sanctify 0.1.1 → 0.2.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: b0ca7f6e90a7bd6520e1aedb679ec4da2f4538c8
4
- data.tar.gz: d6467b517483af563a274a1d82e38efa8bb1062a
3
+ metadata.gz: 6f3f4da1abe8e2ba6540a80a0e5b680191b2f39d
4
+ data.tar.gz: f3e148f8a770182bb86b4902982fc6287494a5e5
5
5
  SHA512:
6
- metadata.gz: 5446635a999c7a9e4e7c102d03db9df8617155819f64bf241c9afefc4f30bdd124b1e6e86fb68bfba8dc17eec5610004654efe992b349e7556f27eedcd345d11
7
- data.tar.gz: 5d2001a4d2a5ec928ac91d29416ecb79c2cbf9be6c23b48dd660d835c35f911c3bb53663dc017942bdf19866f11d5df0a0595a284e4a3e4b537c9383c6d658bd
6
+ metadata.gz: 5bc55c655e0ebc395a588f40abc7f19b3aaeb42a122f3d6c30e5190ddfb211687ce54ef7ba6c3ddcd936a784a7218f58b3b1af075d7d771244cd8744fdedd44a
7
+ data.tar.gz: 890cc5a672faa1f7266806fd539bbc62b8ed8900f5929c368ed09b28239b091f57b8364c5d6ad70424e7c11d2dc3726c841a3cfea52fb07f912de8b7be98ea81
data/Gemfile.lock CHANGED
@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- sanctify (0.1.0)
4
+ sanctify (0.2.0)
5
5
  git
6
6
 
7
7
  GEM
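Review bot: the lockfile moves from `sanctify (0.1.0)` to `(0.2.0)` while `version.rb` moves from `"0.1.1"` to `"0.2.0"`, so 0.1.1 was released with a stale `Gemfile.lock`. Add a `bundle install` (or `bundle exec rake release`, which regenerates the lock) to the release steps so the two never drift again.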
data/README.md CHANGED
@@ -1,8 +1,6 @@
1
1
  # Sanctify
2
2
 
3
- Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/sanctify`. To experiment with that code, run `bin/console` for an interactive prompt.
4
-
5
- TODO: Delete this and the text above, and describe your gem
3
+ Sanctify is a gem that allows you to scan the git diff of any repo for secrets before you commit.
6
4
 
7
5
  ## Installation
8
6
 
@@ -22,17 +20,67 @@ Or install it yourself as:
22
20
 
23
21
  ## Usage
24
22
 
25
- Run sanctify as part of the pre-commit hook, which will make sure to find and deny secrets before commit and PR. You can use the [precommit hook project](http://pre-commit.com/) to easily integrate this script with your repo.
23
+ Run sanctify as part of the pre-commit hook, which will make sure to find and deny secrets before commit and PR. You can use the [precommit hook project](http://pre-commit.com/) to easily integrate this script with your repo. You can also run as a standalone command. If it fails, you'll get an exit code of 1 otherwise, 0 so you can very easily integrate it into bash scripts.
26
24
 
27
25
  Sancitfy has very simple usage:
28
26
 
29
27
  ```
30
- Usage: sanctify [-r REPO_PATH] [-c CONFIG_PATH]
28
+ Usage: sanctify [-r REPO_PATH] [-c CONFIG_PATH] [-d FROM_COMMIT..TO_COMMIT | -d FROM_COMMIT]
31
29
  -r, --repo REPO Repo to test
32
30
  -c, --config CONFIG Configuration file in YAML
31
+ -d, --diff DIFF Specify a diff or commit from which to check secrets
33
32
  -h, --help Prints this help
34
33
  ```
35
34
 
35
+ To integrate with pre-commit, add the following to your `pre-commit-config.yaml`:
36
+
37
+ ```
38
+ repos:
39
+ - repo: https://github.com/onetwopunch/sanctify
40
+ sha: v0.2.0
41
+ hooks:
42
+ - id: sanctify
43
+ ```
44
+
45
+ ## Configuration
46
+
47
+ Sanctify supports two top-level objects in the config: `ignored_paths` and `custom_matchers`. Currently sanctify supports a number of default matchers, but you are free to add more to your config file under custom_matchers. If there is a file that you know has secrets or is a false positive, you can add a list of Ruby-style regexes to ignore certain files.
48
+
49
+ Here's an example config file:
50
+
51
+ ```yaml
52
+ ---
53
+ custom_matchers:
54
+ - description: "Test Description"
55
+ regex: "secret.*"
56
+
57
+ ignored_paths:
58
+ - test.*
59
+ - .*thing.rb
60
+
61
+ ```
62
+
63
+ The list of current default matchers are located in `lib/sanctify/matcher_list.rb`:
64
+
65
+ ```ruby
66
+ [
67
+ {
68
+ description: "AWS Access Key ID",
69
+ regex: /AKIA[0-9A-Z]{16}/
70
+ },
71
+ {
72
+ description: "AWS Secret Key",
73
+ regex: /\b[\w\/&?=-@#$%\\^+]{40}\b/
74
+ },
75
+ {
76
+ description: "SSH RSA Private Key",
77
+ regex: /^-----BEGIN RSA PRIVATE KEY-----$/
78
+ },
79
+ ...
80
+ ]
81
+ ```
82
+
83
+ If you see any problem with a default matcher list or would like to add another to the default list, please feel free to make a pull request.
36
84
 
37
85
  ## Development
38
86
 
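Review bot: the new Configuration section does not say how `ignored_paths` patterns are applied, and as written (`test.*`, `.*thing.rb`) they read as unanchored Ruby regexes, which would also skip `contest.rb` or `src/testing/keys.rb`; document whether the pattern is anchored to the full path (and suggest `\Atest` / `thing\.rb\z` style patterns in the example), since an over-broad ignore silently disables the scan for those files. Two smaller points in the same hunk: the pre-commit snippet uses `sha: v0.2.0`, and newer pre-commit releases expect `rev:` in place of `sha:`, so the README should mention both; and the claim that a failing run exits 1 is not visible anywhere in this diff, so a one-line check such as `sanctify -r . ; echo $?` in the README would let users confirm it. The context line "Sancitfy has very simple usage:" still carries the typo from 0.1.x.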
data/lib/sanctify/cli.rb CHANGED
@@ -7,7 +7,7 @@ module Sanctify
7
7
  args = {}
8
8
 
9
9
  opt_parser = OptionParser.new do |opts|
10
- opts.banner = "Usage: sanctify [-r REPO_PATH] [-c CONFIG_PATH]"
10
+ opts.banner = "Usage: sanctify [-r REPO_PATH] [-c CONFIG_PATH] [--diff FROM_COMMIT..TO_COMMIT | --diff FROM_COMMIT]"
11
11
 
12
12
  opts.on("-r REPO", "--repo REPO", "Repo to test") do |repo|
13
13
  args[:repo] = repo
@@ -17,6 +17,12 @@ module Sanctify
17
17
  args[:config] = YAML.load(File.open(config))
18
18
  end
19
19
 
20
+ opts.on("-d DIFF", "--diff DIFF", "Specify a diff or commit from which to check secrets") do |diff|
21
+ from, to = diff.split('..')
22
+ args[:from] = from
23
+ args[:to] = to
24
+ end
25
+
20
26
  opts.on("-h", "--help", "Prints this help") do
21
27
  puts opts
22
28
  exit
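Review bot: `from, to = diff.split('..')` does not validate its input: `--diff a...b` (three dots, a common git spelling) yields `from = "a"` and `to = ".b"`, `--diff ..b` yields an empty `from`, and anything with more than one `..` silently drops the trailing parts. Use `diff.split('..', 2)` and reject the value when `from.nil? || from.empty?` (for example `abort "invalid --diff range: #{diff}"`), so a typo fails loudly instead of scanning the wrong range and reporting success.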
@@ -31,6 +31,14 @@ module Sanctify
31
31
  description: "AWS Secret Key",
32
32
  regex: /\b[\w\/&?=-@#$%\\^+]{40}\b/
33
33
  },
34
+ {
35
+ description: "SSH RSA Private Key",
36
+ regex: /^-----BEGIN RSA PRIVATE KEY-----$/
37
+ },
38
+ {
39
+ description: "X.509 Certificate",
40
+ regex: /^-----BEGIN CERTIFICATE-----$/
41
+ },
34
42
  {
35
43
  description: "Redis URL with Password",
36
44
  regex: /redis:\/\/[0-9a-zA-Z:@.\\-]+/
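Review bot: the context line `regex: /\b[\w\/&?=-@#$%\\^+]{40}\b/` for "AWS Secret Key" contains `=-@` inside the character class, which Ruby parses as a range from `=` to `@` (adding `>` and dropping the literal hyphen that AWS secrets can contain); escape it as `\-` or move the `-` to the end of the class. Because the class also includes `\w`, any 40-character token matches, including the SHA-1 digests at the top of this very diff, so expect noise on lockfiles and checksum files unless those are ignored. The two new matchers are anchored with `^...$`, which only fires if the scanner matches each added line on its own with no leading whitespace; an indented key in YAML or a heredoc would be missed, so consider dropping the anchors and widening the first to `/-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/` so PKCS#8, EC and OpenSSH keys are caught too.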
data/lib/sanctify/repo.rb CHANGED
@@ -3,20 +3,19 @@ require 'git'
3
3
  module Sanctify
4
4
  class Repo
5
5
  attr_reader :path, :git, :ignored_paths
6
- def initialize(path, ignored_paths = [])
7
- @path = path
6
+ def initialize(args, ignored_paths = [])
7
+ @path = args[:repo]
8
+ @to = args[:to] # The default for `to` in git.diff is nil
9
+ @from = args[:from] || 'HEAD'
8
10
  @git = Git.open(path)
9
11
  @ignored_paths = ignored_paths
10
12
  end
11
13
 
12
- def diff(from = 'HEAD', to = nil)
14
+ def diff
13
15
  # The diff processing is only done in the each method
14
16
  # so we'll call this method as a singleton so we don't accidentally
15
17
  # do this more than once per instance of the repo.
16
- #
17
- # NOTE: We expect this bydefault to be executed in a pre-commit hook
18
- # but we may want to extend it to work with a static git repo as well.
19
- @diff ||= git.diff(from, to).each.to_a
18
+ @diff ||= git.diff(@from, @to).each.to_a
20
19
  end
21
20
 
22
21
  def added_lines
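Review bot: with a single commit passed via `--diff`, `@to` stays nil (per the comment on `@to = args[:to]`), so `git.diff(@from, nil)` compares that commit against the current working tree rather than examining the commit's own changes, which is not what the option text "commit from which to check secrets" suggests. Either document that semantics or, when no `..` is given, set `@to = commit` and `@from = "#{commit}^"` so the scan covers exactly that commit. Also note that the default `HEAD` vs working tree diff includes unstaged edits, so in a pre-commit hook it can flag lines that are not part of the commit being made; a short note in the README (or a `--cached` mode) would avoid confusion. Changing `Repo#initialize` to take the args hash is a breaking change for any caller still using `Repo.new(path)`.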
@@ -7,7 +7,7 @@ module Sanctify
7
7
  attr_reader :config, :repo, :matcher_list
8
8
  def initialize(args)
9
9
  @config = args[:config] || {}
10
- @repo = Repo.new(args[:repo], ignored_paths)
10
+ @repo = Repo.new(args, ignored_paths)
11
11
  @matcher_list = MatcherList.new
12
12
  end
13
13
 
@@ -20,6 +20,7 @@ module Sanctify
20
20
  end
21
21
  end
22
22
  end
23
+ puts "SUCCESS! No Secrets Found in #{repo.path}"
23
24
  end
24
25
 
25
26
  private
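Review bot: `puts "SUCCESS! No Secrets Found in #{repo.path}"` is only correct if the loop above terminates the process whenever a matcher hits, which this hunk does not show; since the README now promises exit code 1 on findings and 0 otherwise, make the status explicit here (for example return `true`/`false` from this method and have `cli.rb` call `exit(found ? 1 : 0)`) rather than relying on control flow elsewhere to set it.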
@@ -1,3 +1,3 @@
1
1
  module Sanctify
2
- VERSION = "0.1.1"
2
+ VERSION = "0.2.0"
3
3
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: sanctify
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.1
4
+ version: 0.2.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Ryan Canty
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2018-01-08 00:00:00.000000000 Z
11
+ date: 2018-01-09 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bundler
@@ -109,7 +109,6 @@ files:
109
109
  - lib/sanctify/repo.rb
110
110
  - lib/sanctify/scanner.rb
111
111
  - lib/sanctify/version.rb
112
- - sanctify-0.1.0.gem
113
112
  - sanctify.gemspec
114
113
  homepage: https://github.com/onetwopunch/sanctify
115
114
  licenses:
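Review bot: removing `- sanctify-0.1.0.gem` from `files:` is the right fix for the built artifact that was packaged inside 0.1.1 (the matching `data/sanctify-0.1.0.gem DELETED` entry below confirms it); to keep this from recurring, add `*.gem` to `.gitignore` and have the gemspec derive `files` from `git ls-files` so a stray `rake build` output can never be shipped again.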
data/sanctify-0.1.0.gem DELETED
Binary file