Merge pull request #33 from IABTechLab/aaq-UID2-3163-enable-secret-scanning

asloobq · web-flow · commit bbc2ec96bc71 · 2024-04-08T11:10:26.000-07:00
Add pre-commit and trivy scan configs
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,19 @@
+repos:
+  - repo: https://github.com/mxab/pre-commit-trivy.git
+    rev: v0.12.0
+    hooks:
+      - id: trivyfs-docker
+        args:
+          - --scanners
+          - secret
+          - --secret-config
+          - /src/trivy-secret.yaml
+          - --skip-dirs
+          - /src/target
+          - --skip-dirs
+          - /src/.idea
+          - --skip-dirs
+          - /src/venv
+          - --skip-files
+          - /src/e2e/docker/localstack/kms/seed.yaml
+          - .
diff --git a/trivy-secret.yaml b/trivy-secret.yaml
@@ -0,0 +1,210 @@
+rules:
+  ##################
+  # UID2 Admin Key #
+  ##################
+  - id: uid2-admin-key-test
+    category: uid2
+    title: UID2 - Admin Key - Test
+    severity: CRITICAL
+    keywords:
+      - UID2-A-T
+    regex: UID2-A-T-(?P<secret>.{6}\..{38})
+    secret-group-name: secret
+  - id: uid2-admin-key-integ
+    category: uid2
+    title: UID2 - Admin Key - Integ
+    severity: CRITICAL
+    keywords:
+      - UID2-A-I
+    regex: UID2-A-I-(?P<secret>.{6}\..{38})
+    secret-group-name: secret
+  - id: uid2-admin-key-prod
+    category: uid2
+    title: UID2 - Admin Key - Prod
+    severity: CRITICAL
+    keywords:
+      - UID2-A-P
+    regex: UID2-A-P-(?P<secret>.{6}\..{38})
+    secret-group-name: secret
+
+  ###################
+  # UID2 Client Key #
+  ###################
+  - id: uid2-client-key-test
+    category: uid2
+    title: UID2 - Client Key - Test
+    severity: CRITICAL
+    keywords:
+      - UID2-C-T
+    regex: UID2-C-T-[0-9]+-(?P<secret>.{6}\..{38})
+    secret-group-name: secret
+  - id: uid2-client-key-integ
+    category: uid2
+    title: UID2 - Client Key - Integ
+    severity: CRITICAL
+    keywords:
+      - UID2-C-I
+    regex: UID2-C-I-[0-9]+-(?P<secret>.{6}\..{38})
+    secret-group-name: secret
+  - id: uid2-client-key-prod
+    category: uid2
+    title: UID2 - Client Key - Prod
+    severity: CRITICAL
+    keywords:
+      - UID2-C-P
+    regex: UID2-C-P-[0-9]+-(?P<secret>.{6}\..{38})
+    secret-group-name: secret
+
+  #####################
+  # UID2 Operator Key #
+  #####################
+  - id: uid2-operator-key-test
+    category: uid2
+    title: UID2 - Operator Key - Test
+    severity: CRITICAL
+    keywords:
+      - UID2-O-T
+    regex: UID2-O-T-[0-9]+-(?P<secret>.{6}\..{38})
+    secret-group-name: secret
+  - id: uid2-operator-key-integ
+    category: uid2
+    title: UID2 - Operator Key - Integ
+    severity: CRITICAL
+    keywords:
+      - UID2-O-I
+    regex: UID2-O-I-[0-9]+-(?P<secret>.{6}\..{38})
+    secret-group-name: secret
+  - id: uid2-operator-key-prod
+    category: uid2
+    title: UID2 - Operator Key - Prod
+    severity: CRITICAL
+    keywords:
+      - UID2-O-P
+    regex: UID2-O-P-[0-9]+-(?P<secret>.{6}\..{38})
+    secret-group-name: secret
+
+  ########################################
+  # UID2 Client Side Keypair Private Key #
+  ########################################
+  - id: uid2-client-side-keypair-private-key-test
+    category: uid2
+    title: UID2 - Client Side Keypair Private Key - Test
+    severity: CRITICAL
+    keywords:
+      - UID2-Y-T
+    regex: (?P<secret>UID2-Y-T-.{92})
+    secret-group-name: secret
+  - id: uid2-client-side-keypair-private-key-integ
+    category: uid2
+    title: UID2 - Client Side Keypair Private Key - Integ
+    severity: CRITICAL
+    keywords:
+      - UID2-Y-I
+    regex: (?P<secret>UID2-Y-I-.{92})
+    secret-group-name: secret
+  - id: uid2-client-side-keypair-private-key-prod
+    category: uid2
+    title: UID2 - Client Side Keypair Private Key - Prod
+    severity: CRITICAL
+    keywords:
+      - UID2-Y-P
+    regex: (?P<secret>UID2-Y-P-.{92})
+    secret-group-name: secret
+
+  ##################
+  # EUID Admin Key #
+  ##################
+  - id: euid-admin-key-test
+    category: euid
+    title: EUID - Admin Key - Test
+    severity: CRITICAL
+    keywords:
+      - EUID-A-T
+    regex: EUID-A-T-(?P<secret>.{6}\..{38})
+    secret-group-name: secret
+  - id: euid-admin-key-integ
+    category: euid
+    title: EUID - Admin Key - Integ
+    severity: CRITICAL
+    keywords:
+      - EUID-A-I
+    regex: EUID-A-I-(?P<secret>.{6}\..{38})
+    secret-group-name: secret
+  - id: euid-admin-key-prod
+    category: euid
+    title: EUID - Admin Key - Prod
+    severity: CRITICAL
+    keywords:
+      - EUID-A-P
+    regex: EUID-A-P-(?P<secret>.{6}\..{38})
+    secret-group-name: secret
+
+  ###################
+  # EUID Client Key #
+  ###################
+  - id: euid-client-key-test
+    category: euid
+    title: EUID - Client Key - Test
+    severity: CRITICAL
+    keywords:
+      - EUID-C-T
+    regex: EUID-C-T-[0-9]+-(?P<secret>.{6}\..{38})
+    secret-group-name: secret
+  - id: euid-client-key-integ
+    category: euid
+    title: EUID - Client Key - Integ
+    severity: CRITICAL
+    keywords:
+      - EUID-C-I
+    regex: EUID-C-I-[0-9]+-(?P<secret>.{6}\..{38})
+    secret-group-name: secret
+  - id: euid-client-key-prod
+    category: euid
+    title: EUID - Client Key - Prod
+    severity: CRITICAL
+    keywords:
+      - EUID-C-P
+    regex: EUID-C-P-[0-9]+-(?P<secret>.{6}\..{38})
+    secret-group-name: secret
+
+  #####################
+  # EUID Operator Key #
+  #####################
+  - id: euid-operator-key-test
+    category: euid
+    title: EUID - Operator Key - Test
+    severity: CRITICAL
+    keywords:
+      - EUID-O-T
+    regex: EUID-O-T-[0-9]+-(?P<secret>.{6}\..{38})
+    secret-group-name: secret
+  - id: euid-operator-key-integ
+    category: euid
+    title: EUID - Operator Key - Integ
+    severity: CRITICAL
+    keywords:
+      - EUID-O-I
+    regex: EUID-O-I-[0-9]+-(?P<secret>.{6}\..{38})
+    secret-group-name: secret
+  - id: euid-operator-key-prod
+    category: euid
+    title: EUID - Operator Key - Prod
+    severity: CRITICAL
+    keywords:
+      - EUID-O-P
+    regex: EUID-O-P-[0-9]+-(?P<secret>.{6}\..{38})
+    secret-group-name: secret
+
+disable-allow-rules:
+  - tests
+  - examples
+  - vendor
+  - usr-dirs
+  - locale-dir
+  - markdown
+  - node.js
+  - golang
+  - python
+  - rubygems
+  - wordpress
+  - anaconda-log
