fix(security): replace custom secret detection with gitleaks

The hand-rolled check_secrets regex patterns produced false positives
on configKey test values, causing make security-full to fail.

Replace with gitleaks via go run for proper secret detection with
built-in rules and allowlist support for generated report files.
2026-02-01 11:19:40 +02:00
parent 1bd6f6318a
commit 9b0e4e0810
3 changed files with 42 additions and 39 deletions

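--- a/.gitignore
+++ b/.gitignore
@@ -14,6 +14,8 @@ output.txt
 output.yaml
 gosec-report.json
 govulncheck-report.json
+gitleaks-report.json
+security-report.json
 security-report.md
 gosec*.log
 pr.txt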

.gitleaks.toml Normal file

@@ -0,0 +1,15 @@
# gitleaks configuration
# https://github.com/gitleaks/gitleaks
#
# Extends the built-in ruleset. Only allowlist overrides are defined here.
[allowlist]
description = "Global allowlist for generated and report files"
paths = [
'''gosec-report\.json$''',
'''govulncheck-report\.json$''',
'''security-report\.json$''',
'''security-report\.md$''',
'''output\.json$''',
'''gibidify\.json$''',
]
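Review bot: The header comment says this file "extends the built-in ruleset", but no `[extend]` table follows, and as far as I know gitleaks only loads its default rules from a user-supplied `--config` when that file contains `[extend]` with `useDefault = true`; with only an `[allowlist]` table the scan runs with no rules at all, so check_secrets in the shell script (the other hunk with this defect) would always report "No secrets detected". Add the two lines `[extend]` and `useDefault = true` above `[allowlist]` so the allowlist narrows the default rules rather than replacing them, and confirm against the installed gitleaks version that a config with an empty rule set is not what is being run. The `paths` patterns are anchored only at the end, so `output\.json$` and `gibidify\.json$` also exclude any file in any subdirectory whose name ends that way; if that is broader than intended, anchor them with `^` or a directory prefix.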


@@ -63,44 +63,25 @@ run_security_lint() {
fi fi
} }
# Check for potential secrets # Check for potential secrets using gitleaks
check_secrets() { check_secrets() {
print_status "Scanning for potential secrets and sensitive data..." print_status "Scanning for potential secrets and sensitive data with gitleaks..."
local secrets_found=false local gitleaks_report="gitleaks-report.json"
if go run github.com/zricethezav/gitleaks/v8@latest dir \
# Common secret patterns --config .gitleaks.toml \
local patterns=( --report-format json \
"password\s*[:=]\s*['\"][^'\"]{3,}['\"]" --report-path "$gitleaks_report" \
"secret\s*[:=]\s*['\"][^'\"]{3,}['\"]" --no-banner \
"key\s*[:=]\s*['\"][^'\"]{8,}['\"]" .; then
"token\s*[:=]\s*['\"][^'\"]{8,}['\"]" print_success "No secrets detected by gitleaks"
"api_?key\s*[:=]\s*['\"][^'\"]{8,}['\"]" rm -f "$gitleaks_report"
"aws_?access_?key"
"aws_?secret"
"AKIA[0-9A-Z]{16}" # AWS Access Key pattern
"github_?token"
"private_?key"
)
for pattern in "${patterns[@]}"; do
if grep -r -i -E "$pattern" --include="*.go" . 2>/dev/null; then
print_warning "Potential secret pattern found: $pattern"
secrets_found=true
fi
done
# Check git history for secrets (last 10 commits)
if git log --oneline -10 | grep -i -E "(password|secret|key|token)" >/dev/null 2>&1; then
print_warning "Potential secrets mentioned in recent commit messages"
secrets_found=true
fi
if [[ "$secrets_found" = true ]]; then
print_warning "Potential secrets detected. Please review manually."
return 1
else else
print_success "No obvious secrets detected" print_error "Secrets detected by gitleaks!"
if [[ -f "$gitleaks_report" ]]; then
echo "Detailed report saved to $gitleaks_report"
fi
return 1
fi fi
} }
@@ -235,12 +216,15 @@ check_yaml_files() {
print_status "Checking YAML files..." print_status "Checking YAML files..."
if find . -name "*.yml" -o -name "*.yaml" -type f | head -1 | grep -q .; then if find . -name "*.yml" -o -name "*.yaml" -type f | head -1 | grep -q .; then
if yamllint -c .yamllint .; then if command -v yamllint >/dev/null 2>&1; then
print_success "YAML files check passed" if ! yamllint -c .yamllint .; then
else
print_error "YAML file issues detected!" print_error "YAML file issues detected!"
return 1 return 1
fi fi
print_success "YAML files check passed"
else
print_warning "yamllint not found, skipping YAML file check"
fi
else else
print_status "No YAML files found, skipping yamllint check" print_status "No YAML files found, skipping yamllint check"
fi fi
@@ -268,7 +252,7 @@ generate_report() {
- checkmake (Makefile linting) - checkmake (Makefile linting)
- shfmt (Shell script formatting) - shfmt (Shell script formatting)
- yamllint (YAML file validation) - yamllint (YAML file validation)
- Custom secret detection - gitleaks (Secret detection)
- Custom network address detection - Custom network address detection
- Docker security checks - Docker security checks
- File permission checks - File permission checks
@@ -276,6 +260,7 @@ generate_report() {
### Files Generated ### Files Generated
- \`gosec-report.json\` - Detailed gosec security findings - \`gosec-report.json\` - Detailed gosec security findings
- \`govulncheck-report.json\` - Dependency vulnerability report - \`govulncheck-report.json\` - Dependency vulnerability report
- \`gitleaks-report.json\` - Secret detection findings (if any)
### Recommendations ### Recommendations
1. Review all security findings in the generated reports 1. Review all security findings in the generated reports
@@ -350,6 +335,7 @@ main() {
print_status "Generated reports:" print_status "Generated reports:"
print_status "- gosec-report.json (if exists)" print_status "- gosec-report.json (if exists)"
print_status "- govulncheck-report.json (if exists)" print_status "- govulncheck-report.json (if exists)"
print_status "- gitleaks-report.json (if exists)"
print_status "- security-report.md" print_status "- security-report.md"
fi fi
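Review bot: In the check_secrets hunk the scanner is fetched with `go run github.com/zricethezav/gitleaks/v8@latest`, so a security gate resolves an unpinned module from the network on every run; pin it to a reviewed release tag (placeholder `@vX.Y.Z`, one whose `dir` subcommand exists) so the result is reproducible and an upstream release cannot silently change what this check does. The `if go run …; then … else print_error "Secrets detected by gitleaks!"` shape also reports any non-zero status — a failed module download, a build error, or an unreadable config — as a secret finding, which hides tool failures behind a false positive; gitleaks' `--exit-code` flag lets the leak status be told apart from a tool failure. Since gitleaks' stdout and the JSON report carry the matched values, `--redact` keeps the secret itself out of CI logs; the report is already gitignored by this commit, so only the console output is the concern. The later hunks (yaml check, report text, main) look fine.

```shell
check_secrets() {
  print_status "Scanning for potential secrets and sensitive data with gitleaks..."
  local gitleaks_report="gitleaks-report.json"
  local rv=0
  # Pinned tag (placeholder) for reproducibility; --exit-code 2 separates
  # "leaks found" from "gitleaks could not run"; --redact keeps matched
  # values out of CI logs.
  go run github.com/zricethezav/gitleaks/v8@vX.Y.Z dir \
    --config .gitleaks.toml \
    --report-format json \
    --report-path "$gitleaks_report" \
    --no-banner \
    --redact \
    --exit-code 2 \
    . || rv=$?
  case "$rv" in
    0)
      print_success "No secrets detected by gitleaks"
      rm -f "$gitleaks_report"
      ;;
    2)
      print_error "Secrets detected by gitleaks!"
      # … unchanged: "Detailed report saved to" message …
      return 1
      ;;
    *)
      print_error "gitleaks failed to run (exit status $rv); treat the scan as inconclusive"
      return 1
      ;;
  esac
}
```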