Azure / ResourceModules

This repository includes a CI platform for and collection of mature and curated Bicep modules. The platform supports both ARM and Bicep and can be leveraged using GitHub actions as well as Azure DevOps pipelines.
https://aka.ms/carml
MIT License

[Feature Request]: Add credential scanning to the CICD process #2393

Open akata72 opened 1 year ago

akata72 commented 1 year ago

Description

It would have been nice to add some mechanism for secret scanning to the CICD setup, both on the GitHub and ADO side.

fblix commented 1 year ago

Integrated a sample over here: https://github.com/fblix/ResourceModules/actions/runs/3601328513

Next step would be to check the baseline file if all of the findings really are false-positives.

The baseline file location under /utilities/pipelines/credscan is still up for discussion. This is the included logic (will also be present on the associated branch):

name: '.Platform: RunCredScan'

on:
  workflow_dispatch:
  pull_request:
    branches:
      - main

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Install detect-secrets using pip
        run: pip install detect-secrets

      - name: Run detect-secrets tool
        run: |
          detect-secrets --version
          cp utilities/pipelines/credScan/.secrets.baseline .secrets.current
          detect-secrets scan --baseline .secrets.current $(find . -type f ! -name '.secrets.*' ! -path '*/.git*' ! -name 'readme.md')
          ls

      - name: Upload Secret Baseline as Artifact
        uses: actions/upload-artifact@v2
        with:
          name: secret-baseline
          path: utilities/pipelines/credScan/.secrets.baseline

      - name: Upload Findings from current run as Artifact
        uses: actions/upload-artifact@v2
        with:
          name: secret-current-run
          path: .secrets.current

      - name: Compare Results
        run: |
          # One "<file>,<line>" row per finding, sorted so the two lists diff cleanly
          list_secrets() { jq -r '.results | keys[] as $key | "\($key),\(.[$key] | .[] | .line_number)"' "$1" | sort; }

          # Any row present in the current run but not in the committed baseline fails the job
          if ! diff <(list_secrets utilities/pipelines/credScan/.secrets.baseline) <(list_secrets .secrets.current) >&2; then
            echo "Detected new secrets in the repo" >&2
            exit 1
          fi
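The `Compare Results` step above diffs `<file>,<line>` rows, so a known finding that merely shifts a few lines after an unrelated edit shows up as a change, and nothing checks whether the entries in the baseline have actually been audited (the follow-up step mentioned in the comment). The script below is an added example, not part of the ResourceModules repository or of the workflow posted above. It reads two documents in the detect-secrets baseline JSON layout (sample contents constructed inline, with fake hashes and illustrative file paths), keys each finding on file, plugin type and hashed secret instead of line number, and returns the exit code a CI step would use, flagging new findings, baseline entries audited as real secrets, and baseline entries nobody has reviewed yet.

```python
"""Compare a detect-secrets baseline against a fresh scan and gate a CI job on it.

Added example; not part of the ResourceModules repository or the posted workflow.
"""
import json
from typing import Dict, List, Tuple

# A finding is identified by (filename, plugin type, hashed_secret). Line numbers
# are deliberately left out of the key, so edits above a known finding do not
# register as a "new" secret the way a line-number diff does.
Finding = Tuple[str, str, str]

# Constructed sample baseline in the detect-secrets JSON layout (hashes are fake,
# paths are illustrative). The first entry has been audited as a false positive;
# the second has not been audited at all (no "is_secret" field).
BASELINE_JSON = """{
  "version": "1.4.0",
  "results": {
    "modules/storage/main.bicep": [
      {"type": "Secret Keyword", "filename": "modules/storage/main.bicep",
       "hashed_secret": "aaaa1111", "line_number": 10, "is_secret": false}
    ],
    "modules/network/readme.md": [
      {"type": "Hex High Entropy String", "filename": "modules/network/readme.md",
       "hashed_secret": "cccc3333", "line_number": 40}
    ]
  }
}"""

# Constructed sample of a fresh scan: the audited finding moved to line 14, the
# readme finding is unchanged, and a new finding appeared in a test file.
CURRENT_JSON = """{
  "version": "1.4.0",
  "results": {
    "modules/storage/main.bicep": [
      {"type": "Secret Keyword", "filename": "modules/storage/main.bicep",
       "hashed_secret": "aaaa1111", "line_number": 14, "is_secret": false}
    ],
    "modules/network/readme.md": [
      {"type": "Hex High Entropy String", "filename": "modules/network/readme.md",
       "hashed_secret": "cccc3333", "line_number": 40}
    ],
    "modules/keyvault/.test/common/main.test.bicep": [
      {"type": "Azure Storage Account access key",
       "filename": "modules/keyvault/.test/common/main.test.bicep",
       "hashed_secret": "bbbb2222", "line_number": 3}
    ]
  }
}"""


def load_findings(baseline_text: str) -> Dict[Finding, dict]:
    """Flatten a baseline's "results" map into {finding_key: entry}."""
    data = json.loads(baseline_text)
    findings: Dict[Finding, dict] = {}
    for filename, entries in data.get("results", {}).items():
        for entry in entries:
            findings[(filename, entry["type"], entry["hashed_secret"])] = entry
    return findings


def new_findings(baseline_text: str, current_text: str) -> List[Finding]:
    """Findings present in the current scan but absent from the baseline."""
    baseline = load_findings(baseline_text)
    current = load_findings(current_text)
    return sorted(key for key in current if key not in baseline)


def unaudited_findings(baseline_text: str) -> List[Finding]:
    """Baseline entries that carry no is_secret verdict yet, i.e. nobody has
    confirmed they are false positives."""
    return sorted(key for key, entry in load_findings(baseline_text).items()
                  if "is_secret" not in entry)


def confirmed_secrets(baseline_text: str) -> List[Finding]:
    """Baseline entries explicitly audited as real secrets. A baseline must not
    carry these, because it would silence a live leak on every later run."""
    return sorted(key for key, entry in load_findings(baseline_text).items()
                  if entry.get("is_secret") is True)


def gate(baseline_text: str, current_text: str, fail_on_unaudited: bool = False) -> int:
    """Return the exit code a CI step should use: 0 = pass, 1 = block the change."""
    status = 0
    for key in new_findings(baseline_text, current_text):
        print(f"NEW       {key[0]} [{key[1]}] hash={key[2]}")
        status = 1
    for key in confirmed_secrets(baseline_text):
        print(f"REAL      {key[0]} [{key[1]}] audited as a real secret in baseline")
        status = 1
    for key in unaudited_findings(baseline_text):
        print(f"UNAUDITED {key[0]} [{key[1]}] baseline entry not yet reviewed")
        if fail_on_unaudited:
            status = 1
    return status


if __name__ == "__main__":
    raise SystemExit(gate(BASELINE_JSON, CURRENT_JSON))
```

Dropped into the workflow, it would replace the jq diff and read `utilities/pipelines/credScan/.secrets.baseline` and `.secrets.current` from disk instead of the inline samples. The `is_secret` labels it relies on are what `detect-secrets audit` writes into the baseline as a reviewer works through each finding, so `fail_on_unaudited=True` turns the "check the baseline file" follow-up into a gate of its own.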

akata72 commented 1 year ago

Thanks for the quick response. I assume we would need something similar on the ADO side, but potentially with a different set of tools/tasks.

fblix commented 1 year ago

We have a similar logic for ADO as well, got that one working as well. So it would be the same core tool that we utilize.