Introduce seekret #69

jcscottiii · 2016-08-16T16:23:04Z

This PR introduces Git-Seekret

Installs git-seekret from source
- Installs Go
- Installs LibGit2
Sets up templateDir

Setup of git-seekret per repo cases covered

After checkout / clone or repos.
For existing repos
Sets up pre-commit hook

Rules enabled

Mandrill Username, Password
AWS ID, Key, Secret
New Relic license key

Screenshot of the after clone case

Gotchas:
To ensure reliable of installation of git-seekret there are some options that need to happen, either:

Git-seekret needs to vendor / pin their dependencies or,
Git-seekret needs to create releases

UX of it catching an error:

$ echo "password = 'this is super secret'" > new_file
$ git add new_file
$ git commit
Found Secrets: 1
        new_file:1
            - Metadata:
              status: test
            - Rule:
              password.password
            - Content:
              password = 'this is super secret'

Before merge read #69 (comment) 👀

Update https://github.com/18F/laptop/blob/seekret/mac#L238 to reference master
Update https://github.com/18F/laptop/blob/seekret/seekrets-install#L55 to reference master
Promote the branch names to master from seekret #118

rogeruiz · 2016-10-24T16:12:36Z

@alain-hoang This would be a good place to have standup although it'll be a little like talking into the void. But raise any concerns, questions, comments, funny memes 😉 in here and we can triage them with other engineers intrested in helping out. 👍

rogeruiz · 2016-10-26T18:15:11Z

👀 look at the tests failure here. @alain-hoang

alain-hoang · 2016-10-27T21:16:39Z

See #83 for more information on these failures

…nstall

And do we really need git-secrets? Nope.

This addresses downloading of the seekret rules via a curl request to a well known location for the rulesets.

* basic functional tests for git-seekrets

* Add tests for installation check * Enable/disable tests for rulesets

* Tests for true positives in test repo

* Addresses repeatable installation for BATS

This makes sure that AWS keys are not mistaken for New Relic license keys.

This reverts commit e22aeb8.

* See #116 for further information

Rename properties to not contain rule name

* See #120

Seekret documentation

Make sure AWS secrets start with AWS

monfresh · 2016-12-21T16:57:58Z

mac

-# git secrets --add --allowed --global 'sha.*[A-Za-z0-9]{40}' || true
-# git secrets --add --allowed --global 'secure:.*' || true
+# TODO: Change to master for merge
+curl -s https://raw.githubusercontent.com/18F/laptop/seekret/seekrets-install | sh -


Just leaving a reminder here to change the path to point to master before merging.

Use files in `seekret-rules` to determine defaults

monfresh

LGTM. I was able to install it and running git seekret check -c 0 against the identity-idp repo found no offenses, after Roger fixed the aws.rule regex.

rogeruiz · 2016-12-21T17:16:49Z

Waiting on the last test results to pass then I'll be merging in #118 into #69 and then #69 into master. 🎉 thanks everyone! 🙇

This should only be merged once #69 is ready to be merged into the `master` branch. Do not merge this until #69 is totally ready!

Promote the branch names to master from seekret

konklone · 2016-12-22T08:18:13Z

How difficult would this be to extract from the laptop repository? We also would want to use this on potential Linux environments, and it'd be nice to make it reusable by others (and garner contributions from others) who aren't using our laptop configuration system.

rogeruiz · 2016-12-22T13:05:21Z

@konklone not very difficult at all. The main repository for git-seekret is forked here and the main lib for that is forked here. @LinuxBozo had tried getting Linux support out of the box but assumptions about curl were made and need to be revisited.

To extract the installation from this repo, we would just need to move a few things:

the git-seekret documentation
seekrets-install script
- modify the install script to point to a new location that isn't the 18F/laptop repository for downloading / reading the rulesets and the installation script itself.
seekret-rules/*.rule rule files
the BATS tests test directory

rogeruiz · 2016-12-22T15:24:22Z

Conversation moved to 18F/git-seekret#11

LinuxBozo force-pushed the seekret branch from 93c828a to b56be1c Compare October 6, 2016 18:52

This was referenced Oct 6, 2016

Testing of seekrets rulesets using BATS #74

Closed

Download & enable rulesets during installation of seekrets #75

Closed

LinuxBozo force-pushed the seekret branch from b56be1c to 6222931 Compare October 6, 2016 19:43

jcscottiii mentioned this pull request Oct 6, 2016

[WIP] Add bats in Travis build #76

Closed

This was referenced Oct 6, 2016

New seekret ruleset for Mandrill/Mailchimp #77

Closed

git secrets commands aren't safe to run multiple times #65

Closed

Check for git version 2.9+ when installing seekrets #79

Closed

alain-hoang mentioned this pull request Oct 27, 2016

Seekrets install - download and enable rulesets #83

Merged

James C. Scott and others added 11 commits December 5, 2016 13:57

Introduce seekret

dcb62b5

More WIP to install seekrets, this time with separate script

6213b66

Install bats

352dda3

Clean up for shellcheck and make sure we're shellcheck'ing seekrets-i…

cb3caed

…nstall

Mac mktemp uses deprecated -t over -p

01f03f2

And do we really need git-secrets? Nope.

Addresses #79 by checking git version

ed0cc03

Handle #75. Downlaod of seekret rules

f860711

This addresses downloading of the seekret rules via a curl request to a well known location for the rulesets.

Handle #75. Download and enabling of seekret rulesets

65a81e8

Address build warnings

9be311c

Simplify enable rulesets logic

75b20ef

Actually enable rules

786415c

LinuxBozo force-pushed the seekret branch from 3ca0860 to 786415c Compare December 5, 2016 18:58

alain-hoang added 6 commits December 5, 2016 14:05

WIP for #74. Testing of seekrets rulesets using bats

29cfde4

* basic functional tests for git-seekrets

WIP for #74.

72c7e02

* Add tests for installation check * Enable/disable tests for rulesets

WIP for #74

50a6528

* Tests for true positives in test repo

WIP for #74

ab51830

* Addresses repeatable installation for BATS

Build script to generate git seekrets binaries

9e73de7

Addresses #74

f7e2e4b

alain-hoang and others added 4 commits December 20, 2016 17:50

Update logic checking for rules in newrelic keys test

09b348a

Updated rules based on feedback #112

5fde43f

Fix the tests; 🔑

9ae1849

This makes sure that AWS keys are not mistaken for New Relic license keys.

Revert "Fix the tests; 🔑"

f5b82e9

This reverts commit e22aeb8.

rogeruiz changed the title ~~[WIP] Introduce seekret~~ Introduce seekret Dec 21, 2016

rogeruiz and others added 10 commits December 21, 2016 09:52

Rename properties to not contain rule name

0a6337d

Use files in seekret-rules to determine defaults

181b608

Rename test docs

ad773b6

Updated git-seekret documentation

e798e76

* See #116 for further information

Merge pull request #119 from 18F/update-rule-names

2e83b74

Rename properties to not contain rule name

Really make sure we have defaults no matter what

cb5ac3d

Update README with reminder on adding new rule

de89560

* See #120

Fix grammar

b05dc09

Updated BATS information

2d5ea9b

Merge pull request #121 from 18F/seekret-documentation

556d178

Seekret documentation

rogeruiz changed the title ~~Introduce seekret~~ [ work in progress ] Introduce seekret Dec 21, 2016

rogeruiz and others added 2 commits December 21, 2016 11:48

Make sure they start with AWS

02060d2

Merge pull request #122 from 18F/better-aws-tests

bd91c8a

Make sure AWS secrets start with AWS

monfresh reviewed Dec 21, 2016

View reviewed changes

Merge pull request #120 from 18F/default-rules-should-come-from-repo

a15d872

Use files in `seekret-rules` to determine defaults

monfresh approved these changes Dec 21, 2016

View reviewed changes

rogeruiz changed the title ~~[ work in progress ] Introduce seekret~~ Introduce seekret Dec 21, 2016

rogeruiz and others added 2 commits December 21, 2016 12:59

Promote the branch names to master from seekret;

4945bdd

This should only be merged once #69 is ready to be merged into the `master` branch. Do not merge this until #69 is totally ready!

Merge pull request #118 from 18F/seekret-master-blaster

3bc005f

Promote the branch names to master from seekret

rogeruiz merged commit c62a279 into master Dec 21, 2016

rogeruiz deleted the seekret branch December 21, 2016 18:49

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Introduce seekret #69

Introduce seekret #69

jcscottiii commented Aug 16, 2016 •

edited by rogeruiz

Loading

rogeruiz commented Oct 24, 2016

rogeruiz commented Oct 26, 2016 •

edited

Loading

alain-hoang commented Oct 27, 2016

monfresh Dec 21, 2016

monfresh left a comment

rogeruiz commented Dec 21, 2016

konklone commented Dec 22, 2016

rogeruiz commented Dec 22, 2016 •

edited

Loading

rogeruiz commented Dec 22, 2016

Introduce seekret #69

Introduce seekret #69

Conversation

jcscottiii commented Aug 16, 2016 • edited by rogeruiz Loading

Before merge read #69 (comment) 👀

rogeruiz commented Oct 24, 2016

rogeruiz commented Oct 26, 2016 • edited Loading

alain-hoang commented Oct 27, 2016

monfresh Dec 21, 2016

Choose a reason for hiding this comment

monfresh left a comment

Choose a reason for hiding this comment

rogeruiz commented Dec 21, 2016

konklone commented Dec 22, 2016

rogeruiz commented Dec 22, 2016 • edited Loading

rogeruiz commented Dec 22, 2016

jcscottiii commented Aug 16, 2016 •

edited by rogeruiz

Loading

rogeruiz commented Oct 26, 2016 •

edited

Loading

rogeruiz commented Dec 22, 2016 •

edited

Loading