GitGuardian / ggshield

Find and fix 400+ types of hardcoded secrets and 70+ types of infrastructure-as-code misconfigurations.
https://gitguardian.com
MIT License

Document or create a configuration option to select hooked repositories globally #196

Open Gby56 opened 2 years ago

Gby56 commented 2 years ago

Is your feature request related to a problem? Please describe.
This is more of a question first, but maybe there is an improvement to be done: is there a simple way to configure the global git pre-commit hook to only trigger on specific repository names? Wildcard support would be appreciated 😎 It would be nice to have a config file, but doing it through the API would be better, to remotely enforce checks on all company laptops etc.

Describe the solution you'd like
Something like a .config/gitguardian.yml config file where we would configure properties like:

precommit.scan.allowlist = *
precommit.scan.ignorelist = *test-repo*

Describe alternatives you've considered
You can configure hooks per repository, but it's not sustainable; it would be great to define an Org-level list of repositories where pre-commit is enabled and disabled. Kudos if GGShield can fetch that configuration option from the API directly, meaning that the Org can just roll out the pre-commit hook, then configure it remotely too.


Gby56 commented 2 years ago

Seems that the config doc page has no notion of a "global config" at the tool level; it's more of a scanning config, not a "usage of the tool" config: https://docs.gitguardian.com/internal-repositories-monitoring/gg_shield/configuration

agateau-gg commented 2 years ago

Hi, that is an interesting question! Have you looked into using https://pre-commit.com/ as an alternative to the global hook? ggshield supports it, so you can configure it (and other tools) in all supported repositories.

Gby56 commented 2 years ago

Hi @agateau-gg! I left a comment on https://github.com/pre-commit/pre-commit/issues/281, but I believe this really is not yet supported. I don't want to add "yet another .config file" in all the repositories, just a global local config, and tell it to not scan some repositories 🤔

Gby56 commented 2 years ago

No luck, seems like pre-commit is not maintained 😢 I found a simple way to create a global git hook pre-commit denylist anyway. It would definitely be improved with wildcard support; even better, I could fetch some random API to get the denylist, but that'd be nice to have directly in a GG API 😎

```sh
# Global git pre-commit hook: skip the scan for repositories listed in a denylist.
# Note: cut -f 4,5 only yields "owner/repo" for https:// remote URLs.
REPONAME=$(git config --get remote.origin.url | cut -d '/' -f 4,5)
echo "pre-commit author is deaf"
echo "Current repository is $REPONAME"

# grep -q prints nothing, so capturing its output in a variable always yields an
# empty string; test its exit status directly instead.
if grep -Fxq "$REPONAME" ~/.config/gitguardian/denylist.txt
then
    echo "$REPONAME is not going to be scanned"
else
    echo "$REPONAME is going to be scanned"
fi
```

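
The same idea carried through with the wildcard support asked for above, as an added example (not Gby56's hook and not ggshield's own code): a global hook for `core.hooksPath` that matches "owner/repo" against glob patterns in a denylist and an optional allowlist before handing off to `ggshield secret scan pre-commit`. The file locations, the GG_ALLOWLIST/GG_DENYLIST variables and the precedence policy (denylist wins; no allowlist file means scan everything) are assumptions.

```shell
#!/bin/sh
# Global git pre-commit hook (installed via `git config --global core.hooksPath`)
# that consults a per-user allowlist/denylist of glob patterns before running
# ggshield. File locations, env var names and the precedence policy are assumptions.
ALLOWLIST="${GG_ALLOWLIST:-$HOME/.config/gitguardian/allowlist.txt}"
DENYLIST="${GG_DENYLIST:-$HOME/.config/gitguardian/denylist.txt}"

# Reduce an origin URL to "owner/repo" for both https:// and scp-like ssh forms.
repo_name() {
  url="${1%.git}"
  case "$url" in
    *://*) printf '%s\n' "${url#*://*/}" ;;   # https://host/owner/repo
    *@*:*) printf '%s\n' "${url#*:}" ;;       # git@host:owner/repo
    *)     printf '%s\n' "$url" ;;
  esac
}

# Succeed if $1 matches any glob pattern line in file $2 (blank and # lines skipped).
matches_any() {
  name="$1" file="$2"
  [ -r "$file" ] || return 1
  while IFS= read -r pat || [ -n "$pat" ]; do
    case "$pat" in ''|'#'*) continue ;; esac
    case "$name" in $pat) return 0 ;; esac   # unquoted $pat: glob match
  done < "$file"
  return 1
}

# Policy: a denylist hit always wins; if an allowlist file exists the repo must
# match it; no allowlist file means every repository is scanned.
should_scan() {
  if matches_any "$1" "$DENYLIST"; then return 1; fi
  if [ -r "$ALLOWLIST" ] && ! matches_any "$1" "$ALLOWLIST"; then return 1; fi
  return 0
}

main() {
  name=$(repo_name "$(git config --get remote.origin.url 2>/dev/null)")
  if should_scan "$name"; then
    echo "ggshield: scanning $name"
    exec ggshield secret scan pre-commit "$@"
  fi
  echo "ggshield: $name is excluded by policy, skipping scan"
}

# Only run the hook logic when executed as the hook file itself (named pre-commit).
case "${0##*/}" in pre-commit) main "$@" ;; esac
```

Save it as `pre-commit` in the directory pointed to by `core.hooksPath`; a missing or unreadable remote URL yields an empty name, which falls through to scanning rather than silently skipping.
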
agateau-gg commented 2 years ago

Great to hear you found an alternative solution! Going to forward your request internally, to see if this is something we want to tackle.

Gby56 commented 2 years ago

Cool! It would be a nice feature, yeah. You could even handle deeper configuration options per repository/team in theory; this is just simple filtering.

agateau-gg commented 2 years ago

Got some feedback: this is likely going to be integrated as part of some ongoing work we are doing to improve the global configuration. I can't give you an ETA though, so let's just keep this issue open for now.