cloud-gov / caulking

Prevent leaks with gitleaks, and use tests to validate

Pin gitleaks to version 7.6.1 to give us time to update to the 8.x releases (12/21) #56

Closed ccostino closed 2 years ago

ccostino commented 2 years ago

A new version of gitleaks has been released to bring it to version 8.0.0 (now at 8.1.1 at the time of this writing), which brings some breaking changes with it to our current setup.

Specifically, when I go to commit a series of changes now, gitleaks will error out due to an unknown flag, --unstaged. This flag was removed in the newest versions of the tool and appears to have been replaced/incorporated into a new protect subcommand.

It looks like the line we need to change is line 17 in our pre-commit shell script, but I suspect we'll have to do a bit more than just swap a flag with a subcommand. It looks like some of the flags/options may have changed as well according to the Usage section of the README in the latest release.

It also looks like the new version (8.1.1) ignores gitleaks.toml by default; I'm not sure if this will have any impact, either, since I see it referenced in our script as well.

The alternative is to pin our version again to a known working version for us (I believe that would be 7.6.1 - though it looks like we try and pin to 7.2.1) until we have time to come back to this.

pburkholder commented 2 years ago

Version pinning generally doesn't work with brew -- so we'd need to specify a release from GitHub downloads. This could be OK as we could then also checksum the file (or check the signature, if there is one).

bengerman13 commented 2 years ago

If we install outside of brew, it'd also mean we can install caulking without admin rights on our machines, which is a huge plus, IMO.

ccostino commented 2 years ago

FYI that gitleaks is now at 8.1.1. It's also looking like this might be more critical to fix given that this has to work for us, and the next time anyone runs an install of it it's going to pull the latest version, breaking the caulking script. I now can't commit with it installed, for instance.

ccostino commented 2 years ago

I think I have this mostly worked out for downloading the 7.6.1 release from GitHub, but I am unsure of the checksum or signature checking part. @pburkholder I can start a draft PR with what I have so far to work off of, or if you have time to pair a bit on this I'd appreciate it. Thanks!
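As an added example (not caulking's own install script or PR #57), here is a shell sketch of the pin-and-verify approach pburkholder suggests above and ccostino is working toward: fetch one pinned release asset from GitHub and refuse to install it unless its SHA-256 matches a digest recorded in the repo. The release asset naming, the repository path and the placeholder digest are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not caulking's script. Pins gitleaks to one release and
# verifies the downloaded binary against a recorded SHA-256 before install.
set -euo pipefail

GITLEAKS_VERSION="7.6.1"
# Placeholder: record the digest of the asset after verifying it once by hand.
GITLEAKS_SHA256="<sha256-of-verified-release-asset>"

# Portable SHA-256: macOS ships shasum, most Linux distros ship sha256sum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Returns 0 when the file's digest equals the expected one (hex, case-insensitive).
verify_sha256() {
  local file="$1" expected="$2" actual
  actual="$(sha256_of "$file")"
  [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" = \
    "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]
}

# Download the pinned asset to a temp file, verify it, then install to $dest.
# Installing under $HOME (e.g. ~/bin) avoids needing admin rights.
install_pinned_gitleaks() {
  local dest="$1" os arch asset url tmp
  os="$(uname -s | tr '[:upper:]' '[:lower:]')"   # darwin or linux
  arch="$(uname -m)"; [ "$arch" = "x86_64" ] && arch="amd64"
  asset="gitleaks-${os}-${arch}"                   # assumed asset naming
  url="https://github.com/zricethezav/gitleaks/releases/download/v${GITLEAKS_VERSION}/${asset}"
  tmp="$(mktemp)"
  curl -fsSL "$url" -o "$tmp"
  if ! verify_sha256 "$tmp" "$GITLEAKS_SHA256"; then
    echo "checksum mismatch for ${asset} v${GITLEAKS_VERSION}; refusing to install" >&2
    rm -f "$tmp"
    return 1
  fi
  install -m 0755 "$tmp" "$dest"
  rm -f "$tmp"
}
```

A pre-commit hook can then call the pinned binary by its absolute path and check `gitleaks --version` equals `GITLEAKS_VERSION`, so a later `brew upgrade` cannot silently swap in a release with different flags.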

ccostino commented 2 years ago

I did start some preliminary work to get things working with the latest release and I think I figured out that path forward as well, but it looks like a lot of the tests will need to be updated, or some other config option(s) toggled that I missed and am unaware of.

ccostino commented 2 years ago

FYI that gitleaks has already updated to 8.2.1.

ccostino commented 2 years ago

A PR is now in place! Thanks, @pburkholder.

https://github.com/cloud-gov/caulking/pull/57

ccostino commented 2 years ago

PR is merged! We'll revisit gitleaks in the near future to get it fully updated.