ezekg / git-hound

Git plugin that prevents sensitive data from being committed.
MIT License

Running git-hound in Azure Pipelines issue #12

Closed joshjohanning closed 3 years ago

joshjohanning commented 3 years ago

Scenario:

Want to embed git-hound into a Pipeline in order to fail the build if any secrets are checked into source control

Usage:

steps:
- script: |
    go get github.com/ezekg/git-hound
    sudo ln -sf ~/go/bin/git-hound /usr/local/bin/git-hound
  displayName: 'install git-hound'

- script: |
    git-hound sniff
  displayName: run git-hound

Error:

...well there is no error. It just hangs here and doesn't run anything.

Workaround*:

steps:
- script: |
    go get github.com/ezekg/git-hound
    sudo ln -sf ~/go/bin/git-hound /usr/local/bin/git-hound
  displayName: 'install git-hound'

- script: |
    git log -p | git-hound sniff
  displayName: run git-hound

*This works, but it pipes in all of the history. The scenario I was looking to use git-hound for was to only fail the build if there are any secrets CURRENTLY checked into source control (disregarding all the history that git log -p provides).

What I'm really trying to figure out is why nothing happens when running git-hound sniff in the pipeline and only works when git log -p is piped to it.

ezekg commented 3 years ago

Deleted my previous comment, as I was misremembering how git hound sniff functioned. Can you let me know if this git command produces any output? It should print a diff for the contents of every file in your repo.

git diff 4b825dc642cb6eb9a060e54bf8d69288fbee4904 --staged

joshjohanning commented 3 years ago

This works 100%, @ezekg. Great tip!

The command that runs in the pipeline now is: git diff 4b825dc642cb6eb9a060e54bf8d69288fbee4904 --staged | git-hound sniff
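The working command above relies on one non-obvious fact: 4b825dc642cb6eb9a060e54bf8d69288fbee4904 is the SHA-1 of Git's empty tree object, so diffing it against the index emits the full contents of every tracked file as added lines, with no history involved. The following POSIX shell script is an added example, not code from the git-hound project or from either commenter: it recomputes that constant to show where it comes from, wraps the diff in a function, and feeds it to a scanner command. The scanner defaults to `git-hound sniff` and the script assumes (as the thread does) that the scanner exits non-zero when it flags something, so the pipeline step fails.

```shell
#!/usr/bin/env sh
# Added example (not part of the git-hound project): scan only the files
# present in the current checkout, not the repository history, by diffing
# the empty tree against the index and piping that diff into a scanner.
set -eu

# Git's empty tree is the object "tree 0\0" with no entries. Its SHA-1 is
# fixed, which is why the hash in the thread can be hard-coded; recomputing
# it here makes the magic number explainable in a code review.
empty_tree_hash() {
    if command -v sha1sum >/dev/null 2>&1; then
        printf 'tree 0\0' | sha1sum
    else
        printf 'tree 0\0' | shasum -a 1
    fi | cut -d' ' -f1
}

# Emit every tracked file's contents as a unified diff of additions. Because
# it compares the index to an empty tree, it works identically in a detached
# HEAD or shallow CI clone: no commit history is read at all.
current_tree_diff() {
    git diff "$(empty_tree_hash)" --staged
}

# Run the scanner over the current tree. $1 is the scanner command string;
# it defaults to git-hound sniff. Assumption: the scanner exits non-zero when
# it flags a secret, so this function's exit status can gate the build.
scan_current_tree() {
    scanner="${1:-git-hound sniff}"
    current_tree_diff | sh -c "$scanner"
}

# Pipeline usage (equivalent to the thread's working step):
#   - script: sh scan.sh --run
#     displayName: run git-hound
if [ "${1:-}" = "--run" ]; then
    scan_current_tree
fi
```

If you want a hard guarantee that the scan covers exactly what ships, run `git add -A` before `scan_current_tree` in a dirty working tree; in a clean CI checkout the index already matches HEAD, so the diff is the full content of the commit under test.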

ezekg commented 3 years ago

Glad that worked, @soccerjoshj07, but I would have expected you to not need to do that explicitly. Let me know if you want to dig into this further, because that behavior should be the default behavior of running git-hound sniff. Perhaps your CI/CD is doing something like a shallow clone which I'm not accounting for here.

joshjohanning commented 3 years ago

@ezekg Yeah, it seems likely it is something with the way the pipeline clones the repo. It is a detached HEAD state, which may be it.

Here are the Git logs from an Azure Pipelines job run:

git init "/home/vsts/work/1/s/secrets-scanning-poc"
Initialized empty Git repository in /home/vsts/work/1/s/secrets-scanning-poc/.git/
git remote add origin https://github.com/soccerjoshj07/secrets-scanning-poc
git config gc.auto 0
git config --get-all http.https://github.com/soccerjoshj07/secrets-scanning-poc.extraheader
git config --get-all http.proxy
git config http.version HTTP/1.1
git -c http.extraheader="AUTHORIZATION: basic ***" fetch --force --tags --prune --progress --no-recurse-submodules origin

...

From https://github.com/soccerjoshj07/secrets-scanning-poc
 * [new branch]      main       -> origin/main
git -c http.extraheader="AUTHORIZATION: basic ***" fetch --force --tags --prune --progress --no-recurse-submodules origin +c39666e2772a1c2e8543d0057b485493dc8a96c3:refs/remotes/origin/c39666e2772a1c2e8543d0057b485493dc8a96c3
From https://github.com/soccerjoshj07/secrets-scanning-poc
 * [new ref]         c39666e2772a1c2e8543d0057b485493dc8a96c3 -> origin/c39666e2772a1c2e8543d0057b485493dc8a96c3
git checkout --progress --force c39666e2772a1c2e8543d0057b485493dc8a96c3
Note: switching to 'c39666e2772a1c2e8543d0057b485493dc8a96c3'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:

  git switch -c <new-branch-name>

Or undo this operation with:

  git switch -

Turn off this advice by setting config variable advice.detachedHead to false

HEAD is now at c39666e cleaning code

Let me know if any of this was useful. Thanks!