From 32916ea81c300b50ebde2458e25d6cfa33ae76fb Mon Sep 17 00:00:00 2001 From: Gian Miguel Del Mundo Date: Wed, 12 Jul 2023 16:29:33 +0800 Subject: [PATCH] Added pre-commit and trivy scan configs --- .github/workflows/build-and-test.yaml | 1 - .gitignore | 1 + .pre-commit-config.yaml | 15 +++ trivy-secret.yaml | 182 ++++++++++++++++++++++++++ 4 files changed, 198 insertions(+), 1 deletion(-) create mode 100644 .pre-commit-config.yaml create mode 100644 trivy-secret.yaml diff --git a/.github/workflows/build-and-test.yaml b/.github/workflows/build-and-test.yaml index 2cc6134..7d13279 100644 --- a/.github/workflows/build-and-test.yaml +++ b/.github/workflows/build-and-test.yaml @@ -1,5 +1,4 @@ name: Build and Test - on: [pull_request, push, workflow_dispatch] jobs: diff --git a/.gitignore b/.gitignore index dfec95d..9a7f18a 100644 --- a/.gitignore +++ b/.gitignore @@ -8,3 +8,4 @@ dependencies/ build/** .DS_Store */node_modules/* +.pre-commit-trivy-cache/ diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..d4f6652 --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,15 @@ +repos: + - repo: https://github.com/mxab/pre-commit-trivy.git + rev: v0.5.1 + hooks: + - id: trivyfs-docker + args: + - --scanners + - secret + - --secret-config + - /src/trivy-secret.yaml + - --skip-dirs + - /src/target + - --skip-dirs + - /src/.idea + - . diff --git a/trivy-secret.yaml b/trivy-secret.yaml new file mode 100644 index 0000000..b9122e1 --- /dev/null +++ b/trivy-secret.yaml 
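Review bot: `rev: v0.5.1` in the new `.pre-commit-config.yaml` pins the hook repository to a movable tag, not an immutable commit, so the Docker-based `trivyfs-docker` hook (and whatever Trivy image it pulls) can change underneath this file without any diff here; pin `rev:` to the full commit SHA that v0.5.1 resolves to and let `pre-commit autoupdate` bump it deliberately. As far as this diff shows, the scan also runs only on developer machines that have run `pre-commit install`; the workflow touched in the same commit gains no pre-commit or Trivy step, so a commit made with `--no-verify` or from a clone without hooks is never scanned. Consider adding a CI job that runs `pre-commit run --all-files` (or an equivalent Trivy secret scan) so the check is enforced server-side. A short comment above the hook, e.g. `# Paths are inside the hook's container, where the repo is mounted at /src`, would explain why `--secret-config` and `--skip-dirs` use `/src/...` rather than repo-relative paths.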
@@ -0,0 +1,182 @@ +rules: + ################## + # UID2 Admin Key # + ################## + - id: uid2-admin-key-test + category: uid2 + title: UID2 - Admin Key - Test + severity: CRITICAL + keywords: + - UID2-A-T + regex: (?PUID2-A-T-.{6}\..{38}) + secret-group-name: secret + - id: uid2-admin-key-integ + category: uid2 + title: UID2 - Admin Key - Integ + severity: CRITICAL + keywords: + - UID2-A-I + regex: (?PUID2-A-I-.{6}\..{38}) + secret-group-name: secret + - id: uid2-admin-key-prod + category: uid2 + title: UID2 - Admin Key - Prod + severity: CRITICAL + keywords: + - UID2-A-P + regex: (?PUID2-A-P-.{6}\..{38}) + secret-group-name: secret + + ################### + # UID2 Client Key # + ################### + - id: uid2-client-key-test + category: uid2 + title: UID2 - Client Key - Test + severity: CRITICAL + keywords: + - UID2-C-T + regex: (?PUID2-C-T-.{6}\..{38}) + secret-group-name: secret + - id: uid2-client-key-integ + category: uid2 + title: UID2 - Client Key - Integ + severity: CRITICAL + keywords: + - UID2-C-I + regex: (?PUID2-C-I-.{6}\..{38}) + secret-group-name: secret + - id: uid2-client-key-prod + category: uid2 + title: UID2 - Client Key - Prod + severity: CRITICAL + keywords: + - UID2-C-P + regex: (?PUID2-C-P-.{6}\..{38}) + secret-group-name: secret + + ##################### + # UID2 Operator Key # + ##################### + - id: uid2-operator-key-test + category: uid2 + title: UID2 - Operator Key - Test + severity: CRITICAL + keywords: + - UID2-O-T + regex: (?PUID2-O-T-.{6}\..{38}) + secret-group-name: secret + - id: uid2-operator-key-integ + category: uid2 + title: UID2 - Operator Key - Integ + severity: CRITICAL + keywords: + - UID2-O-I + regex: (?PUID2-O-I-.{6}\..{38}) + secret-group-name: secret + - id: uid2-operator-key-prod + category: uid2 + title: UID2 - Operator Key - Prod + severity: CRITICAL + keywords: + - UID2-O-P + regex: (?PUID2-O-P-.{6}\..{38}) + secret-group-name: secret + + ################## + # EUID Admin Key # + ################## 
+ - id: euid-admin-key-test + category: euid + title: EUID - Admin Key - Test + severity: CRITICAL + keywords: + - EUID-A-T + regex: (?PEUID-A-T-.{6}\..{38}) + secret-group-name: secret + - id: euid-admin-key-integ + category: euid + title: EUID - Admin Key - Integ + severity: CRITICAL + keywords: + - EUID-A-I + regex: (?PEUID-A-I-.{6}\..{38}) + secret-group-name: secret + - id: euid-admin-key-prod + category: euid + title: EUID - Admin Key - Prod + severity: CRITICAL + keywords: + - EUID-A-P + regex: (?PEUID-A-P-.{6}\..{38}) + secret-group-name: secret + + ################### + # EUID Client Key # + ################### + - id: euid-client-key-test + category: euid + title: EUID - Client Key - Test + severity: CRITICAL + keywords: + - EUID-C-T + regex: (?PEUID-C-T-.{6}\..{38}) + secret-group-name: secret + - id: euid-client-key-integ + category: euid + title: EUID - Client Key - Integ + severity: CRITICAL + keywords: + - EUID-C-I + regex: (?PEUID-C-I-.{6}\..{38}) + secret-group-name: secret + - id: euid-client-key-prod + category: euid + title: EUID - Client Key - Prod + severity: CRITICAL + keywords: + - EUID-C-P + regex: (?PEUID-C-P-.{6}\..{38}) + secret-group-name: secret + + ##################### + # EUID Operator Key # + ##################### + - id: euid-operator-key-test + category: euid + title: EUID - Operator Key - Test + severity: CRITICAL + keywords: + - EUID-O-T + regex: (?PEUID-O-T-.{6}\..{38}) + secret-group-name: secret + - id: euid-operator-key-integ + category: euid + title: EUID - Operator Key - Integ + severity: CRITICAL + keywords: + - EUID-O-I + regex: (?PEUID-O-I-.{6}\..{38}) + secret-group-name: secret + - id: euid-operator-key-prod + category: euid + title: EUID - Operator Key - Prod + severity: CRITICAL + keywords: + - EUID-O-P + regex: (?PEUID-O-P-.{6}\..{38}) + secret-group-name: secret + +disable-allow-rules: + - tests + - examples + - vendor + - usr-dirs + - locale-dir + - markdown + - node.js + - golang + - python + - rubygems + - 
wordpress + - anaconda-log \ No newline at end of file
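Review bot: Every rule's regex uses an unrestricted `.` for the 6- and 38-character key body, e.g. `(?PUID2-A-T-.{6}\..{38})`, so a match can run past the key into a closing quote, comma or following token and will also accept whitespace inside the key; if the key alphabet is known (it looks base64-like, but confirm against the key generator), replace `.` with that character class and end the pattern with `\b` so the reported `secret` group is exactly the key. The named group also appears here as `(?P...)` with no group name — if that is how the file is committed rather than a rendering artifact, Trivy cannot resolve `secret-group-name: secret` and the rules will fail to load, so verify the file against a local `trivy fs --scanners secret --secret-config trivy-secret.yaml .` run. The 18 rules differ only in the `UID2`/`EUID`, `A`/`C`/`O` and `T`/`I`/`P` letters; a one-line comment at the top such as `# One rule per (product, key type, environment) so findings carry a distinct id/title for triage` would record why they are not collapsed into a single `(UID2|EUID)-[ACO]-[TIP]-` pattern. The trailing `anaconda-log` entry lacks a newline at end of file.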