Update Git hooks and add secret scanning

TritonSE · Dec 13, 2023 · 16de805 · 16de805
1 parent f6da7dd
commit 16de805
Show file tree

Hide file tree

Showing 7 changed files with 500 additions and 4 deletions.
diff --git a/.github/workflows/lint-check.yml b/.github/workflows/lint-check.yml
@@ -0,0 +1,36 @@
+name: Lint and style checks
+
+on:
+  pull_request:
+    branches:
+      main
+
+jobs:
+  backend:
+    name: Backend lint and style check
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - uses: actions/setup-node@v3
+    - working-directory: backend # Change this to the name of your backend directory
+      run: |
+        npm ci
+        npm run lint-check
+  frontend:
+    name: Frontend lint and style check
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - uses: actions/setup-node@v3
+    - working-directory: frontend # Change this to the name of your frontend directory
+      run: |
+        npm ci
+        npm run lint-check
+  secret-scan:
+    name: Secret scan
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - uses: actions/setup-node@v3
+    - run: |
+        node .secret-scan/secret-scan.js
diff --git a/.husky/lint-config.sh b/.husky/lint-config.sh
@@ -1,9 +1,10 @@
 # This config file is sourced by the pre-commit script.
+# shellcheck disable=SC2034,SC2148
 
 # Change 1 to 0 to disable linting.
 enabled=1
 
-# Directories containing Node.js projects to be linted, separated by spaces.
+# Directories containing JavaScript projects to be linted, separated by spaces.
 node_dirs='backend frontend'
 
 # Command used to run a lint check.

diff --git a/.husky/pre-commit b/.husky/pre-commit
@@ -3,6 +3,8 @@
 # produces a "cannot spawn" error with a bash shebang, since it uses dash.
 # However, dash is not available on many Unix-like systems.
 
+# shellcheck disable=SC2317
+
 log() {
 	echo "${0}: ${*}" >&2
 }
@@ -61,7 +63,7 @@ ask_yes_no() {
 	fi
 
 	while :; do
-		printf "${0}: ${prompt}"
+		printf "%s: %s" "${0}" "${prompt}"
 		read -r selection
 		selection="$(parse_yes_no "${selection}")"
 
@@ -86,7 +88,7 @@ ask_yes_no() {
 explain_no_verify() {
 	log "If you wish to bypass the lint check entirely,"
 	log "use the following command:"
-	log "    git commit --no-verify"
+	log "    NO_LINT=1 git commit"
 }
 
 dir_check() {
@@ -176,12 +178,17 @@ cancel() {
 
 main() {
 	config_file="$(dirname "${0}")/lint-config.sh"
+
+	# shellcheck source=./lint-config.sh
 	if ! . "${config_file}"; then
 		error "Error while sourcing config file '${config_file}'."
 		exit 1
 	fi
 
-	if [ "${enabled}" -eq 0 ]; then
+	secret_scan_script="$(dirname "${0}")/../.secret-scan/secret-scan.js"
+	node "${secret_scan_script}" || exit
+
+	if [ "${enabled}" = 0 ] || [ "${NO_LINT}" = 1 ]; then
 		warn "Lint check has been disabled."
 		exit 0
 	fi

diff --git a/.husky/pre-push b/.husky/pre-push
@@ -0,0 +1,3 @@
+#!/bin/sh
+secret_scan_script="$(dirname "${0}")/../.secret-scan/secret-scan.js"
+node "${secret_scan_script}"
diff --git a/.secret-scan/.gitignore b/.secret-scan/.gitignore
@@ -0,0 +1,2 @@
+/secret-scan-cache.json
+/secret-scan-report.json
diff --git a/.secret-scan/secret-scan-config.json b/.secret-scan/secret-scan-config.json
@@ -0,0 +1,27 @@
+{
+  "//": [
+    "To prevent a particular string from being flagged, add it (or a substring",
+    "of it) to this array. This can be useful if your repository contains an",
+    "example of what a credential should look like, a development credential",
+    "(e.g. a database on localhost), or a previously leaked credential that",
+    "has already been revoked. Obviously, do not put active credentials here."
+  ],
+  "allowedStrings": ["mongodb://127.0.0.1", "mongodb://localhost"],
+  "//": [
+    "Regexes used to scan the repository contents for secrets.",
+    "If possible, try to make the regex match the entire secret, or",
+    "allowedStrings might not work as expected. For example, if a regex",
+    "matches only 'mongodb', this string by itself does not contain any of the",
+    "strings in the allowlist, so it will still be flagged."
+  ],
+  "secretRegexes": {
+    "mongodbUrl": "mongodb([+]srv)?://[^\\s]+",
+    "firebaseJsonPrivateKeyFile": "-----BEGIN PRIVATE KEY-----[^\\s]+"
+  },
+  "//": [
+    "Do not check for secrets in these files. You should almost always use",
+    "allowedStrings instead of this. We only add these files because they",
+    "naturally contain things that look like secrets, but aren't."
+  ],
+  "skippedFiles": [".secret-scan/secret-scan-cache.json", ".secret-scan/secret-scan-config.json"]
+}