From 8b08a89d29519cf8bf6272bbda639cbc82979c2a Mon Sep 17 00:00:00 2001 
From: Chris Walters Date: Mon, 20 Apr 2026 08:31:33 +0100 Subject: [PATCH] Remove git-secrets references and add GitLeaks guidance --- blueprints.md | 2 +- practices/guides/commit-purge.md | 2 +- practices/security.md | 2 +- quality-checks.md | 2 +- tools/gitleaks.md | 80 ++++ tools/nhsd-git-secrets/.gitallowed-base | 9 - .../.pre-commit-config.example.yaml | 8 - .../README-linux-workstation.md | 65 ---- .../README-mac-workstation.md | 65 ---- .../README-windows-workstation.md | 61 --- tools/nhsd-git-secrets/README.md | 60 --- tools/nhsd-git-secrets/full-history-scan.sh | 14 - tools/nhsd-git-secrets/git-secrets | 358 ------------------ .../gitSecretsExample.Jenkinsfile | 39 -- tools/nhsd-git-secrets/install-linux.sh | 32 -- tools/nhsd-git-secrets/install-windows.ps1 | 55 --- .../nhsd-git-secrets.dockerfile | 60 --- tools/nhsd-git-secrets/nhsd-rules-deny.txt | 21 - tools/nhsd-git-secrets/pre-commit-mac.sh | 9 - tools/nhsd-git-secrets/pre-commit.sh | 9 - tools/nhsd-git-secrets/scan-repo-linux-mac.sh | 12 - 21 files changed, 84 insertions(+), 881 deletions(-) create mode 100644 tools/gitleaks.md delete mode 100644 tools/nhsd-git-secrets/.gitallowed-base delete mode 100644 tools/nhsd-git-secrets/.pre-commit-config.example.yaml delete mode 100644 tools/nhsd-git-secrets/README-linux-workstation.md delete mode 100644 tools/nhsd-git-secrets/README-mac-workstation.md delete mode 100644 tools/nhsd-git-secrets/README-windows-workstation.md delete mode 100644 tools/nhsd-git-secrets/README.md delete mode 100755 tools/nhsd-git-secrets/full-history-scan.sh delete mode 100755 tools/nhsd-git-secrets/git-secrets delete mode 100644 tools/nhsd-git-secrets/gitSecretsExample.Jenkinsfile delete mode 100755 tools/nhsd-git-secrets/install-linux.sh delete mode 100644 tools/nhsd-git-secrets/install-windows.ps1 delete mode 100644 tools/nhsd-git-secrets/nhsd-git-secrets.dockerfile delete mode 100644 tools/nhsd-git-secrets/nhsd-rules-deny.txt delete mode 100755 
tools/nhsd-git-secrets/pre-commit-mac.sh delete mode 100755 tools/nhsd-git-secrets/pre-commit.sh delete mode 100755 tools/nhsd-git-secrets/scan-repo-linux-mac.sh diff --git a/blueprints.md b/blueprints.md index 2cdd6531..20096b2d 100644 --- a/blueprints.md +++ b/blueprints.md @@ -11,4 +11,4 @@ Where possible this will be a set of fully working components / solutions you ca | [Purging commits on GitHub](practices/guides/commit-purge.md) | Instructions | Mandatory | Published | | [Signing commits on GitHub](practices/guides/commit-signing.md) | Instructions | Recommended | Published | | [Automating performance-test decisions using APDEX](practices/performance-testing.md) | Instructions | Recommended | Published | -| [Scanning source code for secrets](tools/nhsd-git-secrets/README.md) | Full solution | Recommended | Published | +| [Scanning source code for secrets](tools/gitleaks.md) | Instructions | Recommended | Published | diff --git a/practices/guides/commit-purge.md b/practices/guides/commit-purge.md index 5562cae6..63b2fe12 100644 --- a/practices/guides/commit-purge.md +++ b/practices/guides/commit-purge.md @@ -8,7 +8,7 @@ Engineering teams must take all necessary precautions to ensure that sensitive d Teams must also review their Near Miss reporting requirements and ensure that necessary steps are taken. -Teams must ensure that a [Secret scanner](https://github.com/NHSDigital/software-engineering-quality-framework/tree/main/tools/nhsd-git-secrets) is enabled on their repositories. +Teams must ensure that a secret scanner such as [GitLeaks](../../tools/gitleaks.md) is enabled on their repositories. Teams must also ensure that developers follow standard processes to ensure any pre-commit hooks are enabled and enforced to reduce the risk of sensitive information being accidentally published. Teams should also contribute to the rule set for these tools to ensure secrets are identified correctly. 
diff --git a/practices/security.md b/practices/security.md index 421e8fd4..296b5dfa 100644 --- a/practices/security.md +++ b/practices/security.md @@ -79,7 +79,7 @@ The remainder of this page gives more detailed and specific recommendations to b - Prevent **[clickjacking](https://sudo.pagerduty.com/for_engineers/#clickjacking)** with `X-Frame-Options` - Be careful not to **leak information**, e.g. error messages, stack traces, headers - **Don't trust** yourself or others! - - Code must be automatically scanned for secrets or other sensitive data. We have a [secret scanning guide](../tools/nhsd-git-secrets/README.md) that describes how to best achieve this using our preferred tooling, and also includes examples to get you started. + - Code must be automatically scanned for secrets or other sensitive data. Use our [GitLeaks guidance](../tools/gitleaks.md) to implement local and pipeline scanning with the organisation's preferred tooling. - Be wary of any 3rd party JavaScript included on the page, e.g. for A/B testing, analytics - Pin dependencies at known versions to avoid unexpected updates - Scan dependencies for vulnerabilities, e.g. using [OWASP Dependency Check](https://owasp.org/www-project-dependency-check/) or [Snyk](https://snyk.io/) diff --git a/quality-checks.md b/quality-checks.md index c7bcc197..f3ff89c6 100644 --- a/quality-checks.md +++ b/quality-checks.md @@ -54,7 +54,7 @@ We recommend tracking progress on an Engineering Quality dashboard, for example: | Duplicate code scan | Maintainability | Universal | Check whether the same code is used in multiple places | Duplicate code increases the cost and risk of making software changes and will increase exponentially over time | Must use SonarQube's default [rules, profiles and gateways](tools/sonarqube.md#default-quality-gates)

Build pipeline must fail if gateway is not met | [SonarQube](tools/sonarqube.md) | | | Integration test | Functionality | Universal | Check interactions with other components and dependant systems. e.g. across microservices, authentication layers, database, third-party systems. Ideally includes full end-to-end testing across all components | When components are developed in isolation, it's vital that we regularly test them working together. Changes in one component can break the whole system | Builds fail if any tests fail | | | | Performance test | Resilience | Contextual | Check whether application performance is acceptable at different levels of load. This may include:
*Baseline test (one-off) - to establish how the system interacts*
*Smoke test - to establish that the key functionality is working before performing longer tests*
*Regression test - run a suite of repeatable test cases to validate existing functionality*
Load test - to understand the system behaviour under an expected load | Without these tests, we don't know how load will affect the performance of the application, or whether existing functionality has been broken. | The performance of the system must be scored at build time so that it can be tracked

Build pipeline must fail if performance does not meet the acceptable level | One option is to use [APDEX](https://en.wikipedia.org/wiki/Apdex) to quantify performance to a numeric value, and to use this value to pass/fail the build pipeline | [Performance test practices](./practices/performance-testing.md) | -| Secret scan | Security | Universal | Check for secrets (e.g. passwords, IP addresses, etc) accidentally included in software code | This protects us against accidentally leaking secrets (in source code) which could compromise the security of the application | Review the list of patterns and update it as necessary

... then:

Full repository (including history) scan, and all secrets removed

And:

Local (on developer laptop) scanning to block commits containing the patterns

And:

Server-side scanning within the code repository for new commits containing the patterns | [nhsd-git-secrets](tools/nhsd-git-secrets/) | | +| Secret scan | Security | Universal | Check for secrets (e.g. passwords, API keys, certificates or tokens) accidentally included in software code | This protects us against accidentally leaking secrets in source code, commit history, logs and configuration, which could compromise the security of the application | Review the detection rules and exclusions regularly

... then:

Full repository (including history) scan, and all secrets removed

And:

Local scanning to block commits containing the patterns

And:

Server-side scanning within the code repository for new commits containing the patterns | [GitLeaks guidance](tools/gitleaks.md) | | | Security scan | Security | Universal | Check for indications of possible security issues (for example injection weaknesses) | This gives fast feedback about security issues.

Code analysis is not as thorough as security testing in terms of finding complex weaknesses or issues that only manifest themselves at runtime, but it has much greater coverage. It's a better option for finding simple weaknesses and it's much quicker to execute.

Security code analysis and security testing are both important to achieve rapid and thorough security testing. | If using SonarQube, must use SonarQube's default [rules, profiles and gateways](tools/sonarqube.md#default-quality-gates)

Build pipeline must fail if gateway is not met | One option is [SonarQube](tools/sonarqube.md). For the purpose of security code analysis, Developer Edition or higher is required as it includes advanced OWASP scanning. | | | Security test | Security | Contextual | Check for security issues (for example injection weaknesses) | More thorough than security code scanning, but much slower to execute, so both are important to achieve both rapid and thorough security testing | | | | | Soak test | Resilience | Contextual | Check whether sustained heavy load for a significantly extended period causes a problem such as memory leaks, loss of instances, database failovers etc. | Without this test, we don't know if application performance will suffer under prolonged heavy load, how stable the system is, how it performs without interventions. | | | | diff --git a/tools/gitleaks.md b/tools/gitleaks.md new file mode 100644 index 00000000..92a86082 --- /dev/null +++ b/tools/gitleaks.md 
@@ -0,0 +1,80 @@ +# GitLeaks guidance + +GitLeaks is the organisation's preferred tool for scanning repositories for accidentally committed secrets. + +## Why secrets scanning matters + +Secret scanning should cover two separate risks: + +1. Secrets that already exist in repository history. +2. New secrets being introduced through day-to-day development. + +Teams should treat any discovered secret as compromised, revoke or rotate it, and then remove it from Git history where necessary. See [Guidance for removing sensitive data from GitHub](../practices/guides/commit-purge.md). + +## Minimum expectations + +Use GitLeaks to enforce all of the following: + +1. A full repository history scan before onboarding the tool. +2. Local scanning before code is pushed or merged. +3. CI scanning on every pull request and on the default branch. +4. Regular review of custom rules, allowlists and exclusions. + +## Getting started + +Install GitLeaks using the package manager or distribution method recommended for your platform in the official project documentation. + +Typical verification commands are: + +```bash +gitleaks version +gitleaks git --redact --verbose --log-opts="--all" +gitleaks dir . --redact --verbose +``` + +Use `gitleaks git` when you need to inspect commit history. Use `gitleaks dir` when you want to scan the current working tree. + +## Local developer workflow + +Teams should wire GitLeaks into local development so secrets are caught before they are pushed. + +One option is to use `pre-commit`: + +```yaml +repos: + - repo: https://github.com/gitleaks/gitleaks + rev: v8.24.2 + hooks: + - id: gitleaks +``` + +If your team uses another hook manager, apply the same principle: run GitLeaks automatically before changes leave a developer workstation. + +## CI integration + +Run GitLeaks in CI so every repository has a server-side control as well as local checks. 
+ +Example GitHub Actions step: + +```yaml +- name: Run GitLeaks + run: gitleaks git --redact --verbose --log-opts="--all" +``` + +If you maintain a custom configuration, store it in the repository and reference it explicitly in local and CI commands so the same rules apply everywhere. + +## Rule management + +Start with the default GitLeaks ruleset and add repository-specific rules only where needed. + +When adding allowlists or exclusions: + +1. Keep them as narrow as possible. +2. Record why they are needed. +3. Review them regularly and remove them when no longer justified. + +## Further reading + +- [GitLeaks](https://github.com/gitleaks/gitleaks) +- [GitLeaks configuration](https://github.com/gitleaks/gitleaks#configuration) +- [GitLeaks pre-commit integration](https://github.com/gitleaks/gitleaks#pre-commit) diff --git a/tools/nhsd-git-secrets/.gitallowed-base b/tools/nhsd-git-secrets/.gitallowed-base deleted file mode 100644 index 6d5fae65..00000000 --- a/tools/nhsd-git-secrets/.gitallowed-base +++ /dev/null @@ -1,9 +0,0 @@ -.*git-secrets/.*:* -.*terraform.tfstate.*:* -.*.svg:* -.*.jquery.*.js:* -.*engine_version* -.*127.0.0.1* -.*assembly: AssemblyVersion* -.*assembly: AssemblyFileVersion* -.*Version=* diff --git a/tools/nhsd-git-secrets/.pre-commit-config.example.yaml b/tools/nhsd-git-secrets/.pre-commit-config.example.yaml deleted file mode 100644 index a18051fd..00000000 --- a/tools/nhsd-git-secrets/.pre-commit-config.example.yaml +++ /dev/null @@ -1,8 +0,0 @@ -repos: -- repo: local - hooks: - - id: git-secrets - name: Git Secrets - description: git-secrets scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories. - entry: 'nhsd-git-secrets/pre-commit-mac.sh' - language: script diff --git a/tools/nhsd-git-secrets/README-linux-workstation.md b/tools/nhsd-git-secrets/README-linux-workstation.md deleted file mode 100644 index 705fbdb0..00000000 
--- a/tools/nhsd-git-secrets/README-linux-workstation.md +++ /dev/null 
@@ -1,65 +0,0 @@ -# Setup (Linux/WSL only) - -## Setup - -Make sure to copy the `nhd-git-secrets` folder into the root of the project repository, and then navigate the terminal to the repo root - -* `cd nhsd-git-secrets` -* `cp .gitallowed-base ../.gitallowed` -* `./install-linux.sh` - -Next time you do a commit the git secrets hook should be invoked. - -### Troubleshooting - -You should have 3 new files in the `.git/hooks` folder in the repository. If these are not present, then make sure you have ran the install script and that this script ran successfully. -If you get an output containing: - -```bash -[3/5] Adding Git Hooks -./install-linux.sh: line 18: git-secrets: command not found -``` - -* Run this command anywhere: `export PATH="$HOME/git-secrets/bin":$PATH` -* Then re-run the install script (`./nhsd-git-secrets/install-linux.sh`) - -### Custom configuration (per repo / per service team) - -* Add individual regex expressions to the existing `repo_root/nhsd-git-secrets-nhsd-rules-deny.txt` file -* Or, create your own file for regex rules and add it as a provider within the [pre-commit script](pre-commit.sh) e.g.: - `./nhsd-git-secrets/git-secrets --add-provider -- cat nhsd-git-secrets/nhsd-rules-deny.txt` - -* Add file/dir excludes within the `repo_root/.gitallowed`, e.g. 
`.*terraform.tfstate.*:*` - -* Control full scan vs staged files scan within [pre-commit script](pre-commit.sh) by commenting/uncommenting the mode to run e.g.: - - ```bash - # Just scan the files changed in this commit - # ./nhsd-git-secrets/git-secrets --pre_commit_hook - - # Scan all files within this repo for this commit - ./nhsd-git-secrets/git-secrets --scan - ``` - -## Testing and Usage - -To test that the hooks have been enabled correctly: - -* make sure you have done git add if you have changed anything within git-Secrets -* create a file containing one or more patterns from the `git-secrets/nhsd-rules-deny.txt` file (e.g.: `password = “test”`) -* stage and commit the file - -You should see an output similar to: `“[ERROR] Matched one or more prohibited patterns…”`. - -**Note** This message may appear differently depending on the tools used. - -> If you have a *false-positive* match, and your changes do not contain sensitive credentials then you can add the `--no-verify` flag to the commit command to **skip the checking**. - -## Docker version - -Alternatively, you might find this [dockerfile](nhsd-git-secrets.dockerfile) convenient, which: - -1. Copies your source code into a docker image -1. Downloads latest version of the secret scanner tool -1. Downloads latest regex patterns from software-engineering-quality-framework -1. Runs a scan diff --git a/tools/nhsd-git-secrets/README-mac-workstation.md b/tools/nhsd-git-secrets/README-mac-workstation.md deleted file mode 100644 index 62ad078f..00000000 --- a/tools/nhsd-git-secrets/README-mac-workstation.md +++ /dev/null 
@@ -1,65 +0,0 @@ -# Setup (Mac only) - -Ensure you have the [pre-commit framework](https://pre-commit.com/) set up first. - -## TL;DR - -* `pre-commit --version` (to check whether it's installed) -* `brew install pre-commit` -* `cd ` -* `pre-commit install` - -## Setup - -Make sure to copy the nhd-git-secrets folder into the root of the project repository, and then navigate the terminal to the repo root - -* `cd nhsd-git-secrets` -* `cp git-secrets ..` -* `cp .gitallowed-base ../.gitallowed` - -Then if you don't have an existing .pre-commit-config.yaml in the root of your repo: - -* `cp .pre-commit-config.example.yaml ../.pre-commit-config.yaml` - -Otherwise integrate the git-secrets example config into your existing file. - -Then: - -* `cd ..` -* `pre-commit install` -* `git add .pre-commit-config.yaml` - -Next time you do a commit the git secrets hook should be invoked. - -## Custom configuration (per repo / per service team) - -* Add individual regex expressions to the existing `repo_root/nhsd-git-secrets-nhsd-rules-deny.txt` file -* Or, create your own file for regex rules and add it as a provider within the [pre-commit script](pre-commit.sh) e.g.: - - `git secrets --add-provider -- cat git-secrets/nhsd-rules-deny.txt` - -* Add file/dir excludes within the `repo_root/.gitallowed` file, e.g. `.*terraform.tfstate.*:*` - -* Control full scan vs staged files scan within [pre-commit (mac) script](pre-commit-mac.sh) by commenting/uncommenting the mode to run e.g.: - - ```bash - # Just scan the files changed in this commit - # git secrets --pre_commit_hook - - # Scan all files within this repo for this commit - git secrets --scan - ``` - -## Testing-a - -* make sure you have done git add if you have changed anything within git-Secrets -* Run: `pre-commit run git-secrets` - -## Docker version - -Alternatively, you might find this [dockerfile](nhsd-git-secrets.dockerfile) convenient, which: - -1. Copies your source code into a docker image -1. 
Downloads latest version of the secret scanner tool -1. Downloads latest regex patterns from software-engineering-quality-framework -1. Runs a scan diff --git a/tools/nhsd-git-secrets/README-windows-workstation.md b/tools/nhsd-git-secrets/README-windows-workstation.md deleted file mode 100644 index d6225196..00000000 --- a/tools/nhsd-git-secrets/README-windows-workstation.md +++ /dev/null 
@@ -1,61 +0,0 @@ -# Setup (Windows only) - -## Prerequisites - -Ensure you have permissions to exceute powershell scripts. If this is not possible, then you may be able to use WSL instead and setup git-secrets following the [guide for linux](README-linux-workstation.md). - -## Setup - -Make sure to copy the `nhd-git-secrets` folder into the root of the project repository, and then navigate the terminal (powershell) to the repo root - -* `cd .\nhsd-git-secrets\` -* `cp .\gitallowed-base ../.gitallowed` -* `.\install-windows.ps1` - -Next time you do a commit the git secrets hook should be invoked. - -### Troubleshooting - -You should have 3 new files in the `.git/hooks` folder in the repository. If these are not present, then make sure you have ran the install script. - -### Custom configuration (per repo / per service team) - -* Add individual regex expressions to the existing `repo_root/nhsd-git-secrets-nhsd-rules-deny.txt` file -* Or, create your own file for regex rules and add it as a provider within the [pre-commit script](pre-commit.sh) e.g.: - - `./nhsd-git-secrets/git-secrets --add-provider -- cat nhsd-git-secrets/nhsd-rules-deny.txt` - -* Add file/dir excludes within the `repo_root/.gitallowed`, e.g. 
`.*terraform.tfstate.*:*` - -* Control full scan vs staged files scan within [pre-commit script](pre-commit.sh) by commenting/uncommenting the mode to run e.g.: - - ```bash - # Just scan the files changed in this commit - # ./nhsd-git-secrets/git-secrets --pre_commit_hook - - # Scan all files within this repo for this commit - ./nhsd-git-secrets/git-secrets --scan - ``` - -## Testing and Usage - -To test that the hooks have been enabled correctly: - -* make sure you have done git add if you have changed anything within git-Secrets -* create a file containing one or more patterns from the `git-secrets/nhsd-rules-deny.txt` file (e.g.: `password = “test”`) -* stage and commit the file - -You should see an output similar to: `“[ERROR] Matched one or more prohibited patterns…”`. - -**Note** This message may appear differently depending on the tools used. - -> If you have a *false-positive* match, and your changes do not contain sensitive credentials then you can add the `--no-verify` flag to the commit command to **skip the checking**. - -## Docker version - -Alternatively, you might find this [dockerfile](nhsd-git-secrets.dockerfile) convenient, which: - -1. Copies your source code into a docker image -1. Downloads latest version of the secret scanner tool -1. Downloads latest regex patterns from software-engineering-quality-framework -1. Runs a scan diff --git a/tools/nhsd-git-secrets/README.md b/tools/nhsd-git-secrets/README.md deleted file mode 100644 index 4563b778..00000000 --- a/tools/nhsd-git-secrets/README.md +++ /dev/null 
@@ -1,60 +0,0 @@ -# Git-Secrets examples - -This folder comprises examples for implementing AWSLabs Git-Secrets, which is our default implementation for [secrets scanning](../../quality-checks.md). As with any default, we expect teams to resolve any caveats as they best see fit, and of course to contribute to these examples. - -## Why secrets scanning - -Although we might be re-stating the obvious here, there's two main goals to consistent secrets scanning: - -1. Remove any secrets that may have been checked into the codebase in the past. -2. Prevent any new secrets from making it into the codebase. - -Essentially, we want to avoid the NHS facing [potentially dire consequences](https://www.zdnet.com/article/data-of-243-million-brazilians-exposed-online-via-website-source-code/) due to exposure of secrets. - -## How to get started - -If your team isn't doing secrets scanning at all yet, the fundamental first step is to understand the current state of the art. Use the following guides to set up and run Git-Secrets for a nominated team member: - -* [macOS](README-mac-workstation.md) -* [Linux/WSL](README-linux-workstation.md) -* [Windows](README-windows-workstation.md) - -Run the tooling, and ascertain whether there's any immediate actions to be taken. - -## Ongoing checks - -Once you've verified there's no urgent actions on your code, the next steps towards getting to green are: - -1. Ensure every team member is doing local scans. Stopping secrets before code has been committed is cheap, removing them from git history is expensive. -2. Run these same scripts as part of your deployment pipelines as a second line of defence. - -## Other ways of keeping credentials out of your code - -### Consider using OIDC Authentication instead of passwords - -OpenID Connect allows federated authentication from pipeline workflows to AWS and Azure without storing credentials in repository secrets at all, so no expiry to manage. 
GitHub documentation for achieving this for: - -* [AWS](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services) -* [Azure](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure) -* [Google](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-google-cloud-platform) - -Configuration for OIDC is light. See the below example GitHub Actions workflow excerpt which connects to both AWS and Azure: - -```yaml -steps: - - name: Checkout - uses: actions/checkout@v3 -​ - - name: Configure AWS STS credentials via OIDC - uses: aws-actions/configure-aws-credentials@v1 - with: - role-to-assume: ${{ secrets.AWS_ROLE_ID }} - aws-region: eu-west-2 -​ - - name: Configure Azure identity token via OIDC - uses: azure/login@v1 - with: - client-id: ${{ secrets.AZ_CLIENT_ID }} - tenant-id: ${{ secrets.AZ_TENANT_ID }} - allow-no-subscriptions: true - ``` diff --git a/tools/nhsd-git-secrets/full-history-scan.sh b/tools/nhsd-git-secrets/full-history-scan.sh deleted file mode 100755 index b166806f..00000000 --- a/tools/nhsd-git-secrets/full-history-scan.sh +++ /dev/null @@ -1,14 +0,0 @@ -#!/usr/bin/env bash - -cd .. - -export PATH=$PATH:. - -# # These only need to be run once per workstation/slave/agent but are included to try and ensure they are present -./git-secrets --register-aws -./git-secrets --add-provider -- cat nhsd-git-secrets/nhsd-rules-deny.txt -./git-secrets --add --allowed '.*git-secrets/.*:*' -./git-secrets --add --allowed '.*terraform.tfstate.*:*' - -# Scan all files within this repo for this commit -./git-secrets --scan-history diff --git a/tools/nhsd-git-secrets/git-secrets b/tools/nhsd-git-secrets/git-secrets deleted file mode 100755 index ceda0fa4..00000000 --- a/tools/nhsd-git-secrets/git-secrets +++ /dev/null 
@@ -1,358 +0,0 @@ -#!/usr/bin/env bash -# Copyright 2010-2013 Amazon.com, Inc. or its affiliates. All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"). -# You may not use this file except in compliance with the License. -# A copy of the License is located at -# -# http://aws.amazon.com/apache2.0 -# -# or in the "license" file accompanying this file. This file is distributed -# on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either -# express or implied. See the License for the specific language governing -# permissions and limitations under the License. - -NONGIT_OK=1 OPTIONS_SPEC="\ -git secrets --scan [-r|--recursive] [--cached] [--no-index] [--untracked] [...] -git secrets --scan-history -git secrets --install [-f|--force] [] -git secrets --list [--global] -git secrets --add [-a|--allowed] [-l|--literal] [--global] -git secrets --add-provider [--global] [arguments...] -git secrets --register-aws [--global] -git secrets --aws-provider [] --- -scan Scans for prohibited patterns -scan-history Scans repo for prohibited patterns -install Installs git hooks for Git repository or Git template directory -list Lists secret patterns -add Adds a prohibited or allowed pattern, ensuring to de-dupe with existing patterns -add-provider Adds a secret provider that when called outputs secret patterns on new lines -aws-provider Secret provider that outputs credentials found in an ini file -register-aws Adds common AWS patterns to the git config and scans for ~/.aws/credentials -r,recursive --scan scans directories recursively -cached --scan scans searches blobs registered in the index file -no-index --scan searches files in the current directory that is not managed by Git -untracked In addition to searching in the tracked files in the working tree, --scan also in untracked files -f,force --install overwrites hooks if the hook already exists -l,literal --add and --add-allowed patterns are escaped so that they are literal 
-a,allowed --add adds an allowed pattern instead of a prohibited pattern -global Uses the --global git config -commit_msg_hook* commit-msg hook (internal only) -pre_commit_hook* pre-commit hook (internal only) -prepare_commit_msg_hook* prepare-commit-msg hook (internal only)" - -# Include the git setup script. This parses and normalized CLI arguments. -. "$(git --exec-path)"/git-sh-setup - -load_patterns() { - git config --get-all secrets.patterns - # Execute each provider and use their output to build up patterns - git config --get-all secrets.providers | while read -r cmd; do - # Only split words on '\n\t ' and strip "\r" from the output to account - # for carriage returns being added on Windows systems. Note that this - # trimming is done before the test to ensure that the string is not empty. - local result="$(export IFS=$'\n\t '; $cmd | tr -d $'\r')" - # Do not add empty lines from providers as that would match everything. - if [ -n "${result}" ]; then - echo "${result}" - fi - done -} - -load_allowed() { - git config --get-all secrets.allowed - local gitallowed="$(git rev-parse --show-toplevel)/.gitallowed" - if [ -e "$gitallowed" ]; then - cat $gitallowed | awk 'NF && $1!~/^#/' - fi -} - -# load patterns and combine them with | -load_combined_patterns() { - local patterns=$(load_patterns) - local combined_patterns='' - for pattern in $patterns; do - combined_patterns=${combined_patterns}${pattern}"|" - done - combined_patterns=${combined_patterns%?} - echo $combined_patterns -} - -# Scans files or a repo using patterns. -scan() { - local files=("${@}") options="" - [ "${SCAN_CACHED}" == 1 ] && options+="--cached" - [ "${SCAN_UNTRACKED}" == 1 ] && options+=" --untracked" - [ "${SCAN_NO_INDEX}" == 1 ] && options+=" --no-index" - # Scan using git-grep if there are no files or if git options are applied. - if [ ${#files[@]} -eq 0 ] || [ ! 
-z "${options}" ]; then - output=$(git_grep $options "${files[@]}") - else - output=$(regular_grep "${files[@]}") - fi - process_output $? "${output}" -} - -# Scans through history using patterns -scan_history() { - # git log does not support multiple patterns, so we need to combine them - local combined_patterns=$(load_combined_patterns) - [ -z "${combined_patterns}" ] && return 0 - # Looks for differences matching the patterns, reduces the number of revisions to scan - local to_scan=$(git log --all -G"${combined_patterns}" --pretty=%H) - # Scan through revisions with findings to normalize output - output=$(GREP_OPTIONS= LC_ALL=C git grep -nwHEI "${combined_patterns}" $to_scan) - process_output $? "${output}" -} - -# Performs a git-grep, taking into account patterns and options. -# Note: this function returns 1 on success, 0 on error. -git_grep() { - local options="$1"; shift - local files=("${@}") combined_patterns=$(load_combined_patterns) - - [ -z "${combined_patterns}" ] && return 1 - GREP_OPTIONS= LC_ALL=C git grep -nwHEI ${options} "${combined_patterns}" -- "${files[@]}" -} - -# Performs a regular grep, taking into account patterns and recursion. -# Note: this function returns 1 on success, 0 on error. -regular_grep() { - local files=("${@}") patterns=$(load_patterns) action='skip' - [ -z "${patterns}" ] && return 1 - [ ${RECURSIVE} -eq 1 ] && action="recurse" - echo "DEBUG - patterns are: ${patterns}" - GREP_OPTIONS= LC_ALL=C grep -d "${action}" -nwHEI "${patterns}" "${files[@]}" -} - -# Process the given status ($1) and output variables ($2). -# Takes into account allowed patterns, and if a bad match is found, -# prints an error message and exits 1. 
-process_output() { - local status="$1" output="$2" - local allowed=$(load_allowed) - case "$status" in - 0) - [ -z "${allowed}" ] && echo "${output}" >&2 && return 1 - # Determine with a negative grep if the found matches are allowed - echo "${output}" | GREP_OPTIONS= LC_ALL=C grep -Ev "${allowed}" >&2 \ - && return 1 || return 0 - ;; - 1) return 0 ;; - *) exit $status - esac -} - -# Calls the given scanning function at $1, shifts, and passes to it $@. -# Exit 0 if success, otherwise exit 1 with error message. -scan_with_fn_or_die() { - local fn="$1"; shift - $fn "$@" && exit 0 - echo >&2 - echo "[ERROR] Matched one or more prohibited patterns" >&2 - echo >&2 - echo "Possible mitigations:" >&2 - echo "- Mark false positives as allowed using: git config --add secrets.allowed ..." >&2 - echo "- Mark false positives as allowed by adding regular expressions to .gitallowed at repository's root directory" >&2 - echo "- List your configured patterns: git config --get-all secrets.patterns" >&2 - echo "- List your configured allowed patterns: git config --get-all secrets.allowed" >&2 - echo "- List your configured allowed patterns in .gitallowed at repository's root directory" >&2 - echo "- Use --no-verify if this is a one-time false positive" >&2 - exit 1 -} - -# Scans a commit message, passed in the path to a file. -commit_msg_hook() { - scan_with_fn_or_die "scan" "$1" -} - -# Scans all files that are about to be committed. -pre_commit_hook() { - SCAN_CACHED=1 - local files=() file found_match=0 rev="4b825dc642cb6eb9a060e54bf8d69288fbee4904" - # Diff against HEAD if this is not the first commit in the repo. 
- git rev-parse --verify HEAD >/dev/null 2>&1 && rev="HEAD" - # Filter out deleted files using --diff-filter - while IFS= read -r file; do - [ -n "$file" ] && files+=("$file") - done <<< "$(git diff-index --diff-filter 'ACMU' --name-only --cached $rev --)" - scan_with_fn_or_die "scan" "${files[@]}" -} - -# Determines if merging in a commit will introduce tainted history. -prepare_commit_msg_hook() { - case "$2,$3" in - merge,) - local git_head=$(env | grep GITHEAD) # e.g. GITHEAD_=release/1.43 - local sha="${git_head##*=}" # Get just the SHA - local branch=$(git symbolic-ref HEAD) # e.g. refs/heads/main - local dest="${branch#refs/heads/}" # cut out "refs/heads" - git log "${dest}".."${sha}" -p | scan_with_fn_or_die "scan" - - ;; - esac -} - -install_hook() { - local path="$1" hook="$2" cmd="$3" dest - # Determines the approriate path for a hook to be installed - if [ -d "${path}/hooks/${hook}.d" ]; then - dest="${path}/hooks/${hook}.d/git-secrets" - else - dest="${path}/hooks/${hook}" - fi - [ -f "${dest}" ] && [ "${FORCE}" -ne 1 ] \ - && die "${dest} already exists. 
Use -f to force" - echo "#!/usr/bin/env bash" > "${dest}" - echo "git secrets --${cmd} -- \"\$@\"" >> "${dest}" - chmod +x "${dest}" - say "$(tput setaf 2)✓$(tput sgr 0) Installed ${hook} hook to ${dest}" -} - -install_all_hooks() { - install_hook "$1" "commit-msg" "commit_msg_hook" - install_hook "$1" "pre-commit" "pre_commit_hook" - install_hook "$1" "prepare-commit-msg" "prepare_commit_msg_hook" -} - -# Adds a git config pattern, ensuring to de-dupe -add_config() { - local key="$1"; shift - local value="$@" - if [ ${LITERAL} -eq 1 ]; then - value=$(sed 's/[\.|$(){}?+*^]/\\&/g' <<< "${value}") - fi - if [ ${GLOBAL} -eq 1 ]; then - git config --global --get-all $key | grep -Fq "${value}" && return 1 - git config --global --add "${key}" "${value}" - else - git config --get-all $key | grep -Fq "${value}" && return 1 - git config --add "${key}" "${value}" - fi -} - -register_aws() { - # Reusable regex patterns - local aws="(AWS|aws|Aws)?_?" quote="(\"|')" connect="\s*(:|=>|=)\s*" - local opt_quote="${quote}?" - add_config 'secrets.providers' 'git-secrets --aws-provider' - add_config 'secrets.patterns' '(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}' - add_config 'secrets.patterns' "${opt_quote}${aws}(SECRET|secret|Secret)?_?(ACCESS|access|Access)?_?(KEY|key|Key)${opt_quote}${connect}${opt_quote}[A-Za-z0-9/\+=]{40}${opt_quote}" - add_config 'secrets.patterns' "${opt_quote}${aws}(ACCOUNT|account|Account)_?(ID|id|Id)?${opt_quote}${connect}${opt_quote}[0-9]{4}\-?[0-9]{4}\-?[0-9]{4}${opt_quote}" - add_config 'secrets.allowed' 'AKIAIOSFODNN7EXAMPLE' - add_config 'secrets.allowed' "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" - - if [[ $? == 0 ]]; then - echo 'OK' - fi - - exit $? -} - -aws_provider() { - local fi="$1" - [ -z "$fi" ] && fi=~/.aws/credentials - # Find keys and ensure that special characters are escaped. 
- if [ -f $fi ]; then - awk -F "=" '/aws_access_key_id|aws_secret_access_key/ {print $2}' $fi \ - | tr -d ' "' \ - | sed 's/[]\.|$(){}?+*^]/\\&/g' - fi -} - -# Ensures that the command is what was expected for an option. -assert_option_for_command() { - local expected_command="$1" - local option_name="$2" - if [ "${COMMAND}" != "${expected_command}" ]; then - die "${option_name} can only be supplied with the ${expected_command} subcommand" - fi -} - -declare COMMAND="$1" FORCE=0 RECURSIVE=0 LITERAL=0 GLOBAL=0 ALLOWED=0 -declare SCAN_CACHED=0 SCAN_NO_INDEX=0 SCAN_UNTRACKED=0 - -# Shift off the command name -shift 1 -while [ "$#" -ne 0 ]; do - case "$1" in - -f) - assert_option_for_command "--install" "-f|--force" - FORCE=1 - ;; - -r) - assert_option_for_command "--scan" "-r|--recursive" - RECURSIVE=1 - ;; - -a) - assert_option_for_command "--add" "-a|--allowed" - ALLOWED=1 - ;; - -l) - assert_option_for_command "--add" "-l|--literal" - LITERAL=1 - ;; - --cached) - assert_option_for_command "--scan" "--cached" - SCAN_CACHED=1 - ;; - --no-index) - assert_option_for_command "--scan" "--no-index" - SCAN_NO_INDEX=1 - ;; - --untracked) - assert_option_for_command "--scan" "--untracked" - SCAN_UNTRACKED=1 - ;; - --global) GLOBAL=1 ;; - --) shift; break ;; - esac - shift -done - -# Ensure that recursive is not applied with mutually exclusive options. 
-if [ ${RECURSIVE} -eq 1 ]; then - if [ ${SCAN_CACHED} -eq 1 ] \ - || [ ${SCAN_NO_INDEX} -eq 1 ] \ - || [ ${SCAN_UNTRACKED} -eq 1 ]; - then - die "-r|--recursive cannot be supplied with --cached, --no-index, or --untracked" - fi -fi - -case "${COMMAND}" in - -h|--help|--) "$0" -h; exit 0 ;; - --add-provider) add_config "secrets.providers" "$@" ;; - --register-aws) register_aws ;; - --aws-provider) aws_provider "$1" ;; - --commit_msg_hook|--pre_commit_hook|--prepare_commit_msg_hook) - ${COMMAND:2} "$@" - ;; - --add) - if [ ${ALLOWED} -eq 1 ]; then - add_config "secrets.allowed" "$1" - else - add_config "secrets.patterns" "$1" - fi - ;; - --scan) scan_with_fn_or_die "scan" "$@" ;; - --scan-history) scan_with_fn_or_die "scan_history" "$@" ;; - --list) - if [ ${GLOBAL} -eq 1 ]; then - git config --global --get-regex secrets.* - else - git config --get-regex secrets.* - fi - ;; - --install) - DIRECTORY="$1" - if [ -z "${DIRECTORY}" ]; then - DIRECTORY=$(git rev-parse --git-dir) || die "Not in a Git repository" - elif [ -d "${DIRECTORY}"/.git ]; then - DIRECTORY="${DIRECTORY}/.git" - fi - mkdir -p "${DIRECTORY}/hooks" || die "Could not create dir: ${DIRECTORY}" - install_all_hooks "${DIRECTORY}" - ;; - *) echo "Unknown option: ${COMMAND}" && "$0" -h ;; -esac diff --git a/tools/nhsd-git-secrets/gitSecretsExample.Jenkinsfile b/tools/nhsd-git-secrets/gitSecretsExample.Jenkinsfile deleted file mode 100644 index f249760f..00000000 --- a/tools/nhsd-git-secrets/gitSecretsExample.Jenkinsfile +++ /dev/null 
@@ -1,39 +0,0 @@ -pipeline { - - agent { - label 'jenkins-slave' - } - - options { - disableConcurrentBuilds() - buildDiscarder(logRotator(numToKeepStr: '15')) - } - - stages { - - stage("Scan Commit") { - steps { - script { - dir ("nhsd-git-secrets"){ - // Temporary '|| true' to stop pipeline failing, remove once detected secrets have been removed - sh ("./scan-repo-linux-mac.sh || true") - } - } - } - } - - // Disabled by default - this may take a few minutes to run - // stage("Scan git history") { - // steps { - // script { - // dir ("nhsd-git-secrets"){ - // sh ("./full-history-scan.sh") - // } - // } - // } - // } - - } - - -} diff --git a/tools/nhsd-git-secrets/install-linux.sh b/tools/nhsd-git-secrets/install-linux.sh deleted file mode 100755 index 0ead5408..00000000 --- a/tools/nhsd-git-secrets/install-linux.sh +++ /dev/null @@ -1,32 +0,0 @@ -#!/bin/bash -echo "[1/5] Cloning Git Secrets" -installPath="$HOME/git-secrets-temp" -if [ -d "$installPath" ]; -then - echo "Git secrets already cloned" -else - git clone https://github.com/awslabs/git-secrets.git $installPath -fi - -echo "" && echo "[2/5] Installing Git Secrets and Adding to PATH" -pushd $installPath -make install PREFIX="$HOME/git-secrets" -echo 'export PATH="$HOME/git-secrets/bin":$PATH' >> ~/.bashrc -source ~/.bashrc -popd - -echo "" && echo "[3/5] Adding Git Hooks" -git-secrets --install -f - -echo "" && echo "[4/5] Removing Temp Git Secrets Repo" -rm -rf $installPath - -echo "" && echo "[5/5] Updating Pre-Commit Hook" -projectRoot=$(dirname $PWD) -preCommitHook="$projectRoot/.git/hooks/pre-commit" -hookScript="nhsd-git-secrets/pre-commit.sh" -replaceString='git secrets --pre_commit_hook -- "$@"' -sed -i -e "s,$replaceString,./$hookScript," "$preCommitHook" -chmod +x "$projectRoot/$hookScript" - -echo "" && echo "Git Secrets Installation Complete" diff --git a/tools/nhsd-git-secrets/install-windows.ps1 b/tools/nhsd-git-secrets/install-windows.ps1 deleted file mode 100644 index 2ac2b8fb..00000000 
--- a/tools/nhsd-git-secrets/install-windows.ps1 +++ /dev/null @@ -1,55 +0,0 @@ -Write-Host "[1/6] Cloning Git Secrets" -$installPath = $($Env:USERPROFILE + "\git-secrets-temp") -if (-not (Test-Path $installPath)) -{ - git clone https://github.com/awslabs/git-secrets.git $installPath -} -else -{ - Write-Host "Git secrets already cloned" -} - -Write-Host "`n[2/6] Installing Git Secrets" -Push-Location $installPath -& ".\install.ps1" -Pop-Location - -Write-Host "`n[3/6] Adding Git Hooks" -git secrets --install - -Write-Host "`n[4/6] Removing Temp Git Secrets Repo" -Remove-Item $installPath -Recurse -Force - -Write-Host "`n[5/6] Adding Git Bash to PATH" -Write-Host "Checking if git bash already exists in path..." -$currentPath = [Environment]::GetEnvironmentVariable("PATH", "User") -$gitInstallDirectory = "C:\Program Files\Git\bin" -if ($currentPath -notlike "*$gitInstallDirectory*") -{ - Write-Host "Adding to path..." - $newPath = $currentPath - if (-not ($newPath.EndsWith(";"))) - { - $newPath = $newPath + ";" - } - $newPath = $newPath + $gitInstallDirectory - [Environment]::SetEnvironmentVariable("PATH", $newPath, "User") - Write-Host "Added to path" -} -else -{ - Write-Host "Already in Path" -} - -Write-Host "`n[6/6] Updating Pre-Commit Hook" -$projectRoot = Split-Path -Path $PSScriptRoot -Parent -$preCommitHook = $projectRoot + '\.git\hooks\pre-commit' -(Get-Content $preCommitHook) | ForEach-Object { - if ($_.ReadCount -eq 2) { - $_ -replace '^.*$','./nhsd-git-secrets/pre-commit.sh' - } else { - $_ - } -} | Set-Content $preCommitHook - -Write-Host "`nGit Secrets Installation Complete" \ No newline at end of file diff --git a/tools/nhsd-git-secrets/nhsd-git-secrets.dockerfile b/tools/nhsd-git-secrets/nhsd-git-secrets.dockerfile deleted file mode 100644 index 2a6c3cec..00000000 --- a/tools/nhsd-git-secrets/nhsd-git-secrets.dockerfile +++ /dev/null 
@@ -1,60 +0,0 @@ -################################################################################### -# -# Uses git secrets scanner to scan raw source code for secrets -# Same framework in the nhsd-git-secrets folder, but wrapped up in a docker image -# -# How to use: -# 1. Create yourself a ".gitallowed" file in the root of your project. -# 2. Add an allowed patterns to there -# 3. Add an additional providers that you want to use - uses AWS by default -# 4. "docker build" this docker file as part of your pipeline -# -# What is does: -# 1. Copies your source code into a docker image -# 2. Downloads latest version of the secret scanner tool -# 3. Downloads latest regex patterns from software-engineering-quality-framework -# 4. Runs a scan -# -################################################################################## - -FROM ubuntu:latest - -RUN echo "Installing required modules" -RUN apt-get update -RUN apt-get -y install curl git build-essential - -# By default, we copy the entire project into the dockerfile for secret scanning -# Tweak that COPY if you only want some of the source -RUN echo "Copying source files" -WORKDIR /secrets-scanner -COPY . 
source -RUN ls -l source - -RUN echo "Downloading secrets scanner" -RUN curl https://codeload.github.com/awslabs/git-secrets/tar.gz/master | tar -xz --strip=1 git-secrets-master - -RUN echo "Installing secrets scanner" -RUN make install - -# even though running secrets scanner on a folder, must still be in some kind of git repo -# for the git-secrets config to attach to something -# so init an empty git repo here -RUN echo "Configuring git" -WORKDIR /secrets-scanner/source -RUN git init - -RUN echo "Downloading regex files from engineering-framework" -RUN curl https://codeload.github.com/NHSDigital/software-engineering-quality-framework/tar.gz/main | tar -xz --strip=3 software-engineering-quality-framework-main/tools/nhsd-git-secrets/nhsd-rules-deny.txt - -RUN echo "Copying allowed secrets list" -COPY .gitallowed . -RUN echo .gitallowed - -# Register additional providers: adds AWS by default -RUN echo "Configuring secrets scanner" -RUN /secrets-scanner/git-secrets --register-aws -RUN /secrets-scanner/git-secrets --add-provider -- cat nhsd-rules-deny.txt - -# build will fail here, if secrets are found -RUN echo "Running scan..." -RUN /secrets-scanner/git-secrets --scan -r . diff --git a/tools/nhsd-git-secrets/nhsd-rules-deny.txt b/tools/nhsd-git-secrets/nhsd-rules-deny.txt deleted file mode 100644 index d3d970f8..00000000 --- a/tools/nhsd-git-secrets/nhsd-rules-deny.txt +++ /dev/null 
@@ -1,21 +0,0 @@ -https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8,12}/[a-zA-Z0-9_]{24} -amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} -ghp_[0-9a-zA-Z]{36} -gho_[0-9a-zA-Z]{36} -(ghu|ghs)_[0-9a-zA-Z]{36} -ghr_[0-9a-zA-Z]{76} -xox[baprs]-([0-9a-zA-Z]{10,48})? ------BEGIN\ ((EC|PGP|DSA|RSA|OPENSSH)\ )?PRIVATE KEY( BLOCK)?----- -AIza[0-9A-Za-z\\-_]{35} -'"type": "service_account"' -[a-z]{2}-[a-z-]*-[1,2,3]\.rds\.amazonaws\.com -rds\.[a-z]{2}-[a-z-]*-[1,2,3]\.amazonaws\.com -dynamodb\.[a-z]{2}-[a-z-]*-[1,2,3]\.amazonaws\.com -[a-z]{2}-[a-z-]*-[1,2,3]\.es\.amazonaws\.com -[a-z]*[1-3]\.cache\.amazonaws\.com ------BEGIN[[:blank:]]CERTIFICATE----- -[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4} -[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} -(CLIENT|client|Client)(_|\s)(SECRET|secret|Secret)\s*(:|=>|=)\s*("|')?(\{)?[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}(\})?("|')? -password\s*(=|:)\s*.+ -token\s*(=|:)\s*.+ diff --git a/tools/nhsd-git-secrets/pre-commit-mac.sh b/tools/nhsd-git-secrets/pre-commit-mac.sh deleted file mode 100755 index 456aa0d6..00000000 --- a/tools/nhsd-git-secrets/pre-commit-mac.sh +++ /dev/null @@ -1,9 +0,0 @@ -#!/usr/bin/env bash - -# Note that this will be invoked by the git hook from the repo root, so cd .. isn't required - -# These only need to be run once per workstation but are included to try and ensure they are present -./git-secrets --add-provider -- cat nhsd-git-secrets/nhsd-rules-deny.txt - -# Just scan the files changed in this commit -./git-secrets --pre_commit_hook diff --git a/tools/nhsd-git-secrets/pre-commit.sh b/tools/nhsd-git-secrets/pre-commit.sh deleted file mode 100755 index 225f47dd..00000000 --- a/tools/nhsd-git-secrets/pre-commit.sh +++ /dev/null 
@@ -1,9 +0,0 @@ -#!/usr/bin/env bash - -# Note that this will be invoked by the git hook from the repo root, so cd .. isn't required - -# These only need to be run once per workstation but are included to try and ensure they are present -./nhsd-git-secrets/git-secrets --add-provider -- cat nhsd-git-secrets/nhsd-rules-deny.txt - -# Just scan the files changed in this commit -./nhsd-git-secrets/git-secrets --pre_commit_hook diff --git a/tools/nhsd-git-secrets/scan-repo-linux-mac.sh b/tools/nhsd-git-secrets/scan-repo-linux-mac.sh deleted file mode 100755 index e06d74fc..00000000 --- a/tools/nhsd-git-secrets/scan-repo-linux-mac.sh +++ /dev/null @@ -1,12 +0,0 @@ -#!/usr/bin/env bash - -cd .. - -export PATH=$PATH:. - -# # These only need to be run once per workstation/slave/agent but are included to try and ensure they are present -./git-secrets --register-aws -./git-secrets --add-provider -- cat nhsd-git-secrets/nhsd-rules-deny.txt - -# Scan all files within this repo for this commit -./git-secrets --scan
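Review bot: In the tools/nhsd-git-secrets/git-secrets hunk, deleting the vendored script leaves every hook that `install_all_hooks` wrote pointing at a command that no longer exists: each of `.git/hooks/commit-msg`, `pre-commit` and `prepare-commit-msg` contains `git secrets --<hook> -- "$@"`, so once the script and any PATH entry for it are gone, git reports that `secrets` is not a git command and the hook's non-zero exit blocks every commit. Please pair the removal with a short uninstall step (delete or overwrite those three hook files, and `git config --unset-all secrets.patterns`, `secrets.allowed` and `secrets.providers` for anyone who ran `--register-aws` or `--add-provider`) so developers are not stuck after pulling this change.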
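Review bot: In the gitSecretsExample.Jenkinsfile hunk, the deleted stage ran the scan as `sh ("./scan-repo-linux-mac.sh || true")`, so findings never failed the build; whatever replaces this stage should not carry the `|| true` over, otherwise a detected secret still does not break the pipeline. Any live Jenkins job that still does `dir ("nhsd-git-secrets")` into this folder will now fail at that step and needs updating in the same change.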
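Review bot: In the install-linux.sh hunk, the removed installer made persistent changes that this deletion does not undo: it appended `export PATH="$HOME/git-secrets/bin":$PATH` to `~/.bashrc`, installed into `$HOME/git-secrets`, and used `sed` to rewrite `.git/hooks/pre-commit` so that it runs `./nhsd-git-secrets/pre-commit.sh`, a path that is deleted later in this patch. A line in the replacement guidance telling workstation users to remove the `.bashrc` entry, the `$HOME/git-secrets` directory and the rewritten hook would avoid every commit failing with a missing-file error.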
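Review bot: In the install-windows.ps1 hunk, the removed script wrote `C:\Program Files\Git\bin` into the user-scope PATH via `[Environment]::SetEnvironmentVariable("PATH", $newPath, "User")` and replaced line 2 of `.git\hooks\pre-commit` with `./nhsd-git-secrets/pre-commit.sh`; neither is reverted by deleting the script. The PATH entry is harmless to leave, but the hook now points at a file this patch deletes, so the Windows section of the new guidance should cover removing or reinstalling that hook.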
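Review bot: In the nhsd-git-secrets.dockerfile hunk, the image fetched its rules at build time with `curl https://codeload.github.com/NHSDigital/software-engineering-quality-framework/tar.gz/main | tar -xz --strip=3 software-engineering-quality-framework-main/tools/nhsd-git-secrets/nhsd-rules-deny.txt`, i.e. from the `main` branch of this repository rather than from a pinned copy. Any team that copied this Dockerfile into its own pipeline will start failing at that `RUN` as soon as the patch merges, because `nhsd-rules-deny.txt` is deleted further down in the same patch; worth stating in the change description so downstream users see a migration note rather than an opaque tar error.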
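Review bot: In the nhsd-rules-deny.txt hunk, the pattern list is removed without a visible replacement for its organisation-specific rules. Whether the replacement tooling's defaults cover the Slack webhook, GitHub token, AWS key and `-----BEGIN ... PRIVATE KEY-----` patterns needs checking, and the custom ones (the RDS, DynamoDB, Elasticsearch and ElastiCache hostname patterns, the IPv4 and IPv6 literals, the client-secret GUID rule, and the catch-all `password\s*(=|:)\s*.+` and `token\s*(=|:)\s*.+` rules) need an explicit decision: carry them over as custom rules or state that they are intentionally dropped (the IPv4 rule matched any dotted quad, so reconsidering it is reasonable).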