From 89d2d0f53f2ae7c25a35583383fab00e9ce360d0 Mon Sep 17 00:00:00 2001
From: Rico Huijbers
Date: Tue, 31 Jul 2018 18:00:04 +0200
Subject: [PATCH] Add git-secrets check to build

git-secrets is a local tool that every developer has to set up on their own working copy. Add it to the guide so new contributors don't forget. Initializes a new git repo if the current directory is not a git repo. Fixes #271.
---
 .gitignore | 1 +
 CONTRIBUTING.md | 3 +++
 build.sh | 2 ++
 git-secrets-scan.sh | 30 ++++++++++++++++++++++++++++++
 4 files changed, 36 insertions(+)
 create mode 100755 git-secrets-scan.sh

diff --git a/.gitignore b/.gitignore
index 1fbe3c6115686..7b89f50668180 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,6 +6,7 @@ dist
 pack
 .BUILD_COMPLETED
 .local-npm
+.tools
 coverage
 .nyc_output
 .LAST_BUILD
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index ab1843945d35d..dd0d8f2a70e59 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -74,6 +74,9 @@ docker run --net=host -it -v $PWD:$PWD -w $PWD ${IMAGE}
 This will get you into an interactive docker shell. You can then run `./install.sh` and `./build.sh` as described below.
 
+Also install the [git-secrets](https://github.com/awslabs/git-secrets) tool
+and activate it on your working copy of the `aws-cdk` repository.
+
 ### Bootstrapping
 
 1. Clone this repository (or run `git clean -fdx` to clean up all build artifacts).
diff --git a/build.sh b/build.sh
index 1441b741334c0..7eda08d2cc984 100755
--- a/build.sh
+++ b/build.sh
@@ -5,6 +5,8 @@ if [ ! -d node_modules ]; then
     /bin/bash ./install.sh
 fi
 
+/bin/bash ./git-secrets-scan.sh
+
 BUILD_INDICATOR=".BUILD_COMPLETED"
 
 rm -rf $BUILD_INDICATOR
diff --git a/git-secrets-scan.sh b/git-secrets-scan.sh
new file mode 100755
index 0000000000000..ed11ef5f4d890
--- /dev/null
+++ b/git-secrets-scan.sh
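Review bot: Whether the added `/bin/bash ./git-secrets-scan.sh` line actually gates the build on a finding depends on build.sh running under `set -e`, and the script's preamble is outside this hunk so that cannot be confirmed here. If it does not, a non-zero exit from the scan is discarded and the build continues as if the scan passed. Making the gate explicit, `/bin/bash ./git-secrets-scan.sh || exit 1`, removes the dependence on shell options and documents the intent in place.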
@@ -0,0 +1,30 @@
+#!/bin/bash
+set -euo pipefail
+
+mkdir -p .tools
+[[ ! -d .tools/git-secrets ]] && {
+    echo "============================================================================================="
+    echo "Downloading git-secrets..."
+    (cd .tools && git clone --depth 1 https://github.com/awslabs/git-secrets.git)
+}
+
+# As the name implies, git-secrets heavily depends on git:
+#
+# a) the config is stored and fetched using 'git config'.
+# b) the search is performed using 'git grep' (other search methods don't work
+# properly, see https://github.com/awslabs/git-secrets/issues/66)
+#
+# When we run in a CodeBuild build, we don't have a git repo, unfortunately. So
+# when that's the case, 'git init' one on the spot, add all files to it (which
+# because of the .gitignore will exclude dependencies and generated files) and
+# then call 'git-secrets' as usual.
+git rev-parse --git-dir > /dev/null 2>&1 || {
+    git init --quiet
+    git add -A .
+
+    # AWS config needs to be added to this fresh repository's config
+    .tools/git-secrets/git-secrets --register-aws
+}
+
+.tools/git-secrets/git-secrets --scan
+echo "git-secrets scan ok"
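Review bot: The clone at `git clone --depth 1 https://github.com/awslabs/git-secrets.git` fetches whatever the remote's default branch points to at build time, so the scanner every CodeBuild run executes is an unpinned dependency and a new upstream commit changes the build without any change in this repository. Pin it and verify what was fetched, e.g. `(cd .tools && git clone --depth 1 --branch "<PINNED_TAG>" https://github.com/awslabs/git-secrets.git)` followed by `[[ "$(git -C .tools/git-secrets rev-parse HEAD)" == "<EXPECTED_COMMIT_SHA>" ]] || exit 1`, with both values committed alongside this script. A second gap: `--register-aws` runs only in the fresh-repo branch, so in an existing checkout the scan is only as strong as whatever patterns the developer registered locally; checking that `git config --get-all secrets.patterns` is non-empty before `--scan` and failing otherwise would make that explicit. Also, `[[ ! -d .tools/git-secrets ]]` skips the download whenever the directory exists, including after an interrupted clone or a changed pin, so testing for the executable or the expected commit is a more reliable guard.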