const { exec: cexec, execFile } = require('child_process');
const path = require('path');
const { Step } = require('../../actions');
const config = require('../../../config');
// Resolved once at module load: the commit-scanning config (exec reads
// checkForSecrets.enabled from it) and the authorised repo list, whose entries
// are matched on .url and supply the LocalRepoRoot that gitleaks scans.
const commitConfig = config.getCommitConfig();
const authorizedlist = config.getAuthorisedList();
// Helpers below extract the relevant file paths from Git diff content.
// To enable this feature, edit proxyconfig.json.
// gitleaks_report.json lists the secrets that were found and the file each one was found in.
// Helper to extract relevant file paths and their parent directories.
// gitleaks dir "C:/Users/ingle/Desktop/CitiHackthon/git-proxy/test/test_data/GitleaksSampleData/sensitive_data.js" --config="c:/Users/ingle/Desktop/CitiHackthon/git-proxy/gitleaks.toml" --report-format json --log-level debug --report-path="c:/Users/ingle/Desktop/CitiHackthon/git-proxy/gitleaks_report.json"
// Use the command above to run gitleaks manually from a terminal.
// Helper to extract the relevant directories from Git diff content.
function extractRelevantDirectories(diffContent) {
const relevantDirectories = [];
const relevantExtensions = ['.json', '.yaml', '.yml', '.js', '.ts', '.txt'];
const lines = diffContent.split('\n');
lines.forEach((line) => {
const match = line.match(/^diff --git a\/(.+?) b\/(.+?)$/);
if (match) {
const filePath = match[1];
const fileExtension = `.${filePath.split('.').pop()}`;
if (relevantExtensions.includes(fileExtension)) {
const dirPath = path.dirname(filePath);
if (!relevantDirectories.includes(dirPath)) {
relevantDirectories.push(dirPath);
}
}
}
});
return relevantDirectories;
}
// Function to run Gitleaks with directory paths
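/**
 * Run `gitleaks dir` over the given paths (relative to repoRoot) and report
 * whether it found leaks.
 *
 * The paths are derived from diff content supplied by the pusher, so they are
 * untrusted. The process is therefore spawned with execFile and an argv array
 * (no shell): a path containing shell metacharacters is passed to gitleaks
 * verbatim instead of being interpreted by /bin/sh or cmd.exe, which is what
 * the previous string-built `exec(command)` allowed. The config file is
 * expected at ../../../../gitleaks.toml relative to this module and the JSON
 * report is written to <repoRoot>/gitleaks_report.json.
 *
 * @param {string[]} filePaths - directories/files to scan, relative to repoRoot
 * @param {string} repoRoot - local checkout the paths are resolved against
 * @returns {Promise<boolean>} true when gitleaks reported leaks, false when the scan was clean
 * @throws {Error} when gitleaks could not be executed or exited with an unexpected failure
 */
async function runGitleaks(filePaths, repoRoot) {
  console.log(filePaths);
  // Absolute paths, normalised to forward slashes as before; no quoting is
  // needed because each path becomes its own argv entry.
  const filesToCheck = filePaths.map((filePath) =>
    path.resolve(repoRoot, filePath).replace(/\\/g, '/'),
  );
  console.log('filesToCheck:', filesToCheck.join(' '));
  // Config path and report path
  const configPath = path.resolve(__dirname, '../../../../gitleaks.toml').replace(/\\/g, '/');
  const reportPath = `${repoRoot}/gitleaks_report.json`;
  console.log('configPath:', configPath);
  console.log('reportPath:', reportPath);
  // One argv entry per token, mirroring the former command line.
  const args = [
    'dir',
    ...filesToCheck,
    `--config=${configPath}`,
    '--report-format',
    'json',
    '--log-level',
    'debug',
    `--report-path=${reportPath}`,
  ];
  console.log(`Executing Gitleaks: gitleaks ${args.join(' ')}`);
  return new Promise((resolve, reject) => {
    // execFile resolves `gitleaks` via PATH without a shell. NOTE(review): on
    // Windows this requires gitleaks to be an .exe, not a .cmd wrapper — confirm.
    execFile('gitleaks', args, (error, stdout, stderr) => {
      if (!error) {
        resolve(false);
        return;
      }
      console.log("stderrrrr:",stderr);
      // gitleaks exits non-zero when it finds leaks; that is a successful scan,
      // not an execution failure.
      if (stderr.includes('leaks found')) {
        console.warn('Leaks were found, but execution succeeded.');
        resolve(true);
      } else {
        console.error(`Error executing gitleaks: ${error.message}`);
        reject(new Error(`Error executing gitleaks: ${error.message}`));
      }
    });
  });
}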
// Example usage in exec function
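/**
 * Push-pipeline step: scan the directories touched by the incoming diff with
 * gitleaks and block the push when secrets are reported.
 *
 * Outcomes:
 *  - feature disabled in the commit config (or no checkForSecrets section):
 *    the step is recorded unblocked and the action returned;
 *  - no diff step content, or no directories with a scannable extension:
 *    nothing to scan, the step is recorded unblocked;
 *  - gitleaks reports leaks: the step is blocked with a message;
 *  - gitleaks cannot be run, or the repo has no authorised-list entry to
 *    resolve LocalRepoRoot from: the step is blocked. Previously such errors
 *    were only logged and no step was added, so a broken scanner let the push
 *    through silently; a security control that cannot run must fail closed.
 *
 * @param {object} req - incoming request (unused here; part of the step signature)
 * @param {object} action - pipeline action carrying `steps`, `url` and `addStep`
 * @returns {Promise<object>} the same action with the checkForSecrets step added
 */
const exec = async (req, action) => {
  const step = new Step('checkForSecrets');
  // A missing checkForSecrets section is treated as "disabled" rather than a TypeError.
  const commitinfo = commitConfig.checkForSecrets || {};
  if (!commitinfo.enabled) {
    action.addStep(step);
    return action;
  }
  const diffStep = action.steps.find((s) => s.stepName === 'diff');
  const diffContent = diffStep && diffStep.content;
  if (!diffContent) {
    console.log('No diff content available.');
    action.addStep(step);
    return action;
  }
  const dirPaths = extractRelevantDirectories(diffContent);
  if (dirPaths.length === 0) {
    console.log('No relevant directories found in the diff.');
    action.addStep(step);
    return action;
  }
  try {
    const entry = authorizedlist.find((item) => item.url === action.url);
    if (!entry) {
      throw new Error(`No authorised-list entry with a LocalRepoRoot for ${action.url}`);
    }
    const leaksFound = await runGitleaks(dirPaths, entry.LocalRepoRoot);
    if (leaksFound) {
      step.blocked = true;
      step.blockedMessage = 'Sensitive secrets detected in the diff.';
      console.log('Sensitive secrets detected! Push blocked. You can check the gitleaks_report.json for details');
    } else {
      console.log('No sensitive secrets detected.');
    }
  } catch (err) {
    console.error('Error during Gitleaks execution:', err);
    // Fail closed: the scan did not complete, so the push cannot be vouched for.
    step.blocked = true;
    step.blockedMessage = 'Secret scan could not be completed; push blocked.';
  }
  action.addStep(step);
  return action;
};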
// Human-readable name attached to the step function; `exec` is the module's sole export.
exec.displayName = 'checkForSecrets.exec';
module.exports = { exec };