IBM / detect-secrets

An enterprise friendly way of detecting and preventing secrets in code.
Apache License 2.0

expose 2 redhat ubi containers #70

Closed tefiggins closed 2 years ago

tefiggins commented 2 years ago

expose 2 redhat ubi containers

detect-secrets-redhat-ubi-custom

tefiggins@tefigginss-MacBook-Pro detect-secrets % docker run  -it -a stdout --rm -v $(pwd):/code --env BASELINE=timtest.baseline  --env FAIL-ON-UNAUDITED=TRUE   git-defenders/detect-secrets-redhat-ubi-custom  
[ Starting Detect Secrets run ]

...using baseline: timtest.baseline
...skip scan with baseline update: false
...output json: false
...omit instructions: false
...fail on live: true
...fail on unaudited: true
...fail on audited real: true

Scanning code directory (docker volume mounted to /code) and updating baseline file timtest.baseline ... 

Running report: Baseline timtest.baseline - Options:  --fail-on-live --fail-on-unaudited --fail-on-audited-real

10 potential secrets in timtest.baseline were reviewed. Found 0 live secrets, 1 unaudited secret and 1 secret that was audited as real.

Failed Condition    Secret Type              Filename                                 Line
------------------  -----------------------  -------------------------------------  ------
Unaudited           Private Key              detect_secrets/plugins/private_key.py      52
Audited as real     Hex High Entropy String  docs/audit.md                              88

Failed conditions:

        - Unaudited secrets were found

                Run detect-secrets audit timtest.baseline, and audit all potential secrets.

        - Audited true secrets were found

                If any active secrets meet this condition, revoke them. Then, remove secrets that were audited as real from the codebase and run detect-secrets scan --update timtest.baseline to re-scan.

For additional help, run detect-secrets audit --help.

[ Ending Detect Secrets - run failed ]

detect-secrets-redhat-ubi

tefiggins@tefigginss-MacBook-Pro detect-secrets % docker run  -it -a stdout --rm -v $(pwd):/code  git-defenders/detect-secrets-redhat-ubi audit --report  --fail-on-unaudited --fail-on-audited-real  --fail-on-live  timtest.baseline

10 potential secrets in timtest.baseline were reviewed. Found 0 live secrets, 1 unaudited secret and 1 secret that was audited as real.

Failed Condition    Secret Type              Filename                                 Line
------------------  -----------------------  -------------------------------------  ------
Unaudited           Private Key              detect_secrets/plugins/private_key.py      52
Audited as real     Hex High Entropy String  docs/audit.md                              88

Failed conditions:

        - Unaudited secrets were found

                Run detect-secrets audit timtest.baseline, and audit all potential secrets.

        - Audited true secrets were found

                If any active secrets meet this condition, revoke them. Then, remove secrets that were audited as real from the codebase and run detect-secrets scan --update timtest.baseline to re-scan.

For additional help, run detect-secrets audit --help.

tefiggins@tefigginss-MacBook-Pro detect-secrets %
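The two sessions above differ only in how the fail conditions reach detect-secrets: the `-custom` image reads them from environment variables (`BASELINE`, `FAIL-ON-UNAUDITED`), while the plain image takes them directly as `detect-secrets audit --report` flags. As an added illustration, not the project's `run_in_pipeline.sh` and not code from this PR, the sketch below shows how a wrapper of that kind can map the environment interface onto the CLI flags. The function names (`getenv_or`, `is_true`, `build_audit_args`), the default baseline name `.secrets.baseline`, and the assumption that all three fail conditions default to true (matching the `...fail on ...: true` lines printed above) are assumptions of this example. One detail it handles deliberately: names such as `FAIL-ON-UNAUDITED` contain hyphens, which are not valid shell identifiers, so they cannot be read as `$FAIL-ON-UNAUDITED` and are looked up with `printenv` instead.

```shell
#!/bin/sh
# Added illustration only (not the project's run_in_pipeline.sh): translate an
# environment-variable interface into `detect-secrets audit --report` flags.
# Defaults and function names are assumptions of this example.

# Read an environment variable whose name may contain hyphens (e.g.
# FAIL-ON-UNAUDITED). Such names cannot be expanded with $NAME in sh, so
# printenv is used. Prints the second argument when the variable is unset
# or empty.
getenv_or() {
    val=$(printenv "$1" 2>/dev/null) || val=""
    if [ -z "$val" ]; then
        printf '%s' "$2"
    else
        printf '%s' "$val"
    fi
}

# Normalise TRUE / True / true / 1 / yes to "true"; anything else is false.
is_true() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        true|1|yes) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the argument list for `detect-secrets audit --report` from the
# environment. Flag order matches the "Options:" line printed by the report.
# Assumed defaults: every fail condition on, baseline ".secrets.baseline".
build_audit_args() {
    baseline=$(getenv_or BASELINE .secrets.baseline)
    args="audit --report"
    if is_true "$(getenv_or FAIL-ON-LIVE TRUE)"; then
        args="$args --fail-on-live"
    fi
    if is_true "$(getenv_or FAIL-ON-UNAUDITED TRUE)"; then
        args="$args --fail-on-unaudited"
    fi
    if is_true "$(getenv_or FAIL-ON-AUDITED-REAL TRUE)"; then
        args="$args --fail-on-audited-real"
    fi
    printf '%s %s' "$args" "$baseline"
}

# Example invocation (constructed): with BASELINE=timtest.baseline and no
# FAIL-ON-* variables set, this prints
#   audit --report --fail-on-live --fail-on-unaudited --fail-on-audited-real timtest.baseline
# A wrapper would then run: detect-secrets $(build_audit_args)
```

Because `is_true` treats anything other than `true`/`1`/`yes` as false, a misspelled value such as `FAIL-ON-UNAUDITED=ture` silently disables that check; a wrapper used in CI should log the resolved options, as the `-custom` image does with its `...fail on ...` lines, so that a disabled condition is visible in the pipeline output.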
tefiggins commented 2 years ago

In other words decided to expose the stepping stone container -- renaming it from cil-redhat-ubi to detect-secrets-redhat-ubi (and allowing direct access to detect secrets) and renaming the original detect-secrets-redhat-ubi to detect-secrets-redhat-ubi-custom (this one uses run_in_pipeline.sh and Env Vars now)