Add secrets scan into build pipeline (+ precommit hook config) (#481)

* Add secrets baseline
* Updated secrets baseline
* Added config for pre-commit hook
* CI work - No longer need compare script to source
* Turn off shell command echoing
* Move secret scan & compare to script files
* Chmod script files
* Add suggested exclude patterns
* Removed old code from jenkinsfile
* Fix incorrect cl arg for secrets scan

---------

Co-authored-by: Riley K. Kuttruff <[email protected]>

Author: RKuttruff

Diff for: .ci/jenkins/build-test/Jenkinsfile

@@ -21,6 +21,18 @@ pipeline {
                      required: true)
     }
     stages {
+        stage('Scan for possible secrets'){
+            steps{
+                sh label: "Secrets scan",
+                   script: ".ci/scripts/util/secrets_scan.sh"
+
+                archiveArtifacts artifacts: ".secrets.new", allowEmptyArchive: true, fingerprint: true
+                archiveArtifacts artifacts: ".secrets.diff", allowEmptyArchive: true, fingerprint: true
+
+                sh label: "Compare scan result to baseline",
+                   script: ".ci/scripts/util/secrets_scan_compare.sh"
+            }
+        }
         stage('Build OPERA PGE Docker image(s)') {
             steps {
                 script {
@@ -93,6 +105,7 @@ pipeline {
             echo 'Unstable :/'
         }
         failure {
+            archiveArtifacts artifacts: ".secrets.diff", allowEmptyArchive: true, fingerprint: true
             echo 'Failed :('
         }
         changed {

Diff for: .ci/scripts/util/secrets_scan.sh

@@ -0,0 +1,56 @@
+#!/bin/bash
+
+set +xe
+
+echo '
+===============================================
+
+Scanning workspace for potential leaked secrets
+
+===============================================
+'
+
+
+# defaults
+[ -z "${WORKSPACE}" ] && WORKSPACE=$(realpath $(dirname $(realpath $0))/../../..)
+
+echo "WORKSPACE: $WORKSPACE"
+
+if [ ! -f ${WORKSPACE}/.secrets.baseline ] ;
+then
+    # This generated baseline file will only be temporarily available on the GitHub side and will not appear in the user's local files.
+    # Scanning an empty folder to generate an initial .secrets.baseline without secrets in the results.
+    echo "⚠️ No existing .secrets.baseline file detected. Creating a new blank baseline file."
+    mkdir -p ${WORKSPACE}/empty-dir
+    detect-secrets -C ${WORKSPACE}/empty-dir scan > ${WORKSPACE}/.secrets.baseline
+    echo "✅ Blank .secrets.baseline file created successfully."
+    rm -r ${WORKSPACE}/empty-dir
+else
+    echo "✅ Existing .secrets.baseline file detected. No new baseline file will be created."
+fi
+# scripts scan repository for new secrets
+# backup list of known secrets
+cp -pr ${WORKSPACE}/.secrets.baseline ${WORKSPACE}/.secrets.new
+# find secrets in the repository
+detect-secrets -C ${WORKSPACE} scan \
+                    --disable-plugin AbsolutePathDetectorExperimental \
+                    --all-files \
+                    --baseline ${WORKSPACE}/.secrets.new \
+                    --exclude-files '\.secrets..*' \
+                    --exclude-files '\.git.*' \
+                    --exclude-files 'test_results' \
+                    --exclude-files '\.pytest_cache' \
+                    --exclude-files '\.venv' \
+                    --exclude-files 'venv' \
+                    --exclude-files 'dist' \
+                    --exclude-files 'build' \
+                    --exclude-files '.*\.egg-info'
+# break build when new secrets discovered
+# function compares baseline/new secrets w/o listing results -- success(0) when new secret found
+
+jq -r '.results | keys[] as $key | "\($key),\(.[$key] | .[] | .hashed_secret)"' "${WORKSPACE}/.secrets.baseline" | sort > /data/tmp/.secrets.1
+jq -r '.results | keys[] as $key | "\($key),\(.[$key] | .[] | .hashed_secret)"' "${WORKSPACE}/.secrets.new" | sort > /data/tmp/.secrets.2
+
+diff /data/tmp/.secrets.1 /data/tmp/.secrets.2 > ${WORKSPACE}/.secrets.diff || true
+
+rm -f /data/tmp/.secrets.1 /data/tmp/.secrets.2

Diff for: .ci/scripts/util/secrets_scan_compare.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+set +xe
+
+echo '
+============================================
+
+Comparing secrets scan results with baseline
+
+============================================
+'
+
+
+# defaults
+[ -z "${WORKSPACE}" ] && WORKSPACE=$(realpath $(dirname $(realpath $0))/../../..)
+
+echo "WORKSPACE: $WORKSPACE"
+
+if grep -q '>' < ${WORKSPACE}/.secrets.diff;
+then
+    echo "⚠️ Attention Required! ⚠️" >&2
+    echo "New secrets have been detected in your recent commit. Due to security concerns, we cannot display detailed information here and we cannot proceed until this issue is resolved." >&2
+    echo "" >&2
+    echo "Please follow the steps below on your local machine to reveal and handle the secrets:" >&2
+    echo "" >&2
+    echo "1️⃣ Run the 'detect-secrets' tool on your local machine. This tool will identify and clean up the secrets. You can find detailed instructions at this link: https://nasa-ammos.github.io/slim/continuous-testing/starter-kits/#detect-secrets" >&2
+    echo "" >&2
+    echo "2️⃣ After cleaning up the secrets, commit your changes and re-push your update to the repository." >&2
+    echo "" >&2
+    echo "Your efforts to maintain the security of our codebase are greatly appreciated!" >&2
+    exit 1
+else
+    echo "🟢 Secrets tests PASSED! 🟢" >&1
+    echo "No new secrets were detected in comparison to any baseline configurations."  >&1
+    exit 0
+fi

Diff for: .pre-commit-config.yaml

@@ -0,0 +1,29 @@
+  repos:
+    - repo: https://github.com/NASA-AMMOS/slim-detect-secrets
+      # using commit id for now, will change to tag when official version is released
+      rev: 91e097ad4559ae6ab785c883dc5ed989202c7fbe
+      hooks:
+        - id: detect-secrets
+          args:
+            - '--disable-plugin'
+            - 'AbsolutePathDetectorExperimental'
+            - '--baseline'
+            - '.secrets.baseline'
+            - '--exclude-files'
+            - '\.git*'
+            - '--exclude-files'
+            - '\.secrets.*'
+            - '--exclude-files'
+            - 'test_results'
+            - '--exclude-files'
+            - '\.pytest_cache'
+            - '--exclude-files'
+            - '\.venv'
+            - '--exclude-files'
+            - 'venv'
+            - '--exclude-files'
+            - 'dist'
+            - '--exclude-files'
+            - 'build'
+            - '--exclude-files'
+            - '.*\.egg-info'