sanctify 0.1.1 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b0ca7f6e90a7bd6520e1aedb679ec4da2f4538c8
-  data.tar.gz: d6467b517483af563a274a1d82e38efa8bb1062a
+  metadata.gz: 6f3f4da1abe8e2ba6540a80a0e5b680191b2f39d
+  data.tar.gz: f3e148f8a770182bb86b4902982fc6287494a5e5
 SHA512:
-  metadata.gz: 5446635a999c7a9e4e7c102d03db9df8617155819f64bf241c9afefc4f30bdd124b1e6e86fb68bfba8dc17eec5610004654efe992b349e7556f27eedcd345d11
-  data.tar.gz: 5d2001a4d2a5ec928ac91d29416ecb79c2cbf9be6c23b48dd660d835c35f911c3bb53663dc017942bdf19866f11d5df0a0595a284e4a3e4b537c9383c6d658bd
+  metadata.gz: 5bc55c655e0ebc395a588f40abc7f19b3aaeb42a122f3d6c30e5190ddfb211687ce54ef7ba6c3ddcd936a784a7218f58b3b1af075d7d771244cd8744fdedd44a
+  data.tar.gz: 890cc5a672faa1f7266806fd539bbc62b8ed8900f5929c368ed09b28239b091f57b8364c5d6ad70424e7c11d2dc3726c841a3cfea52fb07f912de8b7be98ea81

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    sanctify (0.1.0)
+    sanctify (0.2.0)
       git
 
 GEM

data/README.md

@@ -1,8 +1,6 @@
 # Sanctify
 
-Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/sanctify`. To experiment with that code, run `bin/console` for an interactive prompt.
-
-TODO: Delete this and the text above, and describe your gem
+Sanctify is a gem that allows you to scan the git diff of any repo for secrets before you commit.
 
 ## Installation
 
@@ -22,17 +20,67 @@ Or install it yourself as:
 
 ## Usage
 
-Run sanctify as part of the pre-commit hook, which will make sure to find and deny secrets before commit and PR. You can use the [precommit hook project](http://pre-commit.com/) to easily integrate this script with your repo.
+Run sanctify as part of the pre-commit hook, which will make sure to find and deny secrets before commit and PR. You can use the [precommit hook project](http://pre-commit.com/) to easily integrate this script with your repo. You can also run as a standalone command. If it fails, you'll get an exit code of 1 otherwise, 0 so you can very easily integrate it into bash scripts.
 
 Sancitfy has very simple usage:
 
 ```
-Usage: sanctify [-r REPO_PATH] [-c CONFIG_PATH]
+Usage: sanctify [-r REPO_PATH] [-c CONFIG_PATH] [-d FROM_COMMIT..TO_COMMIT | -d FROM_COMMIT]
     -r, --repo REPO                  Repo to test
     -c, --config CONFIG              Configuration file in YAML
+    -d, --diff DIFF                  Specify a diff or commit from which to check secrets
     -h, --help                       Prints this help
 ```
 
+To integrate with pre-commit, add the following to your `pre-commit-config.yaml`:
+
+```
+repos:
+-   repo: https://github.com/onetwopunch/sanctify
+    sha: v0.2.0
+    hooks:
+    -   id: sanctify
+```
+
+## Configuration
+
+Sanctify supports two top-level objects in the config: `ignored_paths` and `custom_matchers`. Currently sanctify supports a number of default matchers, but you are free to add more to your config file under custom_matchers. If there is a file that you know has secrets or is a false positive, you can add a list of Ruby-style regexes to ignore certain files.
+
+Here's an example config file:
+
+```yaml
+---
+custom_matchers:
+  - description: "Test Description"
+    regex: "secret.*"
+
+ignored_paths:
+  - test.*
+  - .*thing.rb
+
+```
+
+The list of current default matchers are located in  `lib/sanctify/matcher_list.rb`:
+
+```ruby
+[
+  {
+    description: "AWS Access Key ID",
+    regex: /AKIA[0-9A-Z]{16}/
+  },
+  {
+    description: "AWS Secret Key",
+    regex: /\b[\w\/&?=-@#$%\\^+]{40}\b/
+  },
+  {
+    description: "SSH RSA Private Key",
+    regex: /^-----BEGIN RSA PRIVATE KEY-----$/
+  },
+  ...
+]
+```
+
+If you see any problem with a default matcher list or would like to add another to the default list, please feel free to make a pull request.
 
 ## Development
 

data/lib/sanctify/cli.rb

@@ -7,7 +7,7 @@ module Sanctify
       args = {}
 
       opt_parser = OptionParser.new do |opts|
-        opts.banner = "Usage: sanctify [-r REPO_PATH] [-c CONFIG_PATH]"
+        opts.banner = "Usage: sanctify [-r REPO_PATH] [-c CONFIG_PATH] [--diff FROM_COMMIT..TO_COMMIT | --diff FROM_COMMIT]"
 
         opts.on("-r REPO", "--repo REPO", "Repo to test") do |repo|
           args[:repo] = repo
@@ -17,6 +17,12 @@ module Sanctify
           args[:config] = YAML.load(File.open(config))
         end
 
+        opts.on("-d DIFF", "--diff DIFF", "Specify a diff or commit from which to check secrets") do |diff|
+          from, to = diff.split('..')
+          args[:from] = from
+          args[:to] = to
+        end
+
         opts.on("-h", "--help", "Prints this help") do
           puts opts
           exit

data/lib/sanctify/matcher_list.rb

@@ -31,6 +31,14 @@ module Sanctify
         description: "AWS Secret Key",
         regex: /\b[\w\/&?=-@#$%\\^+]{40}\b/
       },
+      {
+        description: "SSH RSA Private Key",
+        regex: /^-----BEGIN RSA PRIVATE KEY-----$/
+      },
+      {
+        description: "X.509 Certificate",
+        regex: /^-----BEGIN CERTIFICATE-----$/
+      },
       {
         description: "Redis URL with Password",
         regex: /redis:\/\/[0-9a-zA-Z:@.\\-]+/

data/lib/sanctify/repo.rb

@@ -3,20 +3,19 @@ require 'git'
 module Sanctify
   class Repo
     attr_reader :path, :git, :ignored_paths
-    def initialize(path, ignored_paths = [])
-      @path = path
+    def initialize(args, ignored_paths = [])
+      @path = args[:repo]
+      @to = args[:to] # The default for `to` in git.diff is nil
+      @from = args[:from] || 'HEAD'
       @git = Git.open(path)
       @ignored_paths = ignored_paths
     end
 
-    def diff(from = 'HEAD', to = nil)
+    def diff
       # The diff processing is only done in the each method
       # so we'll call this method as a singleton so we don't accidentally
       # do this more than once per instance of the repo.
-      #
-      # NOTE: We expect this bydefault to be executed in a pre-commit hook
-      # but we may want to extend it to work with a static git repo as well.
-      @diff ||= git.diff(from, to).each.to_a
+      @diff ||= git.diff(@from, @to).each.to_a
     end
 
     def added_lines

data/lib/sanctify/scanner.rb

@@ -7,7 +7,7 @@ module Sanctify
     attr_reader :config, :repo, :matcher_list
     def initialize(args)
       @config = args[:config] || {}
-      @repo = Repo.new(args[:repo], ignored_paths)
+      @repo = Repo.new(args, ignored_paths)
       @matcher_list = MatcherList.new
     end
 
@@ -20,6 +20,7 @@ module Sanctify
           end
         end
       end
+      puts "SUCCESS! No Secrets Found in #{repo.path}"
     end
 
     private

data/lib/sanctify/version.rb

@@ -1,3 +1,3 @@
 module Sanctify
-  VERSION = "0.1.1"
+  VERSION = "0.2.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sanctify
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.2.0
 platform: ruby
 authors:
 - Ryan Canty
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2018-01-08 00:00:00.000000000 Z
+date: 2018-01-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -109,7 +109,6 @@ files:
 - lib/sanctify/repo.rb
 - lib/sanctify/scanner.rb
 - lib/sanctify/version.rb
-- sanctify-0.1.0.gem
 - sanctify.gemspec
 homepage: https://github.com/onetwopunch/sanctify
 licenses: