fix(detect-secrets): improve how secret detection works

[pvinis]

The type of this PR is: TYPE

This PR resolves []

Description

Secret detection has been added, but it had some small issues with certain filepaths and how we handle these.

There's some context info here https://artsy.slack.com/archives/CP9P4KR35/p1643215901266300?thread_ts=1643198172.246900&cid=CP9P4KR35 but the gist of it is:

• eigen has a bunch of lockfiles, image files, and generated files, that we can skip when detecting secrets. i added this filtering.
• eigen has some filepaths with spaces, ', (, ) in them. the original bash script did not handle them, and to account for them we just skipped them. i fixed that by making xargs do better delimiting so the command can run.
• added --verbose so we can see progress and any wrong running of the command.
• we had some excluded lines and secrets that were for the relay generated files. i removed that since we are filtering these files out with --exclude-files.
• removed the python version of detect-secrets and used the brew version. (more info: PLATFORM-3565: add detect-secrets formula homebrew-formulas#13)
• added some basic troubleshooting docs for secrets.

so the idea is:

• we run the generate script at the start. that is done already. (we might need to run it again in the future, but it should be fine for a while, if we dont change many things).
• we run the check scripts on precommit hook and on ci, to make sure we dont commit secrets.

todo:

• make sure CI works.

PR Checklist (tick all before merging)

• I have included screenshots or videos to illustrate my changes, or I have not changed anything that impacts the UI.
• I have tested my changes on iOS and Android.
• I have added tests/stories for my changes, or my changes don't require testing/stories, or I have included a link to a separate Jira ticket covering the tests.
• I have added a feature flag, or my changes don't require a feature flag. (How do I add one?)
• I have documented any follow-up work that this PR will require, or it does not require any.
• I have added an app state migration, or my changes do not require one. (What are migrations?)
• I have added a changelog entry below or my changes do not require one.

To the reviewers 👀

• I would like at least one of the reviewers to run this PR on the simulator or device.

Changelog updates

Changelog updates

Cross-platform user-facing changes

iOS user-facing changes

Android user-facing changes

Dev changes

• better secret detection - pavlos

[ArtsyOpenSource]

This PR contains the following changes:

• Dev changes (better secret detection - pavlos)

Generated by 🚫 dangerJS against cbe270d

[ovasdi]

LGTM.

I have not run this PR on the simulator or device. Happy to do tomorrow. I haven't run eigen since summer so I suspect im out of date as far as deps/tooling goes. Is there something specific I should look out for?

[ovasdi]

Nice. I will update the playbook to include this suggestion as well.
One thing I recalled when looking at this, there is an open issue when using the next line variant of the inline allowlist (_pragma: allowlist nextline secret _), it does not work in .env files

[pvinis]

i think we would only need to use the nextline for typescript, since prettier might format things to fit for width. for .env files, i think we are ok with the inline one, and the line can go as long as we want. good to know though.

[ovasdi]

This is really nice. Moving these commands with exclusions into dedicated scripts keeps things clean and contained. 🙌

[ovasdi]

Has eigen had any funkiness in CI with this tool? We had to implement a work around (in some projects) for what seems to be a random mutation of the baseline generated_at field. I have never heard eigen having this issue tho.

[pvinis]

i think we did have this at some point at the beginning, but it was only while people didnt have their stations set up, so the ci would be the first time this would run. we havent had an issue since.

i dont want to complicate things for now, so if we do end up having this again often, ill definitely try to fix it then.

[pvinis]

no need to run eigen for this, especially if you havent touched it in a while. i will show this on next KS and do a demo, but if you wanna try it out, i think the minimum thing is:

• checkout this pr
• make a branch from that
• add a line in a tsx file like const SECRET_KEY = "ghp_wowsecret5347gANkA3ADQTKpkQS544eoyvU"
• maybe another line console.log(SECRET_KEY) so the compiler stops crying
• try to commit. you should get an error about the secret, and you cant commit
• then try to add the pragma line and commit again. that should now commit fine.
• then try to remove the pragma line, commit again. it should fail again.
  that should be all

extra:

• one extra thing could be if we want to commit this without pragma, and in that special case you can run yarn secrets-add-all and it will scan all files and add the new one on the baseline file. verify that happens in your git, and we are good to go, should be able to commit just fine.

[dblandin]

Nice!!

In addition to line comments I have couple higher level questions:

• Do we want to ignore files via --exclude-files for some commands and not others? I'm wondering if we should be consistent with which files we're excluding.
• Is there an opportunity to DRY up some of the scripts? Seems like most common change is what we're piping in (git ls-files vs git diff --staged --name-only) - we might be able to have fewer scripts and inline that input into the package.json commands
• Do we intend to run the "add/generate" commands regularly? If not, would it make sense to document that process / commands rather than defining these package.json commands?

[dblandin]

Looks like these commands might benefit from some namespacing. What do you think of a secrets: command namespace and a ./scripts/secrets/ folder?

"secrets:audit": "detect-secrets audit .secrets.baseline",
"secrets:check:staged": "scripts/secrets/check-staged",
"secrets:check:all": "scripts/secrets/check-all",
"secrets:generate": "scripts/secrets/generate",

[pvinis]

thats a nice idea

[dblandin]

suggestion: I feel like we might as well git remove this file if we're commenting all of the lines. We can always bring the file back if we need to but chances are that we'll stick with the brew-based installation and this file will remain unused and cluttering the root directory.

[pvinis]

i guess i needed just a tiny extra push haha. doing it.

[ovasdi]

@pvinis

➜  eigen git:(verify-secrets-improvement) git diff
modified: src/lib/AndroidApp.tsx
@ src/lib/AndroidApp.tsx:37 @ addTrackingProvider("console", ConsoleTrackingProvider)
if (UIManager.setLayoutAnimationEnabledExperimental) {
  UIManager.setLayoutAnimationEnabledExperimental(true)
}

const SECRET_KEY = "ghp_wowsecret5347gANkA3ADQTKpkQS544eoyvU"
console.log(SECRET_KEY)
const Main: React.FC<{}> = track()(({}) => {
  useEffect(() => {
    GoogleSignin.configure({

➜  eigen git:(verify-secrets-improvement) ✗ git commit -m "add secret"
yarn run v1.22.17
$ /Users/ozzievasdi/code/eigen/node_modules/.bin/lint-staged
✔ Preparing...
✔ Running tasks...
✔ Applying modifications...
✔ Cleaning up...
✨  Done in 10.15s.
yarn run v1.22.17
$ scripts/secrets-check-staged
+ git diff --staged --name-only
+ tr '\n' '\0'
+ xargs -0 detect-secrets-hook --baseline .secrets.baseline --verbose
[scan]	INFO	Checking file: src/lib/AndroidApp.tsx
[scan]	INFO	Skipping secret due to `detect_secrets.filters.heuristic.is_indirect_reference`.
[scan]	INFO	Skipping secret due to `detect_secrets.filters.heuristic.is_indirect_reference`.
[scan]	INFO	Skipping secret due to `detect_secrets.filters.heuristic.is_indirect_reference`.
[scan]	INFO	Skipping secret due to `detect_secrets.filters.heuristic.is_indirect_reference`.
ERROR: Potential secrets about to be committed to git repo!

Secret Type: Base64 High Entropy String
Location:    src/lib/AndroidApp.tsx:37

Secret Type: Secret Keyword
Location:    src/lib/AndroidApp.tsx:37

Possible mitigations:
  - For information about putting your secrets in a safer place, please ask in
    #security
  - Mark false positives with an inline `pragma: allowlist secret`
    comment

If a secret has already been committed, visit
https://help.github.com/articles/removing-sensitive-data-from-a-repository
error Command failed with exit code 1.
info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.
husky - pre-commit hook exited with code 1 (error)

➜  eigen git:(verify-secrets-improvement) ✗ git diff
modified: src/lib/AndroidApp.tsx
@ src/lib/AndroidApp.tsx:37 @ addTrackingProvider("console", ConsoleTrackingProvider)
if (UIManager.setLayoutAnimationEnabledExperimental) {
  UIManager.setLayoutAnimationEnabledExperimental(true)
}

const SECRET_KEY = "ghp_wowsecret5347gANkA3ADQTKpkQS544eoyvU"
const SECRET_KEY = "ghp_wowsecret5347gANkA3ADQTKpkQS544eoyvU" // pragma: allowlist secret
console.log(SECRET_KEY)
const Main: React.FC<{}> = track()(({}) => {
  useEffect(() => {

➜  eigen git:(verify-secrets-improvement) ✗ git commit -m "add secret"
yarn run v1.22.17
$ /Users/ozzievasdi/code/eigen/node_modules/.bin/lint-staged
✔ Preparing...
✔ Hiding unstaged changes to partially staged files...
✔ Running tasks...
✔ Applying modifications...
✔ Restoring unstaged changes to partially staged files...
✔ Cleaning up...
✨  Done in 10.04s.
yarn run v1.22.17
$ scripts/secrets-check-staged
+ git diff --staged --name-only
+ tr '\n' '\0'
+ xargs -0 detect-secrets-hook --baseline .secrets.baseline --verbose
[scan]	INFO	Checking file: src/lib/AndroidApp.tsx
[scan]	INFO	Skipping secret due to `detect_secrets.filters.allowlist.is_line_allowlisted`.
[scan]	INFO	Skipping secret due to `detect_secrets.filters.heuristic.is_indirect_reference`.
[scan]	INFO	Skipping secret due to `detect_secrets.filters.heuristic.is_indirect_reference`.
[scan]	INFO	Skipping secret due to `detect_secrets.filters.heuristic.is_indirect_reference`.
[scan]	INFO	Skipping secret due to `detect_secrets.filters.heuristic.is_indirect_reference`.
✨  Done in 0.94s.
[verify-secrets-improvement e15146ca8] add secret
 1 file changed, 2 insertions(+), 1 deletion(-)

removed inline allowlist

➜  eigen git:(verify-secrets-improvement) yarn secrets-add-all
yarn run v1.22.17
$ scripts/secrets-add-all
+ git ls-files
+ tr '\n' '\0'
+ xargs -0 detect-secrets scan --exclude-files '/.lock$/' --exclude-files '/.png$/' --exclude-files '/.webp$/' --exclude-files '/.jpg$/' --exclude-files '/.jar$/' --exclude-files /__generated__/ --baseline .secrets.baseline
✨  Done in 13.03s.

➜  eigen git:(verify-secrets-improvement) ✗ git diff
modified: .secrets.baseline
@ .secrets.baseline:412 @
        "line_number": 151
      }
    ],
    "src/lib/AndroidApp.tsx": [
      {
        "type": "Base64 High Entropy String",
        "filename": "src/lib/AndroidApp.tsx",
        "hashed_secret": "7d13f5838b78a45234b6e3c3ee7676a6ce6ae875",
        "is_verified": false,
        "line_number": 37
      },
      {
        "type": "Secret Keyword",
        "filename": "src/lib/AndroidApp.tsx",
        "hashed_secret": "7d13f5838b78a45234b6e3c3ee7676a6ce6ae875",
        "is_verified": false,
        "line_number": 37
      }
    ],
    "src/lib/Scenes/Artwork/Components/CommercialInformation.tests.tsx": [
      {
        "type": "Hex High Entropy String",
@ .secrets.baseline:578 @
      }
    ]
  },
  "generated_at": "2022-01-26T19:00:43Z"
  "generated_at": "2022-01-27T14:19:05Z"
}

[ovasdi]

• Do we intend to run the "add/generate" commands regularly? If not, would it make sense to document that process / commands rather than defining these package.json commands?

@dblandin I've been involved with this tool for some time and I have not had to add secrets and I don't immediately recall having to inline exclude any (it may have happened) however I've had to re-generate the baseline on a number of occasions, thought not in a while. This was something that would happen more frequently after we started to incorporate this tool to projects. Just wanted to share my experience.

[brainbicycle]

this looks great to me, might be worth sharing out in mobile-practice before or after it is merged, good to merge from my perspective

[pvinis]

this should be good to go. ill mark it as #squashongreen and we can show it on the next free KS. the last two were taken over by other stuff.