RubyGems - sanctify - Versions diffs - 0.1.1 → 0.2.0 - Mend

sanctify 0.1.1 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b0ca7f6e90a7bd6520e1aedb679ec4da2f4538c8
-  data.tar.gz: d6467b517483af563a274a1d82e38efa8bb1062a
+  metadata.gz: 6f3f4da1abe8e2ba6540a80a0e5b680191b2f39d
+  data.tar.gz: f3e148f8a770182bb86b4902982fc6287494a5e5
 SHA512:
-  metadata.gz: 5446635a999c7a9e4e7c102d03db9df8617155819f64bf241c9afefc4f30bdd124b1e6e86fb68bfba8dc17eec5610004654efe992b349e7556f27eedcd345d11
-  data.tar.gz: 5d2001a4d2a5ec928ac91d29416ecb79c2cbf9be6c23b48dd660d835c35f911c3bb53663dc017942bdf19866f11d5df0a0595a284e4a3e4b537c9383c6d658bd
+  metadata.gz: 5bc55c655e0ebc395a588f40abc7f19b3aaeb42a122f3d6c30e5190ddfb211687ce54ef7ba6c3ddcd936a784a7218f58b3b1af075d7d771244cd8744fdedd44a
+  data.tar.gz: 890cc5a672faa1f7266806fd539bbc62b8ed8900f5929c368ed09b28239b091f57b8364c5d6ad70424e7c11d2dc3726c841a3cfea52fb07f912de8b7be98ea81

data/Gemfile.lock CHANGED Viewed

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    sanctify (0.1.0)
+    sanctify (0.2.0)
       git
 GEM

data/README.md CHANGED Viewed

@@ -1,8 +1,6 @@
 # Sanctify
-Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/sanctify`. To experiment with that code, run `bin/console` for an interactive prompt.
-TODO: Delete this and the text above, and describe your gem
+Sanctify is a gem that allows you to scan the git diff of any repo for secrets before you commit.
 ## Installation
@@ -22,17 +20,67 @@ Or install it yourself as:
 ## Usage
-Run sanctify as part of the pre-commit hook, which will make sure to find and deny secrets before commit and PR. You can use the [precommit hook project](http://pre-commit.com/) to easily integrate this script with your repo.
+Run sanctify as part of the pre-commit hook, which will make sure to find and deny secrets before commit and PR. You can use the [precommit hook project](http://pre-commit.com/) to easily integrate this script with your repo. You can also run as a standalone command. If it fails, you'll get an exit code of 1 otherwise, 0 so you can very easily integrate it into bash scripts.
 Sancitfy has very simple usage:
 ```
-Usage: sanctify [-r REPO_PATH] [-c CONFIG_PATH]
+Usage: sanctify [-r REPO_PATH] [-c CONFIG_PATH] [-d FROM_COMMIT..TO_COMMIT | -d FROM_COMMIT]
     -r, --repo REPO                  Repo to test
     -c, --config CONFIG              Configuration file in YAML
+    -d, --diff DIFF                  Specify a diff or commit from which to check secrets
     -h, --help                       Prints this help
 ```
+To integrate with pre-commit, add the following to your `pre-commit-config.yaml`:
+```
+repos:
+-   repo: https://github.com/onetwopunch/sanctify
+    sha: v0.2.0
+    hooks:
+    -   id: sanctify
+```
+## Configuration
+Sanctify supports two top-level objects in the config: `ignored_paths` and `custom_matchers`. Currently sanctify supports a number of default matchers, but you are free to add more to your config file under custom_matchers. If there is a file that you know has secrets or is a false positive, you can add a list of Ruby-style regexes to ignore certain files.
+Here's an example config file:
+```yaml
+---
+custom_matchers:
+  - description: "Test Description"
+    regex: "secret.*"
+ignored_paths:
+  - test.*
+  - .*thing.rb
+```
+The list of current default matchers are located in  `lib/sanctify/matcher_list.rb`:
+```ruby
+[
+  {
+    description: "AWS Access Key ID",
+    regex: /AKIA[0-9A-Z]{16}/
+  },
+  {
+    description: "AWS Secret Key",
+    regex: /\b[\w\/&?=-@#$%\\^+]{40}\b/
+  },
+  {
+    description: "SSH RSA Private Key",
+    regex: /^-----BEGIN RSA PRIVATE KEY-----$/
+  },
+  ...
+]
+```
+If you see any problem with a default matcher list or would like to add another to the default list, please feel free to make a pull request.
 ## Development

data/lib/sanctify/cli.rb CHANGED Viewed

@@ -7,7 +7,7 @@ module Sanctify
       args = {}
       opt_parser = OptionParser.new do |opts|
-        opts.banner = "Usage: sanctify [-r REPO_PATH] [-c CONFIG_PATH]"
+        opts.banner = "Usage: sanctify [-r REPO_PATH] [-c CONFIG_PATH] [--diff FROM_COMMIT..TO_COMMIT | --diff FROM_COMMIT]"
         opts.on("-r REPO", "--repo REPO", "Repo to test") do |repo|
           args[:repo] = repo
@@ -17,6 +17,12 @@ module Sanctify
           args[:config] = YAML.load(File.open(config))
         end
+        opts.on("-d DIFF", "--diff DIFF", "Specify a diff or commit from which to check secrets") do |diff|
+          from, to = diff.split('..')
+          args[:from] = from
+          args[:to] = to
+        end
         opts.on("-h", "--help", "Prints this help") do
           puts opts
           exit

data/lib/sanctify/matcher_list.rb CHANGED Viewed

@@ -31,6 +31,14 @@ module Sanctify
         description: "AWS Secret Key",
         regex: /\b[\w\/&?=-@#$%\\^+]{40}\b/
       },
+      {
+        description: "SSH RSA Private Key",
+        regex: /^-----BEGIN RSA PRIVATE KEY-----$/
+      },
+      {
+        description: "X.509 Certificate",
+        regex: /^-----BEGIN CERTIFICATE-----$/
+      },
       {
         description: "Redis URL with Password",
         regex: /redis:\/\/[0-9a-zA-Z:@.\\-]+/

data/lib/sanctify/repo.rb CHANGED Viewed

@@ -3,20 +3,19 @@ require 'git'
 module Sanctify
   class Repo
     attr_reader :path, :git, :ignored_paths
-    def initialize(path, ignored_paths = [])
-      @path = path
+    def initialize(args, ignored_paths = [])
+      @path = args[:repo]
+      @to = args[:to] # The default for `to` in git.diff is nil
+      @from = args[:from] || 'HEAD'
       @git = Git.open(path)
       @ignored_paths = ignored_paths
     end
-    def diff(from = 'HEAD', to = nil)
+    def diff
       # The diff processing is only done in the each method
       # so we'll call this method as a singleton so we don't accidentally
       # do this more than once per instance of the repo.
-      #
-      # NOTE: We expect this bydefault to be executed in a pre-commit hook
-      # but we may want to extend it to work with a static git repo as well.
-      @diff ||= git.diff(from, to).each.to_a
+      @diff ||= git.diff(@from, @to).each.to_a
     end
     def added_lines

data/lib/sanctify/scanner.rb CHANGED Viewed

@@ -7,7 +7,7 @@ module Sanctify
     attr_reader :config, :repo, :matcher_list
     def initialize(args)
       @config = args[:config] || {}
-      @repo = Repo.new(args[:repo], ignored_paths)
+      @repo = Repo.new(args, ignored_paths)
       @matcher_list = MatcherList.new
     end
@@ -20,6 +20,7 @@ module Sanctify
           end
         end
       end
+      puts "SUCCESS! No Secrets Found in #{repo.path}"
     end
     private

data/lib/sanctify/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Sanctify
-  VERSION = "0.1.1"
+  VERSION = "0.2.0"
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sanctify
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.2.0
 platform: ruby
 authors:
 - Ryan Canty
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2018-01-08 00:00:00.000000000 Z
+date: 2018-01-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -109,7 +109,6 @@ files:
 - lib/sanctify/repo.rb
 - lib/sanctify/scanner.rb
 - lib/sanctify/version.rb
-- sanctify-0.1.0.gem
 - sanctify.gemspec
 homepage: https://github.com/onetwopunch/sanctify
 licenses:

data/sanctify-0.1.0.gem DELETED Viewed

Binary file