wiping commit history

Author: Dustin Rogers

.gitignore

@@ -0,0 +1,3 @@
+trufflehog_report.json
+somefilewithpasswords.txt
+__pycache__

CONTRIBUTING

@@ -0,0 +1 @@
+Contributions are welcome!

Dockerfile

@@ -0,0 +1,18 @@
+
+FROM ubuntu:18.04
+
+RUN apt-get update && \
+    apt-get install -y python3 python3-pip && \
+    apt-get clean
+
+COPY requirements.txt requirements.txt
+RUN pip3 install -r requirements.txt
+
+COPY trufflehog_python.py /trufflehog_python.py
+
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+ENTRYPOINT ["/entrypoint.sh"]
+
+#ENTRYPOINT ["sh", "-c", "python3 /trufflehog_python.py --github=false --slack=false"]
+

LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2021 Netlify.
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

README.md

@@ -0,0 +1,44 @@
+```
+              _,-""""-..__
+         |`,-'_. `  ` ``  `--'""".
+         ;  ,'  | ``  ` `  ` ```  `.
+       ,-'   ..-' ` ` `` `  `` `  ` |==.
+     ,'    ^    `  `    `` `  ` `.  ;   \
+    `}_,-^-   _ .  ` \ `  ` __ `   ;    #
+       `"---"' `-`. ` \---""`.`.  `;
+                  \\` ;       ; `. `,
+                   ||`;      / / | |
+      jrei        //_;`    ,_;' ,_;"
+```
+# security-netlify-trufflehog-scanner
+This repository is meant to hold trufflehog secret-scanning utility
+
+## Secret Scanning Automation
+Trufflehog (using `trufflehog3`) scans the Netlify code repos in github everyday by executing the script `trufflehog_python.py` as a github action. It will report any new findings to slack channel `#security-operations-alerts`.
+
+trufflehog_arachni.py  accepts to arguments 
+--org , -o , the org to report on
+
+### Suppressing Alerts
+To suppress alerts, add the `Commit Hash` or `SHA256` to the `suppressions` file, line-by-line, with an appropriate comment. PR and merge.
+
+### Testing Locally
+- You will need to install `trufflehog3` using `pip`, and have it available in '/usr/local/bin/trufflehog3`
+- You will need to set the TRUFFLEHOG_SLACK_WEBHOOK env var.
+- You will need to set the TRUFFLEHOG_GH_ACCESS_TOKEN env var.
+
+### TODO
+- Post daily HTML report as static Netlify site.
+- each string can be suppressed, currently the entire commit must be suppressed.
+- figure out `git LFS` problem on some of the repos
+
+## Using `trufflehog-python.py` to Perform a Secret Scan
+Prerequisites - `trufflehog3` must be installed and available on your system.
+
+### Running the scan
+Now we can run a scan. If you wish to see which parameters are being executed with `trufflehog3`, explore the script. 
+
+`python trufflehog-python.py --org netlify > /tmp/netlify_secrets.trufflelog`
+
+### Create HTML report
+TBD

action.yml

@@ -0,0 +1,51 @@
+name: 'security-netlify-trufflehog-parse'
+description: 'python wrapped trufflehog scanner and report parser adding features like suppression handling'
+inputs:
+  trufflehog_report_file_path:
+    description: 'location of trufflehog report that will be parsed'
+    required: true
+    default: 'trufflehog_report.json'
+  suppression_file_path:  # id of input
+    description: 'path/name of suppression list file'
+    required: false
+    default: 'suppressions-trufflehog'
+  ignore_paths_file_path:  # id of input
+    description: 'path/name of paths-to-ignore list file'
+    required: false
+    default: 'ignore-paths-trufflehog'
+  create_github_issue:
+    description: 'boolean if user wishes to create github issues'
+    required: false
+    default: 'false'
+  create_slack_notification:
+    description: 'boolean if user wishes to create slack alert'
+    required: false
+    default: false
+  secret_scan_slack_webhook:
+    description: 'slack webhook, if desired'
+    required: false
+    default: ''
+  secret_scan_gh_access_token:
+    description: 'GH access token used to create issues'
+    required: false
+    default: ''
+  github_repo_name:
+    description: 'github repo name'
+    required: false
+    default: ''
+runs:
+  using: 'docker'
+  image: 'Dockerfile'
+  args:
+    - ${{ inputs.trufflehog_report_file_path }}
+    - ${{ inputs.suppression_file_path }}
+    - ${{ inputs.ignore_paths_file_path }}
+    - ${{ inputs.create_github_issue }}
+    - ${{ inputs.create_slack_notification }}
+  env:
+    SECRET_SCAN_SLACK_WEBHOOK: ${{ inputs.secret_scan_slack_webhook }}
+    SECRET_SCAN_GH_ACCESS_TOKEN: ${{ inputs.secret_scan_gh_access_token }}
+    GITHUB_REPO: ${{ inputs.github_repo_name }}
+branding:
+  icon: 'life-buoy'
+  color: 'white'

entrypoint.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+
+PARAMS_STRING=""
+
+# ARG- Must Supply Trufflehog3 Report Path 
+if [ ! -z "$1" ]
+then
+	PARAMS_STRING+="--report-path=$1"
+fi
+
+# ARG - Suppressions List File Path
+if [ ! -z "$2" ]
+then
+	PARAMS_STRING+=" --suppressions-path=$2"
+fi
+
+# ARG - Paths-to-Ingore List File Path
+if [ ! -z "$2" ]
+then
+	PARAMS_STRING+=" --ignore-paths=$3"
+fi
+
+# ARG - Create Github Issues Bool
+if [ ! -z "$3" ]
+then
+	PARAMS_STRING+=" --github=$4"
+fi
+
+# ARG - Create Slack Notifications Bool
+if [ ! -z "$5" ]
+then
+	PARAMS_STRING+=" --slack=$5"
+fi
+
+echo "$PARAMS_STRING"
+ 
+#python3 trufflehog_python.py --report-path="trufflehog_report.json" 
+python3 /trufflehog_python.py $PARAMS_STRING 

ignore-paths-trufflehog-example

@@ -0,0 +1 @@
+somefilewithotherpasswords.txt

requirements.txt

@@ -0,0 +1,8 @@
+requests==2.22.0
+requests-unixsocket==0.2.0
+slackclient==2.8.1
+simplejson==3.16.0
+truffleHog3
+truffleHogRegexes
+PyGithub==1.53
+GitPython

suppressions-trufflehog-example

@@ -0,0 +1,2 @@
+343a2bf8c900e0e20959ef6a11378ee15f80c91d #example_org/example - removing key in commit
+kka1742068f7e436743d3e7ce0d1a54323f9c1e48c2dd582a5447d10425b8c53a2 - #netlify/trufflehog - testing