step-security / secure-repo

Orchestrate GitHub Actions Security
https://app.stepsecurity.io
GNU Affero General Public License v3.0

Add pre-commit hooks to catch linting issues and prevent credential leaks #2069

Closed varunsh-coder closed 1 year ago

varunsh-coder commented 1 year ago

https://github.com/pre-commit/pre-commit is a framework for managing and maintaining multi-language pre-commit hooks.

It is very popular, and one of the important use cases is to detect and prevent credentials from being pushed. This is important because the cost of dealing with a cred leak is much higher once it is already pushed.

Using a PR, we should add a pre-commit configuration .pre-commit-config.yaml as a best practice. If the file already exists, then we should suggest adding specific hooks related to security.

Here is an example of such a file https://github.com/aws-samples/aws-deployment-pipeline-reference-architecture/blob/1329e3cb20f3ef782fca907ddce39d94a8b4c813/examples/cdk-application-pipeline/.pre-commit-config.yaml

varunsh-coder commented 1 year ago

@Devils-Knight please take this up

varunsh-coder commented 1 year ago

What hooks should we be recommending for linting and for credential scanning?

For credential scanning, the options are gitleaks, trufflehog, and we should try to find more.

For linting, there are some basic non-language-specific options like trailing-whitespace, and then there might be others specific to programming languages like check-yaml.
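As an added illustration of the configuration this issue is proposing (example only, not the file the Secure-Repo PR actually generates), the following `.pre-commit-config.yaml` combines the generic hygiene hooks mentioned above with gitleaks for credential scanning. Hook ids and repository URLs are those published by the pre-commit-hooks and gitleaks projects; the `rev` values are assumptions and should be pinned to a release tag you have vetted (`pre-commit autoupdate` will bump them).

```yaml
# .pre-commit-config.yaml  (added example; rev values are placeholders to pin)
repos:
  # Generic, language-agnostic hygiene hooks maintained by the pre-commit project
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.4.0                  # assumption: replace with a vetted release tag
    hooks:
      - id: trailing-whitespace   # strips trailing spaces so diffs stay clean
      - id: end-of-file-fixer     # ensures files end with exactly one newline
      - id: check-yaml            # parses every *.yaml/*.yml and fails on syntax errors
      - id: check-added-large-files   # refuses blobs that are probably build output or dumps
      - id: detect-private-key    # fails on "-----BEGIN ... PRIVATE KEY-----" blocks
      - id: detect-aws-credentials
        args: ["--allow-missing-credentials"]   # don't error when ~/.aws/credentials is absent

  # Dedicated secret scanner; runs over the staged changes before the commit is created
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.0                 # assumption: replace with a vetted release tag
    hooks:
      - id: gitleaks
```

After committing this file, `pre-commit install` writes the git hook into `.git/hooks/pre-commit`, and `pre-commit run --all-files` checks the tree that already exists rather than only the next commit. Two caveats worth keeping in mind: the hook is client-side and is bypassed by `git commit --no-verify` or by a contributor who never ran `pre-commit install`, so the same `pre-commit run --all-files` should also run in CI; and a secret that a scanner catches only after it has been committed locally is still only in the local history, which is exactly the cheap moment to fix it that the issue description refers to.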

WikiRik commented 1 year ago

Would it be possible to use other libraries as well that do similar things with commit hooks? Mainly https://github.com/typicode/husky

varunsh-coder commented 1 year ago

> Would it be possible to use other libraries as well that do similar things with commit hooks? Mainly https://github.com/typicode/husky

Thanks a lot for sharing @WikiRik! I did not know about husky and will read more about it.

varunsh-coder commented 1 year ago

This is done and released. https://app.stepsecurity.io/securerepo now shows an option to add pre-commit hooks.

[Screenshot: app.stepsecurity.io/securerepo showing the new "add pre-commit hooks" option, captured 2023-07-04]