the block confidential script is not blocking the kubeconfig file

[vivuu1989]

Hello experts,

We are using the platform samples the block confidential pre-receive script in our environment. It was working as expected.
but when we scanned the GitHub data , we could identify that the kubeconfig files are not getting blocked.

Could you please suggest us to add the best regex to find the kubeconfig file and block it through pre-receive script..

[stoe]

To block a certain file by extension, you may want to look at the https://github.com/github/platform-samples/blob/master/pre-receive-hooks/block_file_extensions.sh example, @vivuu1989.

[vivuu1989]

@stoe thanks , but we were looking for the possibility to block it through the same pre-receive hook which we are using for the block confidential. Because the user may store the file in different format and it may not identify..
Hence we are looking for some regex same like which we used for finding RSA token or etc..

[stoe]

@vivuu1989, you can add the required regex to the list in

platform-samples/pre-receive-hooks/block_confidentials.sh

Lines 20 to 29 in e9c2177

	regex_list=(
	# block any private key file
	'(\-){5}BEGIN\s?(RSA|OPENSSH|DSA|EC|PGP)?\s?PRIVATE KEY\s?(BLOCK)?(\-){5}.*'
	# block AWS API Keys
	'AKIA[0-9A-Z]{16}'
	# block AWS Secret Access Key (TODO: adjust to not find validd Git SHA1s; false positives)
	# '([^A-Za-z0-9/+=])?([A-Za-z0-9/+=]{40})([^A-Za-z0-9/+=])?'
	# block confidential content
	'CONFIDENTIAL'
	)

[vivuu1989]

@stoe yes , thats correct. But we are confused about the regex value which can be added to the script to block the kubeconfig file.

[stoe]

@vivuu1989, maybe try https://regexr.com to get to the regex you need?