From c905fe9187c9d42582c4daf457180192907f466b Mon Sep 17 00:00:00 2001
From: Thien Nguyen Le Quynh
Date: Thu, 5 Sep 2024 13:11:24 +0700
Subject: [PATCH] add gitleaks (#985)

* add gitleaks
---
 .github/workflows/nightly-check.yaml | 12 ++++++++++
 .gitleaksignore | 9 +++++++
 .../src/main/resources/application.yaml | 2 +-
 .../src/it/resources/application.properties | 2 +-
 .../src/main/resources/application.properties | 2 +-
 gitleaks.toml | 24 +++++++++++++++++++
 .../src/main/resources/application.yaml | 2 +-
 7 files changed, 49 insertions(+), 4 deletions(-)
 create mode 100644 .github/workflows/nightly-check.yaml
 create mode 100644 .gitleaksignore
 create mode 100644 gitleaks.toml

diff --git a/.github/workflows/nightly-check.yaml b/.github/workflows/nightly-check.yaml
new file mode 100644
index 0000000000..71d446bb3c
--- /dev/null
+++ b/.github/workflows/nightly-check.yaml
@@ -0,0 +1,12 @@
+name: // At the end of every day
+on:
+ schedule:
+ - cron: "0 0 * * *"
+jobs:
+ check:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Gitleaks check
+ run: |
+ docker pull zricethezav/gitleaks:v8.18.4
+ docker run --rm -v ${{ github.workspace }}:/work -w /work zricethezav/gitleaks:v8.18.4 detect --source="." --config="/work/gitleaks.toml" --verbose --no-git
\ No newline at end of file
diff --git a/.gitleaksignore b/.gitleaksignore
new file mode 100644
index 0000000000..a5c114c14a
--- /dev/null
+++ b/.gitleaksignore
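Review bot: The job never checks out the repository: `${{ github.workspace }}` is empty on a fresh runner, so the `docker run` on the last line scans an empty directory and the nightly check passes every time without looking at any code. Add `- uses: actions/checkout@v4` as the first entry under `steps:` (with `fetch-depth: 0` if you also drop `--no-git`, since `--no-git` scans only the checked-out tree and a secret that was committed and later deleted stays in history undetected). A schedule-only trigger also means a leak is reported up to a day after it is merged; a `pull_request:` trigger would block it before merge. Minor: `name: // At the end of every day` reads like a stray comment and becomes the workflow's display name — something like `name: Nightly gitleaks scan` with the cron explained in a `#` comment is clearer, and pinning the image by digest rather than the mutable `v8.18.4` tag would make the scanner itself tamper-evident.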
@@ -0,0 +1,9 @@
+k8s/charts/yas-configuration/values.yaml:generic-api-key:7
+k8s/charts/yas-configuration/values.yaml:generic-api-key:9
+k8s/deploy/cluster-config.yaml:generic-api-key:13
+k8s/deploy/README.md:generic-api-key:80
+k8s/deploy/README.md:generic-api-key:97
+k8s/deploy/README.md:generic-api-key:99
+payment/src/main/resources/db/changelog/data/changelog-0001-provider.sql:generic-api-key:5
+payment/src/main/resources/db/changelog/data/changelog-0001-provider.sql:generic-api-key:5
+payment/src/main/resources/db/changelog/data/changelog-0001-provider.sql:generic-api-key:5
diff --git a/backoffice-bff/src/main/resources/application.yaml b/backoffice-bff/src/main/resources/application.yaml
index 2bc6fdcfb6..46ad81d8ea 100644
--- a/backoffice-bff/src/main/resources/application.yaml
+++ b/backoffice-bff/src/main/resources/application.yaml
@@ -18,7 +18,7 @@ spring:
 api-client:
 provider: keycloak
 client-id: backoffice-bff
-client-secret: TVacLC0cQ8tiiEKiTVerTb2YvwQ1TRJF
+client-secret: TVacLC0cQ8tiiEKiTVerTb2YvwQ1TRJF #gitleaks:allow
 scope: openid, profile, email, roles
 management:
 tracing:
diff --git a/customer/src/it/resources/application.properties b/customer/src/it/resources/application.properties
index d726123027..b93288232d 100644
--- a/customer/src/it/resources/application.properties
+++ b/customer/src/it/resources/application.properties
@@ -11,7 +11,7 @@ spring.profiles.active=test
 keycloak.auth-server-url=http://identity
 keycloak.realm=Yas
 keycloak.resource=customer-management
-keycloak.credentials.secret=NKAr3rnjwm9jlakgKpelukZGFaHYqIWE
+keycloak.credentials.secret=NKAr3rnjwm9jlakgKpelukZGFaHYqIWE #gitleaks:allow
 spring.security.oauth2.resourceserver.jwt.issuer-uri=test
 springdoc.oauthflow.authorization-url=test
diff --git a/customer/src/main/resources/application.properties b/customer/src/main/resources/application.properties
index 156f5e05eb..e8041e9a2f 100644
--- a/customer/src/main/resources/application.properties
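Review bot: The fingerprint `payment/src/main/resources/db/changelog/data/changelog-0001-provider.sql:generic-api-key:5` appears three times; one entry is enough, and the duplicates suggest the list was pasted from the scan output without reviewing each hit. These `file:rule:line` fingerprints are brittle: editing `k8s/deploy/README.md` above line 80 silently invalidates the entries, and a different finding that later lands on line 80, 97 or 99 is silently suppressed, so this file needs re-checking whenever those files change. They also mute findings in deployable config (`k8s/charts/yas-configuration/values.yaml`, `k8s/deploy/cluster-config.yaml`) and a Liquibase seed changelog without recording why; if those are real credentials they should be rotated and templated rather than ignored, and if they are placeholders, say so next to each entry (gitleaks skips lines starting with `#` in this file as far as I recall — confirm for v8.18.4).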
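Review bot: Appending `#gitleaks:allow` to `client-secret` silences the scanner but leaves what looks like a live Keycloak client secret for `backoffice-bff` committed in the file and in git history, and the nightly job will never flag it again. Unless this is a throwaway value for a checked-in dev realm, replace it with a placeholder such as `client-secret: ${BACKOFFICE_BFF_CLIENT_SECRET}` supplied from the environment or a Kubernetes secret, and rotate the client secret in Keycloak. If it is intentionally a dev-realm value, justify it on the line so the allow is auditable, e.g. `client-secret: TVacLC0cQ8tiiEKiTVerTb2YvwQ1TRJF # dev realm only, gitleaks:allow` (gitleaks only needs the `gitleaks:allow` token somewhere on the matching line, as far as I know). The `spring:` block this sits in starts above the hunk.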
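Review bot: In a `.properties` file `#` starts a comment only as the first non-blank character of a line, so after this change Spring reads `keycloak.credentials.secret` as the literal `NKAr3rnjwm9jlakgKpelukZGFaHYqIWE #gitleaks:allow` — the marker becomes part of the value, unlike in the YAML files of this commit where ` #` begins a comment. If the integration tests authenticate against Keycloak with this value they will now fail; if they do not, the entry is unused config either way. Gitleaks honours the marker only on the matching line, so for `.properties` the suppression belongs in `.gitleaksignore`, or better, replace the literal with `keycloak.credentials.secret=${KEYCLOAK_CLIENT_SECRET:test-secret}` so nothing secret-shaped is committed (an obviously fake default should not trip the generic-api-key rule).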
+++ b/customer/src/main/resources/application.properties
@@ -31,7 +31,7 @@ spring.liquibase.enabled=true
 keycloak.auth-server-url=http://identity
 keycloak.realm=Yas
 keycloak.resource=customer-management
-keycloak.credentials.secret=NKAr3rnjwm9jlakgKpelukZGFaHYqIWE
+keycloak.credentials.secret=NKAr3rnjwm9jlakgKpelukZGFaHYqIWE #gitleaks:allow
 # swagger-ui custom path
 springdoc.swagger-ui.path=/swagger-ui
diff --git a/gitleaks.toml b/gitleaks.toml
new file mode 100644
index 0000000000..c40fa0cc58
--- /dev/null
+++ b/gitleaks.toml
@@ -0,0 +1,24 @@
+# Title for the gitleaks configuration file.
+title = "Gitleaks title"
+
+# Extend the base (this) configuration. When you extend a configuration
+# the base rules take precedence over the extended rules. I.e., if there are
+# duplicate rules in both the base configuration and the extended configuration
+# the base rules will override the extended rules.
+# Another thing to know with extending configurations is you can chain together
+# multiple configuration files to a depth of 2. Allowlist arrays are appended
+# and can contain duplicates.
+# useDefault and path can NOT be used at the same time. Choose one.
+[extend]
+# useDefault will extend the base configuration with the default gitleaks config:
+# https://github.com/zricethezav/gitleaks/blob/master/config/gitleaks.toml
+useDefault = true
+
+[allowlist]
+description = "global allow list"
+paths = [
+ '''test-realm.json''',
+ '''realm-export''',
+ '''keycloak-yas-realm-import.yaml''',
+ '''target'''
+]
\ No newline at end of file
diff --git a/storefront-bff/src/main/resources/application.yaml b/storefront-bff/src/main/resources/application.yaml
index c54176b177..19c2f85fde 100644
--- a/storefront-bff/src/main/resources/application.yaml
+++ b/storefront-bff/src/main/resources/application.yaml
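Review bot: This line changes the service's runtime credential: `.properties` has no trailing comments (`#` is a comment only at line start), so `keycloak.credentials.secret` now resolves to `NKAr3rnjwm9jlakgKpelukZGFaHYqIWE #gitleaks:allow` and client authentication to Keycloak for `customer-management` will fail wherever this file is the active config. The same marker is harmless in the YAML files of this commit, which is presumably where the pattern came from. Restore the bare value and suppress via a `.gitleaksignore` fingerprint, or — preferably for main-profile config — use `keycloak.credentials.secret=${KEYCLOAK_CLIENT_SECRET}` with the value injected at deploy time, and rotate the committed secret since it is already in history. Note the identical value is used in `src/it/resources`, so the test and runtime configs currently share one credential.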
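Review bot: The `paths` entries are unanchored Go regexes matched against the relative file path, so `'''target'''` excludes any path containing the substring `target` (a `targets.yaml` under k8s/, for instance), `'''realm-export'''` any path containing that text, and the unescaped `.` in `test-realm.json` matches any character. Anchor them to the intended file or directory so the global allowlist cannot silently widen as files are added; a rewrite is sketched below. Allowlisting whole realm export files also means any real client secret inside them is never scanned, which is only acceptable if those realms are dev-only — worth a comment on the entries. `title = "Gitleaks title"` is the sample placeholder and could name the project, e.g. `title = "yas gitleaks config"`.
```toml
# … unchanged: title and [extend] section …
[allowlist]
description = "global allow list"
# Entries are regexes matched against the relative path; anchor them so that
# "target" only excludes Maven build directories, not any path that happens
# to contain the word.
paths = [
    '''(^|/)test-realm\.json$''',
    '''(^|/)realm-export''',   # TODO(review): directory or file prefix? anchor once confirmed
    '''(^|/)keycloak-yas-realm-import\.yaml$''',
    '''(^|/)target/''',
]
```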
@@ -18,7 +18,7 @@ spring:
 keycloak:
 provider: keycloak
 client-id: storefront-bff
-client-secret: ZrU9I0q2uXBglBnmvyJdkl1lf0ncr8tn
+client-secret: ZrU9I0q2uXBglBnmvyJdkl1lf0ncr8tn #gitleaks:allow
 scope: openid, profile, email, roles
 management:
 metrics:
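Review bot: Like the backoffice-bff change, `#gitleaks:allow` here hides a committed Keycloak client secret for `storefront-bff` instead of removing it; the value remains in the file and in history and the nightly scan will not report it again. Prefer `client-secret: ${STOREFRONT_BFF_CLIENT_SECRET}` with the value injected at deploy time, and rotate the secret in Keycloak; if it is a dev-only realm value, say so in the trailing comment (`# dev realm only, gitleaks:allow`) so the suppression is justified rather than bare. The enclosing `spring:` block starts above the hunk.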