Call --add-provider during lint stage
I'm also running `cat .git/config` because I think Buildkite destroys the .git/config file for each build, but I want to verify that. If it does, I prefer that, since it seems to share the spirit of the "Destroy Your Darlings" essay.
This commit is contained in:
parent
aeeaed605e
commit
92fa785e75
1 changed files with 16 additions and 3 deletions
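@@ -3,9 +3,22 @@
 let
 pipeline.steps = [
 {
-command = ''
-git log -n 1
-git show
+command = let
+# Regexes to detect sensitive information
+patterns = pkgs.writeText "secrets.txt" ''
+(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}
+("|')?(AWS|aws|Aws)?_?(SECRET|secret|Secret)?_?(ACCESS|access|Access)?_?(KEY|key|Key)("|')?\s*(:|=>|=)\s*("|')?[A-Za-z0-9/\+=]{40}("|')?
+("|')?(AWS|aws|Aws)?_?(ACCOUNT|account|Account)_?(ID|id|Id)?("|')?\s*(:|=>|=)\s*("|')?[0-9]{4}\-?[0-9]{4}\-?[0-9]{4}("|')?
+AIza[0-9A-Za-z_-]{35}
+[0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com
+(^|[^0-9A-Za-z/+])1/[0-9A-Za-z_-]{43}
+(^|[^0-9A-Za-z/+])1/[0-9A-Za-z_-]{64}
+ya29\.[0-9A-Za-z_-]+
+(sk|pk)_(test|live)_[a-zA-Z0-9]{99}
+'';
+in ''
+cat .git/config
+${pkgs.git-secrets}/bin/git-secrets --add-provider -- cat ${patterns}
 ${pkgs.git-secrets}/bin/git-secrets --scan-history
 '';
 label = ":broom: lint";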
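Review bot: The `cat .git/config` line in the new `in ''` block dumps the whole repo config, including the remote URL, into the Buildkite log; if the agent checks out over HTTPS with an embedded token or a credential header in that file, the secret ends up in the build output of the very step meant to catch leaked secrets. The stated goal is only to learn whether `.git/config` survives between builds, and the provider written by `--add-provider` is enough to answer that without printing the remote: replace the line with `git config --get-all secrets.providers || true` placed before the `--add-provider` call, so a surviving entry from a previous build shows up while an absent key does not abort the step. If the file does persist, note that `--add-provider` appears to append rather than replace, so each build would stack another identical provider entry — worth confirming against the git-secrets source before relying on repeated runs. Either way, the diagnostic line should be removed once the question is settled rather than left in the lint step.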