feat: add detect_secrets_(git|dir) jobs

.circleci/test-deploy.yml

@@ -36,6 +36,27 @@ workflows:
               echo "Scan found dependencies with high vulnerability level"
             fi
           filters: *filters
+      - security/detect_secrets_dir:
+          name: detect_secrets_dir
+          filters: *filters
+      - security/detect_secrets_git:
+          name: detect_secrets_git_base_revision
+          base_revision: <<pipeline.git.base_revision>>
+          filters: *filters
+      - security/detect_secrets_git:
+          name: detect_secrets_git_same_revision
+          base_branch: <<pipeline.git.branch>>
+          base_revision: <<pipeline.git.revision>>
+          filters: *filters
+      - security/detect_secrets_git:
+          name: detect_secrets_git_invalid_revision
+          base_branch: <<pipeline.git.branch>>
+          base_revision: ec9bf83ad5045208d15f2ec2c0ce4fba8cd7118f
+          filters: *filters
+      - security/detect_secrets_git:
+          name: detect_secrets_git_no_revision
+          base_branch: <<pipeline.git.branch>>
+          filters: *filters
       - orb-tools/pack:
           filters: *release-filters
       - orb-tools/publish:
@@ -47,5 +68,7 @@ workflows:
             - scan_dependencies_npm
             - scan_dependencies_pnpm
             - scan_dependencies_command
+            - detect_secrets_dir
+            - detect_secrets_git_base_revision
           context: orb-publishing
           filters: *release-filters

src/examples/git_detect_leaks.yml

@@ -0,0 +1,16 @@
+description: |
+  The "detect_secrets_git" job checks for secrets leak inside a Git repository.
+  When a current branch is not a base branch it scans all commits inside the current branch.
+  If the current branch and base branch are the same it scans commits from base revision
+  up to last commit in a build.
+  The base revision should be provided for the most accurate results, while the base branch
+  can be overridden if necessary.
+usage:
+  version: 2.1
+  orbs:
+    security: studion/security@x.y.z
+  workflows:
+    detect_app_leaks:
+      jobs:
+        - security/detect_secrets_git:
+            base_revision: <<pipeline.git.base_revision>>

src/executors/gitleaks.yml

@@ -0,0 +1,19 @@
+description: >
+  A Docker executor using default Gitleaks image based on Alpine Linux.
+
+parameters:
+  tag:
+    type: string
+    default: latest
+    description: >
+      Choose a specific zricethezav/gitleaks image tag:
+      https://hub.docker.com/r/zricethezav/gitleaks/tags
+  resource_class:
+    type: enum
+    enum: ['small', 'medium', 'medium+', 'large', 'xlarge', '2xlarge', '2xlarge+']
+    default: 'large'
+    description: Choose the executor resource class
+
+docker:
+  - image: zricethezav/gitleaks:<<parameters.tag>>
+resource_class: <<parameters.resource_class>>

src/jobs/detect_secrets_dir.yml

@@ -0,0 +1,35 @@
+description: >
+  Detect secrets leak inside a project at the directory level. Uses "gitleaks detect" command
+  to do the scan, for details how it works see https://github.com/gitleaks/gitleaks#usage.
+
+executor: gitleaks
+
+parameters:
+  path:
+    type: string
+    default: '.'
+    description: Path to the directory to scan.
+  config:
+    type: string
+    default: ''
+    description: >
+      Path to the Gitleaks config file. By default tries to load <<paramets.path>>/.gitleaks.toml.
+  baseline:
+    type: string
+    default: ''
+    description: Path to the baseline report, i.e. issues that can be ignorred.
+
+steps:
+  - checkout
+  - run:
+      name: Export Gitleaks arguments
+      environment:
+        CONFIG_FILE: <<parameters.config>>
+        BASELINE_REPORT: <<parameters.baseline>>
+      command: <<include(scripts/export-gitleaks-args.sh)>>
+  - run:
+      name: Detect secrets inside directory
+      working_directory: <<parameters.path>>
+      environment:
+        DIR_PATH: <<parameters.path>>
+      command: <<include(scripts/detect-secrets-dir.sh)>>

src/jobs/detect_secrets_git.yml

@@ -0,0 +1,48 @@
+description: >
+  Detect secrets leak inside a project at the repository level. Uses "gitleaks detect" command
+  to do the scan, for details how it works see https://github.com/gitleaks/gitleaks#usage.
+
+executor: gitleaks
+
+parameters:
+  path:
+    type: string
+    default: '.'
+    description: Path to the root of the Git repository to scan.
+  config:
+    type: string
+    default: ''
+    description: >
+      Path to the Gitleaks config file. By default tries to load <<paramets.path>>/.gitleaks.toml.
+  baseline:
+    type: string
+    default: ''
+    description: Path to the baseline report, i.e. issues that can be ignorred.
+  base_branch:
+    type: string
+    default: ''
+    description: >
+      The name of the base branch for for this scan. Usually some long-lived branch, e.g. default branch.
+  base_revision:
+    type: string
+    default: ''
+    description: >
+      The hash of the last scanned commit from the prior build. Usually just pass CircleCI's
+      <<pipeline.git.base_revision>> pipeline parameter.
+
+steps:
+  - checkout
+  - run:
+      name: Export Gitleaks arguments
+      environment:
+        CONFIG_FILE: <<parameters.config>>
+        BASELINE_REPORT: <<parameters.baseline>>
+      command: <<include(scripts/export-gitleaks-args.sh)>>
+  - run:
+      name: Detect secrets inside Git repository
+      working_directory: <<parameters.path>>
+      environment:
+        REPO_PATH: <<parameters.path>>
+        BASE_BRANCH_OVERRIDE: <<parameters.base_branch>>
+        BASE_REVISION: <<parameters.base_revision>>
+      command: <<include(scripts/detect-secrets-git.sh)>>

src/scripts/detect-secrets-dir.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+echo "Starting the directory scan at path '$DIR_PATH'"
+echo "Using exported gitleaks args '$GITLEAKS_ARGS'"
+eval gitleaks "$GITLEAKS_ARGS" --no-git

src/scripts/detect-secrets-git.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+
+BASE_BRANCH=$(git rev-parse --abbrev-ref origin/HEAD | cut -c8-)
+CURRENT_BRANCH=$(git rev-parse --abbrev-ref HEAD)
+
+if [[ -n $BASE_BRANCH_OVERRIDE ]]; then
+  BASE_BRANCH=$BASE_BRANCH_OVERRIDE
+fi
+
+if [[ -n $CIRCLE_BRANCH ]]; then
+  CURRENT_BRANCH=$CIRCLE_BRANCH
+fi
+
+echo "Starting the directory scan at path '$REPO_PATH'"
+echo "Using exported gitleaks args '$GITLEAKS_ARGS'"
+echo "Using '$BASE_BRANCH' as the base branch"
+echo "Using '$CURRENT_BRANCH' as the current branch"
+
+if [[ "$BASE_BRANCH" = "$CURRENT_BRANCH" ]]; then
+  # Usually when changes are merged back into a long-lived branch, e.g. trunk
+  echo "The base branch is the current branch"
+  LOG_OPTS="$BASE_REVISION^..$CIRCLE_SHA1"
+
+  if [[ -z "$BASE_REVISION" ]] || ! git cat-file -e "$BASE_REVISION"; then
+    echo "The base revision is empty or invalid"
+    echo "Using HEAD~1 as the base revision"
+    LOG_OPTS="HEAD~1^..$CIRCLE_SHA1"
+  elif [[ "$BASE_REVISION" == "$CIRCLE_SHA1" ]]; then
+    echo "The base revision is the current revision"
+    echo "Scanning only last commit"
+    LOG_OPTS=-1
+  fi
+
+  eval gitleaks "$GITLEAKS_ARGS" --log-opts="$LOG_OPTS"
+else
+  # Usually a short lived branch, that is a pull request
+  echo "The base branch is not the current branch"
+  echo "Scanning all the commits in the current branch '$CURRENT_BRANCH'"
+  eval gitleaks "$GITLEAKS_ARGS" --log-opts="$BASE_BRANCH..$CURRENT_BRANCH"
+fi
+
+
+

src/scripts/export-gitleaks-args.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+REPORT="--report-format=sarif --report-path=/tmp/gitleaks-report.sarif"
+ARGS="detect --source . --log-level=debug --verbose --redact $REPORT --exit-code=2"
+
+if [[ -n "$CONFIG_FILE" ]]; then
+  ARGS="$ARGS --config=$CONFIG_FILE"
+fi
+
+if [[ -n "$BASELINE_REPORT" ]]; then
+  ARGS="$ARGS --baseline-path=$BASELINE_REPORT"
+fi
+
+echo "export GITLEAKS_ARGS='$ARGS'" >> "$BASH_ENV"