Call --add-provider during lint stage

I'm also `cat .git/config` because I think the Buildkite destroys the .git/config file for each build, but I want to verify that. If it does, I prefer that because it seems to share the spirit of the "Destroy Your Darlings" essay.
2020-08-21 18:04:31 +01:00 · 2020-08-21 18:04:31 +01:00 · 92fa785e75
commit 92fa785e75
parent aeeaed605e
1 changed files with 16 additions and 3 deletions
--- a/ci/pipelines/briefcase.nix
+++ b/ci/pipelines/briefcase.nix
@ -3,9 +3,22 @@
 let
  pipeline.steps = [
    {
-      command = ''
-        git log -n 1
-        git show
+      command = let
+        # Regexes to detect sensitive information
+        patterns = pkgs.writeText "secrets.txt" ''
+          (A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}
+          ("|')?(AWS|aws|Aws)?_?(SECRET|secret|Secret)?_?(ACCESS|access|Access)?_?(KEY|key|Key)("|')?\s*(:|=>|=)\s*("|')?[A-Za-z0-9/\+=]{40}("|')?
+          ("|')?(AWS|aws|Aws)?_?(ACCOUNT|account|Account)_?(ID|id|Id)?("|')?\s*(:|=>|=)\s*("|')?[0-9]{4}\-?[0-9]{4}\-?[0-9]{4}("|')?
+          AIza[0-9A-Za-z_-]{35}
+          [0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com
+          (^|[^0-9A-Za-z/+])1/[0-9A-Za-z_-]{43}
+          (^|[^0-9A-Za-z/+])1/[0-9A-Za-z_-]{64}
+          ya29\.[0-9A-Za-z_-]+
+          (sk|pk)_(test|live)_[a-zA-Z0-9]{99}
+        '';
+      in ''
+        cat .git/config
+        ${pkgs.git-secrets}/bin/git-secrets --add-provider -- cat ${patterns}
        ${pkgs.git-secrets}/bin/git-secrets --scan-history
      '';
      label = ":broom: lint";