chore: use gitleaks for secret scanning #610

Merged
merged 11 commits into from
Sep 4, 2024

Conversation

lvrach
Member

@lvrach lvrach commented Aug 28, 2024

Description

Makefile

Add a sec target to the Makefile:

  • scan secrets using gitleaks, doing a full git history scan
  • run go vuln checks

sec also runs as part of make lint

.gitleaksignore is used to skip already-known secrets

Github action

Using the official gitleaks-action; some notes:

  • GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}. This is required since we are an org. The GITLEAKS_LICENSE is configured on the org level.
  • GITLEAKS_NOTIFY_USER_LIST is set up to notify the @rudderlabs/security-alerts alias.

The workflow is configured to be triggered in multiple ways:

on:
  pull_request:  # commenting on the thread
  push: # when we push to a branch, but we don't have a PR yet
  workflow_dispatch: # allow to run manually
  schedule:
    - cron: "0 13 * * *" # run once a day at 13:00 UTC, helping discover secrets from new detection mechanisms 

Linear Ticket

https://linear.app/rudderstack/issue/PRI-36/use-gitleaks-for-secret-scanning

Refs PRI-36

Security

  • The code changed/added as part of this pull request won't create any security issues with how the software is being used.
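The complete workflow that the on: block above belongs to, written out here as an added example rather than the PR's own file. It assumes actions/checkout@v4 and gitleaks/gitleaks-action@v2, and adds fetch-depth: 0, since the default shallow checkout leaves most of the history out of a scheduled full-history scan.

```yaml
# Added example: .github/workflows/gitleaks.yml (not the file from this PR).
# Assumed action versions: actions/checkout@v4, gitleaks/gitleaks-action@v2.
name: gitleaks

on:
  pull_request:        # comments on the PR thread
  push:                # branches pushed before a PR exists
  workflow_dispatch:   # allow a manual run
  schedule:
    - cron: "0 13 * * *"  # daily at 13:00 UTC, so new detection rules are re-applied to old history

permissions:
  contents: read
  pull-requests: write   # assumption: lets the action post review comments with a restricted GITHUB_TOKEN

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # default is 1; a shallow clone would leave earlier commits unscanned
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}          # used by the action to comment on the PR
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}  # required for organisations; stored at org level
          GITLEAKS_NOTIFY_USER_LIST: "@rudderlabs/security-alerts"
```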

@lvrach lvrach requested a review from fracasula August 28, 2024 08:47
@@ -0,0 +1 @@
PASSWORD=410871d6-c66f-4052-83d7-78add2a56e2b
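Review bot: the PASSWORD=410871d6-... line in test_git_leaks_ci.txt is a canary for checking that the action fires, and the bot comment shows it working in commit c7b2e4a; before merge, make sure the file is gone from the final tree (the squash merge then keeps the canary out of main's history), otherwise the daily full-history scan will keep reporting it or require its fingerprint in .gitleaksignore.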
Contributor

🛑 Gitleaks has detected a secret with rule-id generic-api-key in commit c7b2e4a.
If this secret is a true positive, please rotate the secret ASAP.

If this secret is a false positive, you can add the fingerprint below to your .gitleaksignore file and commit the change to this branch.

echo c7b2e4ae3cde679f36228101162a8a63ac91e576:test_git_leaks_ci.txt:generic-api-key:1 >> .gitleaksignore

@@ -0,0 +1 @@
PASSWORD=410871d6-c66f-4052-83d7-78add2a56e2b
Contributor

🛑 Gitleaks has detected a secret with rule-id generic-api-key in commit c7b2e4a.
If this secret is a true positive, please rotate the secret ASAP.

If this secret is a false positive, you can add the fingerprint below to your .gitleaksignore file and commit the change to this branch.

echo c7b2e4ae3cde679f36228101162a8a63ac91e576:test_git_leaks_ci.txt:generic-api-key:1 >> .gitleaksignore

cc @lvrach,@SumanthPuram,@psrikanth88

@@ -0,0 +1 @@
PASSWORD=410871d6-c66f-4052-83d7-78add2a56e2b
Contributor

🛑 Gitleaks has detected a secret with rule-id generic-api-key in commit c7b2e4a.
If this secret is a true positive, please rotate the secret ASAP.

If this secret is a false positive, you can add the fingerprint below to your .gitleaksignore file and commit the change to this branch.

echo c7b2e4ae3cde679f36228101162a8a63ac91e576:test_git_leaks_ci.txt:generic-api-key:1 >> .gitleaksignore

cc @rudderlabs/security-alerts

@@ -0,0 +1,14 @@
f0b67e93831d16b7f6618632ad44d718c8318b87:sftp/testdata/ssh/test_key:private-key:1
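Review bot: each fingerprint here is scoped to one commit, path, rule and line (commit:file:rule:line), so the entry for sftp/testdata/ssh/test_key only silences the copy introduced in f0b67e93; the same key surfacing in another commit is reported again, which is the right behaviour for a history scan. Since these keys no longer exist at HEAD (per the thread below), record in the commit message why the 14 entries are ignored so the list is not later read as a set of accepted live secrets.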
Collaborator

I merged a PR a while back to remove these. Are you sure some of these lines are still relevant? Last time I removed all the RSA keys. Of course it will still complain about the certificates though.

Member Author

It is still part of git history; running secret scanning on the latest didn't detect anything. The work to remove RSA keys is still important to avoid false positives moving forward.

@lvrach lvrach enabled auto-merge (squash) September 4, 2024 09:03
@lvrach lvrach merged commit a8ac9a5 into main Sep 4, 2024
14 checks passed
@lvrach lvrach deleted the chore.secret-scanning branch September 4, 2024 09:09