Update Git hooks and add secret scanning
justinyaodu committed Dec 13, 2023
1 parent f6da7dd commit 16de805
Showing 7 changed files with 500 additions and 4 deletions.
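--- a/.github/workflows/lint-check.yml
+++ b/.github/workflows/lint-check.yml
@@ -0,0 +1,36 @@
+name: Lint and style checks
+
+on:
+pull_request:
+branches:
+main
+
+jobs:
+backend:
+name: Backend lint and style check
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v3
+- uses: actions/setup-node@v3
+- working-directory: backend # Change this to the name of your backend directory
+run: |
+npm ci
+npm run lint-check
+frontend:
+name: Frontend lint and style check
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v3
+- uses: actions/setup-node@v3
+- working-directory: frontend # Change this to the name of your frontend directory
+run: |
+npm ci
+npm run lint-check
+secret-scan:
+name: Secret scan
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v3
+- uses: actions/setup-node@v3
+- run: |
+node .secret-scan/secret-scan.js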
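Review bot: The workflow declares no `permissions:` block, so every job (including the secret scan, which only needs to read the checkout) runs with the repository's default GITHUB_TOKEN permissions; add a top-level `permissions:` with `contents: read` so a compromised dependency pulled in by `npm ci` cannot use the token for more than reading. The `secret-scan` job is also only triggered by `pull_request` on `main`, which means a credential pushed to a feature branch is already on the remote before any server-side scan runs, so a `push:` trigger (`on: [push, pull_request]` or a `push:` key next to `pull_request:`) would catch it earlier. `actions/checkout@v3` and `actions/setup-node@v3` are mutable tags; pinning them to a full commit SHA with a `# vX.Y.Z` comment is the usual supply-chain hardening for a job whose purpose is a security check. Whether the scan covers history or only the shallow checkout depends on secret-scan.js, which is not in this commit.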
3 changes: 2 additions & 1 deletion .husky/lint-config.sh
@@ -1,9 +1,10 @@
# This config file is sourced by the pre-commit script.
# shellcheck disable=SC2034,SC2148

# Change 1 to 0 to disable linting.
enabled=1

# Directories containing Node.js projects to be linted, separated by spaces.
# Directories containing JavaScript projects to be linted, separated by spaces.
node_dirs='backend frontend'

# Command used to run a lint check.
13 changes: 10 additions & 3 deletions .husky/pre-commit
Expand Up @@ -3,6 +3,8 @@
# produces a "cannot spawn" error with a bash shebang, since it uses dash.
# However, dash is not available on many Unix-like systems.

# shellcheck disable=SC2317

log() {
echo "${0}: ${*}" >&2
}
Expand Down Expand Up @@ -61,7 +63,7 @@ ask_yes_no() {
fi

while :; do
printf "${0}: ${prompt}"
printf "%s: %s" "${0}" "${prompt}"
read -r selection
selection="$(parse_yes_no "${selection}")"

Expand All @@ -86,7 +88,7 @@ ask_yes_no() {
explain_no_verify() {
log "If you wish to bypass the lint check entirely,"
log "use the following command:"
log " git commit --no-verify"
log " NO_LINT=1 git commit"
}

dir_check() {
Expand Down Expand Up @@ -176,12 +178,17 @@ cancel() {

main() {
config_file="$(dirname "${0}")/lint-config.sh"

# shellcheck source=./lint-config.sh
if ! . "${config_file}"; then
error "Error while sourcing config file '${config_file}'."
exit 1
fi

if [ "${enabled}" -eq 0 ]; then
secret_scan_script="$(dirname "${0}")/../.secret-scan/secret-scan.js"
node "${secret_scan_script}" || exit

if [ "${enabled}" = 0 ] || [ "${NO_LINT}" = 1 ]; then
warn "Lint check has been disabled."
exit 0
fi
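Review bot: The new `node "${secret_scan_script}" || exit` line runs before the `enabled`/`NO_LINT` check, so turning lint off does not skip the secret scan; that ordering is deliberate and should be stated, because the next person reorganising `main` will not see it from the code. The updated `explain_no_verify` text now steers users to `NO_LINT=1 git commit` instead of `--no-verify`, but `git commit --no-verify` still skips this hook entirely, so the scan here is a local safety net and the CI job remains the only enforcement point. Suggested comment above the scan: `# Secret scan runs unconditionally, before the lint on/off switch; git --no-verify still bypasses it, so CI must scan as well.` The function name `explain_no_verify` no longer matches what it explains and could be renamed. `main()` continues beyond this hunk.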
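--- a/.husky/pre-push
+++ b/.husky/pre-push
@@ -0,0 +1,3 @@
+#!/bin/sh
+secret_scan_script="$(dirname "${0}")/../.secret-scan/secret-scan.js"
+node "${secret_scan_script}"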
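Review bot: The hook ignores the `<local ref> <local sha> <remote ref> <remote sha>` lines git passes on stdin and invokes secret-scan.js with the same arguments as the pre-commit hook, so if that script scans the working tree rather than the commits being pushed (it is not in this commit, so this is inferred), a secret that was committed and later removed would still be pushed in history. Either read stdin and scan the `remote_sha..local_sha` range, or make the limitation explicit with a header comment such as `# Scans the working tree only; commits already in history are not re-checked.` Like the pre-commit hook, this is bypassed by `git push --no-verify`, so it should not be relied on as a control.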
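--- a/.secret-scan/.gitignore
+++ b/.secret-scan/.gitignore
@@ -0,0 +1,2 @@
+/secret-scan-cache.json
+/secret-scan-report.json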
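--- a/.secret-scan/secret-scan-config.json
+++ b/.secret-scan/secret-scan-config.json
@@ -0,0 +1,27 @@
+{
+"//": [
+"To prevent a particular string from being flagged, add it (or a substring",
+"of it) to this array. This can be useful if your repository contains an",
+"example of what a credential should look like, a development credential",
+"(e.g. a database on localhost), or a previously leaked credential that",
+"has already been revoked. Obviously, do not put active credentials here."
+],
+"allowedStrings": ["mongodb://127.0.0.1", "mongodb://localhost"],
+"//": [
+"Regexes used to scan the repository contents for secrets.",
+"If possible, try to make the regex match the entire secret, or",
+"allowedStrings might not work as expected. For example, if a regex",
+"matches only 'mongodb', this string by itself does not contain any of the",
+"strings in the allowlist, so it will still be flagged."
+],
+"secretRegexes": {
+"mongodbUrl": "mongodb([+]srv)?://[^\\s]+",
+"firebaseJsonPrivateKeyFile": "-----BEGIN PRIVATE KEY-----[^\\s]+"
+},
+"//": [
+"Do not check for secrets in these files. You should almost always use",
+"allowedStrings instead of this. We only add these files because they",
+"naturally contain things that look like secrets, but aren't."
+],
+"skippedFiles": [".secret-scan/secret-scan-cache.json", ".secret-scan/secret-scan-config.json"]
+}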
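Review bot: The `firebaseJsonPrivateKeyFile` regex `-----BEGIN PRIVATE KEY-----[^\\s]+` requires a non-whitespace character immediately after the header, which holds for the `\n`-escaped key inside a service-account JSON but not for a real PEM file, where the header is followed by a newline, so a committed `.pem` or `.key` file is not flagged; `RSA`, `EC` and `OPENSSH PRIVATE KEY` headers are missed as well. A header-tolerant form such as `"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----\\s*[^\\s]+"` keeps the "match the whole secret" property the comment asks for while covering both layouts. The `"//"` key is repeated three times, which `JSON.parse` tolerates (last value wins) but strict JSON validators and some editors reject, so if secret-scan.js ever switches to a stricter loader the file will fail to parse. Which loader secret-scan.js uses is not visible in this commit.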
