
[Feature Request]: Add credential scanning to the CICD process

Open akata72 opened this issue 3 years ago • 3 comments

Description

It would have been nice to add some mechanism for secret scanning in the CICD setup, both on the GitHub and ADO side.

akata72 avatar Nov 30 '22 11:11 akata72

Integrated a sample over here: https://github.com/fblix/ResourceModules/actions/runs/3601328513

Next step would be to check the baseline file if all of the findings really are false-positives.

The baseline file location under /utilities/pipelines/credscan is still up for discussion. This is the included logic (will also be present on the associated branch):

name: '.Platform: RunCredScan'

on:
  workflow_dispatch:
  pull_request:
    branches:
      - main

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Install detect-secrets using pip
        run: pip install detect-secrets

      # Scan every file except the baseline files, .git and readme.md. The scan
      # runs against a copy of the committed baseline, which detect-secrets
      # updates in place, so the committed baseline itself is left untouched.
      - name: Run detect-secrets tool
        run: |
          detect-secrets --version
          cp utilities/pipelines/credScan/.secrets.baseline .secrets.current
          detect-secrets scan --baseline .secrets.current $(find . -type f ! -name '.secrets.*' ! -path '*/.git*' ! -name 'readme.md')
          ls

      - name: Upload Secret Baseline as Artifact
        uses: actions/upload-artifact@v2
        with:
          name: secret-baseline
          path: utilities/pipelines/credScan/.secrets.baseline

      - name: Upload Findings from current run as Artifact
        uses: actions/upload-artifact@v2
        with:
          name: secret-current-run
          path: .secrets.current

      # Reduce both files to sorted "file,line" pairs and fail the job when the
      # findings of the current scan differ from the committed baseline.
      - name: Compare Results
        run: |
          list_secrets() { jq -r '.results | keys[] as $key | "\($key),\(.[$key] | .[] | .line_number)"' "$1" | sort; }

          if ! diff <(list_secrets utilities/pipelines/credScan/.secrets.baseline) <(list_secrets .secrets.current) >&2; then
            echo "Detected new secrets in the repo" >&2
            exit 1
          fi

fblix avatar Dec 02 '22 11:12 fblix
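The compare step in the workflow above reduces two detect-secrets baselines to "file,line" pairs with jq and diffs them. The following is an added example, not code from this thread or from ResourceModules, that does the same comparison in Python over the baseline's `results` map and also lists which baseline entries still lack the `is_secret` verdict that a `detect-secrets audit` pass records, which is the "are these really false positives?" review the comment mentions. The baseline contents, file paths, line numbers and hashes are constructed.

```python
from typing import Set, Tuple

Finding = Tuple[str, int, str]  # (filename, line_number, plugin type)


def findings(baseline: dict, skip_audited_false_positives: bool = False) -> Set[Finding]:
    # Flatten the "results" map of a detect-secrets baseline into the same
    # (file, line) keys the workflow's jq one-liner builds, plus the plugin
    # type so two plugins hitting the same line are not merged into one.
    out: Set[Finding] = set()
    for filename, entries in baseline.get("results", {}).items():
        for entry in entries:
            # `detect-secrets audit` stores a reviewed false positive as
            # is_secret: false; an entry without the key was never reviewed.
            if skip_audited_false_positives and entry.get("is_secret") is False:
                continue
            out.add((filename, entry["line_number"], entry["type"]))
    return out


def new_findings(baseline: dict, current: dict) -> Set[Finding]:
    # One-directional: a finding that vanished from the repo is not a failure,
    # unlike the symmetric `diff` in the workflow's compare step.
    return findings(current) - findings(baseline)


def unaudited_entries(baseline: dict) -> Set[Finding]:
    # The review backlog from the thread: baseline entries that carry no
    # is_secret verdict at all, so nobody has confirmed them as false positives.
    return {(f, e["line_number"], e["type"])
            for f, entries in baseline.get("results", {}).items()
            for e in entries if "is_secret" not in e}


# Constructed sample baselines; paths, line numbers and hashes are made up.
_OLD = {"type": "Hex High Entropy String", "hashed_secret": "deadbeef",
        "is_verified": False, "line_number": 42, "is_secret": False}
_KW = {"type": "Secret Keyword", "hashed_secret": "cafef00d",
       "is_verified": False, "line_number": 7}
_NEW = {"type": "Azure Storage Account access key", "hashed_secret": "feedface",
        "is_verified": False, "line_number": 19}
BASELINE = {"version": "1.4.0", "results": {"modules/storage/readme.md": [_OLD],
                                             "modules/sql/parameters.json": [_KW]}}
CURRENT = {"version": "1.4.0", "results": {"modules/storage/readme.md": [_OLD],
                                            "modules/sql/parameters.json": [_KW, _NEW]}}
```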

Thanks for the quick response. I assume we would need something similar on the ADO side, but potentially with a different set of tools/tasks.

akata72 avatar Dec 02 '22 17:12 akata72

We have a similar logic for ADO as well, got that one working as well. So it would be the same core tool that we utilize.

fblix avatar Dec 05 '22 14:12 fblix