ["key", "twilio"]
+
+[[rules]]
+    description = "Env Var"
+    regex = '''(?i)(apikey|secret|key|api|password|pass|pw|host)=[0-9a-zA-Z-_.{}]{4,120}'''
+    tags = ["env"]
+
+[[rules]]
+    description = "Email"
+    regex = '''[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}'''
+    tags = ["email"]
+    [rules.allowlist]
+        description = "ignore emails"
+        regexes = [
+            '''[a-zA-Z0-9._%+-]+@users.noreply.github.com''',
+            '''git@github.com''',
+            '''git@gitlab.com''',
+            '''slovacus@gmail.com''',
+            '''hola@hadenlabs.com''',
+            '''support@hadenlbas.com''',
+            '''support@hadenlabs.com''',
+        ]
+
+[[rules]]
+    description = "High Entropy"
+    regex = '''[0-9a-zA-Z-_!{}/=]{4,120}'''
+    file = '''(?i)(dump.sql|high-entropy-misc.txt)$'''
+    tags = ["entropy"]
+    [[rules.Entropies]]
+        Min = "4.3"
+        Max = "7.0"
+    [rules.allowlist]
+        description = "ignore some"
+        files = ['''(.*pub|env)$''']
+        paths = ['''(security.*)''']
+
+[[rules]]
+    description = "Potential bash var"
+    regex='''(?i)(=)([0-9a-zA-Z-_!{}=]{4,120})'''
+    tags = ["key", "bash", "API", "generic"]
+        [[rules.Entropies]]
+            Min = "3.5"
+            Max = "4.5"
+            Group = "1"
+
+[[rules]]
+    description = "WP-Config"
+    regex='''define(.{0,20})?(DB_CHARSET|NONCE_SALT|LOGGED_IN_SALT|AUTH_SALT|NONCE_KEY|DB_HOST|DB_PASSWORD|AUTH_KEY|SECURE_AUTH_KEY|LOGGED_IN_KEY|DB_NAME|DB_USER)(.{0,20})?['|"'].{10,120}['|"']'''
+    tags = ["key", "API", "generic"]
+
+[[rules]]
+    description = "Files with keys and credentials"
+    file = '''(?i)(id_rsa|passwd|id_rsa.pub|pgpass|pem|ppk)'''
+    tags = ["key", "credentials"]
+
+# Global allowlist
+[allowlist]
+    description = "files allowlists"
+    files = [
+      '''(.*?)(jpg|gif|doc|pdf|bin)$''',
+      '''^\.gitignore$''',
+      '''^\.gitleaks.toml$''',
+      '''^yarn.lock$''',
+    ]
+
+[whitelist]
+	description = "Ignore gitleaks config"
+	files = [
+    '''^\.gitleaks.toml$''',
+    '''^\.gitignore$''',
+    '''^yarn.lock$''',
+  ]
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -8,6 +8,17 @@ repos:
     rev: v2.11.1
     hooks:
       - id: validate_manifest
+  - repo: https://github.com/codespell-project/codespell
+    rev: v2.0.0
+    hooks:
+      - id: codespell
+        args: [--ignore-words=.codespell-ignores]
+        exclude: >
+          (?x)^(
+            .+\.vendor\/.*$|
+            .+\.node_modules\/.*$|
+            .+\.lock$|
+          )$
   - repo: https://github.com/Lucas-C/pre-commit-hooks-safety
     rev: v1.2.1
     hooks:
@@ -19,7 +30,7 @@ repos:
         args: []
         files: .py$
   - repo: https://github.com/pre-commit/mirrors-pylint
-    rev: v2.7.2
+    rev: v3.0.0a1
     hooks:
       - id: pylint
         exclude: __pycache__|migrations|conf.py|_build|.tox|pootle/static|pootle/translations|pootle/locale|pootle/assets|templates
@@ -70,47 +81,42 @@ repos:
       - id: file-contents-sorter
       - id: fix-encoding-pragma
       - id: sort-simple-yaml
-      - id: mixed-line-ending
-        fix: lr
       - id: check-executables-have-shebangs
-  - repo: https://github.com/tcassou/python-pre-commit-hooks
-    rev: 3383e2f83463370cf4651040fb697a636bb0374e
-    hooks:
-      - id: do_not_commit
   - repo: https://github.com/asottile/blacken-docs
     rev: v1.10.0
     hooks:
       - id: blacken-docs
         additional_dependencies:
           - black
-  - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.48.0
+  - repo: https://github.com/hadenlabs/pre-commit-hooks
+    rev: 6f7317eaab25367265066d5cdfaebfe8ae466377
     hooks:
-      - id: terraform_docs
-      - id: terraform_tflint
+      - id: do-not-commit
+      - id: markdown-link-check
+        exclude: \.tpl.md$
+      - id: shellcheck
+        exclude: (^provision/script/wait-for-it.sh$|^provision/git/hooks/prepare-commit-msg$)
         args:
-          - '--args=--config=__GIT_WORKING_DIR__/.github/linters/.tflint.hcl'
-      - id: terragrunt_fmt
-      - id: terraform_fmt
-      - id: terraform_tfsec
-      - id: checkov
-  - repo: git://github.com/dnephin/pre-commit-golang
-    rev: v0.3.5
-    hooks:
+          - --exclude=SC1072,SC1073,SC2068
       - id: validate-toml
       - id: no-go-testing
       - id: golangci-lint
-  - repo: https://github.com/shellcheck-py/shellcheck-py
-    rev: v0.7.1.1
-    hooks:
-      - id: shellcheck
-        exclude: (^provision/script/wait-for-it.sh$|^provision/git/hooks/prepare-commit-msg$)
+
+      - id: terraform-docs
+      - id: terraform-tflint
         args:
-          - --exclude=SC1072,SC1073,SC2068
-  - repo: https://github.com/IamTheFij/docker-pre-commit
-    rev: v2.0.0
-    hooks:
-      - id: docker-compose-check
+          - '--config=.github/linters/.tflint.hcl'
+      - id: terragrunt-fmt
+      - id: terraform-fmt
+      - id: terraform-tfsec
+
+      - id: checkov
+      - id: todocheck
+      - id: gitleaks
+        args:
+          - --path=.
+          - --repo-config-path=.github/linters/.gitleaks.toml
+          - --verbose
   - repo: local
     hooks:
       - id: prettier
@@ -139,10 +145,3 @@ repos:
         entry: node_modules/stylelint/bin/stylelint.js --config=.github/linters/.stylintrc --syntax less **/*.less
         args: [--fix]
         files: \.(css|scss|sass|less)$
-      - id: dockerfile-provides-entrypoint
-        name: hadolint
-        description: Lint Dockerfiles with hadolint
-        language: docker_image
-        entry: --entrypoint /bin/hadolint hadolint/hadolint:latest --ignore DL3008 --ignore DL3013 --ignore DL3018 --ignore DL3008 --ignore DL4006 --ignore SC2001 --ignore SC2086 --ignore SC2102 -
-        types: [file]
-        files: Dockerfile(.*)
diff --git a/.todocheck.yaml b/.todocheck.yaml
@@ -0,0 +1,9 @@
+origin: github.com/hadenlabs/terraform-aws-openvpn
+issue_tracker: GITHUB
+auth:
+  type: none
+ignored:
+  - vendor/
+  - node_modules/
+custom_todos:
+  - '@fix'