shuttlerock_shared_config 0.2.31 → 0.2.32

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8f344aa5b492eade85bde5c058ca82a0924a994a3f99428ce1ab4605a658e5c0
-  data.tar.gz: c57afb357d64b55ca5dd05e036c2cc7b514100dd38e6cfc7ed1c3a62084ae1c5
+  metadata.gz: f860efc08c45b143efe1269e873978274e9f2cc0b7bfa1d153503dedc8324767
+  data.tar.gz: 51a8f8d7c980b3e27604bee962eb67546e109e180270cfbfe0c12ac37dad200f
 SHA512:
-  metadata.gz: 8b3b405287866c57ed68ff932b4dcd46152d1b724ca719108a8c447a69a3e62c878286d362fc143aac6361090f92cb0e243d143377c6d22fe7ca75c73f476869
-  data.tar.gz: a7791ea0fe0b3c755ad13a5edaaa62fa62e55f552fa992adeabfc75030f676c3c4a6a6676a4e770d6d162025742fcc2261d3a5baf4f8362a28c1297e04eec22e
+  metadata.gz: 3b142dfb076a5f67db27dbc62faa1d5155f42915e8767c89dd6a75a019bd3bcc405459dbfdd81d94319545f8cc344cf68feac5a600a64914075d8d0b0eacc9f3
+  data.tar.gz: 1500ae49faf0bdcbca9344cb52a532d2a8e13f7660f68bd9831276d72f463a83d5c42576470bdfd08b985a05f45b4fd794d0e4c0b68159fc2a88b535139ecc6f

data/lib/shuttlerock_shared_config/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module ShuttlerockSharedConfig
-  VERSION = '0.2.31'
+  VERSION = '0.2.32'
 end

data/lib/tasks/tasks.rb

@@ -4,7 +4,7 @@ require 'rake'
 require 'fileutils'
 
 namespace :shuttlerock_shared_config do
-  task update: %i[update_codeclimate update_eslint update_rubocop update_stylelintrc update_dangerfile update_pull_request_template update_codecov] do
+  task update: %i[update_codeclimate update_eslint update_rubocop update_stylelintrc update_dangerfile update_pull_request_template update_codecov update_gitleaks] do
   end
 
   desc 'Update .codeclimate.yml'
@@ -69,4 +69,17 @@ namespace :shuttlerock_shared_config do
     FileUtils.copy(input_path, Dir.pwd)
     warn('Updated codecov.yml')
   end
+
+  desc 'Update gitleaks'
+  task :update_gitleaks do
+    input_path = File.expand_path('../../lib/templates/gitleaks.yml', __dir__)
+    result_dir = Dir.pwd + '/.github/workflows'
+    FileUtils.mkdir_p(result_dir) unless File.directory?(result_dir)
+    FileUtils.copy(input_path, result_dir)
+    warn('Updated /.github/workflows/gitleaks.yml')
+
+    input_path = File.expand_path('../../lib/templates/.gitleaks.toml', __dir__)
+    FileUtils.copy(input_path, Dir.pwd)
+    warn('Updated .gitleaks.toml')
+  end
 end

data/lib/templates/.gitleaks.toml

@@ -0,0 +1,194 @@
+title = "gitleaks config"
+
+[[rules]]
+	description = "AWS Manager ID"
+	regex = '''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'''
+	tags = ["key", "AWS"]
+
+[[rules]]
+	description = "AWS cred file info"
+	regex = '''(?i)(aws_access_key_id|aws_secret_access_key)(.{0,20})?=.[0-9a-zA-Z\/+]{20,40}'''
+	tags = ["AWS"]
+
+[[rules]]
+	description = "AWS Secret Key"
+	regex = '''(?i)aws(.{0,20})?(?-i)['\"][0-9a-zA-Z\/+]{40}['\"]'''
+	tags = ["key", "AWS"]
+
+[[rules]]
+	description = "AWS MWS key"
+	regex = '''amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'''
+	tags = ["key", "AWS", "MWS"]
+
+[[rules]]
+	description = "Facebook Secret Key"
+	regex = '''(?i)(facebook|fb)(.{0,20})?(?-i)['\"][0-9a-f]{32}['\"]'''
+	tags = ["key", "Facebook"]
+
+[[rules]]
+	description = "Facebook Client ID"
+	regex = '''(?i)(facebook|fb)(.{0,20})?['\"][0-9]{13,17}['\"]'''
+	tags = ["key", "Facebook"]
+
+[[rules]]
+	description = "Twitter Secret Key"
+	regex = '''(?i)twitter(.{0,20})?['\"][0-9a-z]{35,44}['\"]'''
+	tags = ["key", "Twitter"]
+
+[[rules]]
+	description = "Twitter Client ID"
+	regex = '''(?i)twitter(.{0,20})?['\"][0-9a-z]{18,25}['\"]'''
+	tags = ["client", "Twitter"]
+
+[[rules]]
+	description = "Github"
+	regex = '''(?i)github(.{0,20})?(?-i)['\"][0-9a-zA-Z]{35,40}['\"]'''
+	tags = ["key", "Github"]
+
+[[rules]]
+	description = "LinkedIn Client ID"
+	regex = '''(?i)linkedin(.{0,20})?(?-i)['\"][0-9a-z]{12}['\"]'''
+	tags = ["client", "LinkedIn"]
+
+[[rules]]
+	description = "LinkedIn Secret Key"
+	regex = '''(?i)linkedin(.{0,20})?['\"][0-9a-z]{16}['\"]'''
+	tags = ["secret", "LinkedIn"]
+
+[[rules]]
+	description = "Slack"
+	regex = '''xox[baprs]-([0-9a-zA-Z]{10,48})?'''
+	tags = ["key", "Slack"]
+
+[[rules]]
+	description = "EC"
+	regex = '''-----BEGIN EC PRIVATE KEY-----'''
+	tags = ["key", "EC"]
+
+
+[[rules]]
+	description = "Google API key"
+	regex = '''AIza[0-9A-Za-z\\-_]{35}'''
+	tags = ["key", "Google"]
+
+
+[[rules]]
+	description = "Heroku API key"
+	regex = '''(?i)heroku(.{0,20})?['"][0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['"]'''
+	tags = ["key", "Heroku"]
+
+[[rules]]
+	description = "MailChimp API key"
+	regex = '''(?i)(mailchimp|mc)(.{0,20})?['"][0-9a-f]{32}-us[0-9]{1,2}['"]'''
+	tags = ["key", "Mailchimp"]
+
+[[rules]]
+	description = "Mailgun API key"
+	regex = '''(?i)(mailgun|mg)(.{0,20})?['"][0-9a-z]{32}['"]'''
+	tags = ["key", "Mailgun"]
+
+[[rules]]
+	description = "PayPal Braintree access token"
+	regex = '''access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}'''
+	tags = ["key", "Paypal"]
+
+[[rules]]
+	description = "Picatic API key"
+	regex = '''sk_live_[0-9a-z]{32}'''
+	tags = ["key", "Picatic"]
+
+[[rules]]
+	description = "Slack Webhook"
+	regex = '''https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}'''
+	tags = ["key", "slack"]
+
+[[rules]]
+	description = "Stripe API key"
+	regex = '''(?i)stripe(.{0,20})?['\"][sk|rk]_live_[0-9a-zA-Z]{24}'''
+	tags = ["key", "Stripe"]
+
+[[rules]]
+	description = "Square access token"
+	regex = '''sq0atp-[0-9A-Za-z\-_]{22}'''
+	tags = ["key", "square"]
+
+[[rules]]
+	description = "Square OAuth secret"
+	regex = '''sq0csp-[0-9A-Za-z\\-_]{43}'''
+	tags = ["key", "square"]
+
+[[rules]]
+	description = "Twilio API key"
+	regex = '''(?i)twilio(.{0,20})?['\"][0-9a-f]{32}['\"]'''
+	tags = ["key", "twilio"]
+
+[[rules]]
+	description = "Env Var"
+	regex = '''(?i)(apikey|secret|key|api|password|pass|pw|host)=[0-9a-zA-Z-_.{}]{4,120}'''
+
+[[rules]]
+	description = "Port"
+	regex = '''(?i)port(.{0,4})?[0-9]{1,10}'''
+	[rules.allowlist]
+		regexes = ['''(?i)port ''']
+		description = "ignore export "
+
+
+
+[[rules]]
+	description = "Email"
+	regex = '''[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}'''
+	tags = ["email"]
+	[rules.allowlist]
+		files = ['''(?i)bashrc''']
+		description = "ignore bashrc emails"
+
+
+[[rules]]
+	description = "Generic Credential"
+	regex = '''(?i)(dbpasswd|dbuser|dbname|dbhost|api_key|apikey|secret|key|api|password|user|guid|hostname|pw|auth)(.{0,20})?['|"]([0-9a-zA-Z-_\/+!{}/=]{4,120})['|"]'''
+	tags = ["key", "API", "generic"]
+	# ignore leaks with specific identifiers like slack and aws
+	[rules.allowlist]
+		description = "ignore slack, mailchimp, aws"
+		regexes = [
+		    '''xox[baprs]-([0-9a-zA-Z]{10,48})''',
+		    '''(?i)(.{0,20})?['"][0-9a-f]{32}-us[0-9]{1,2}['"]''',
+		    '''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'''
+		]
+
+[[rules]]
+	description = "High Entropy"
+	regex = '''[0-9a-zA-Z-_!{}/=]{4,120}'''
+  	file = '''(?i)(dump.sql|high-entropy-misc.txt)$'''
+	tags = ["entropy"]
+    [[rules.Entropies]]
+        Min = "4.3"
+        Max = "7.0"
+    [rules.allowlist]
+        description = "ignore ssh key and pems"
+        files = ['''(pem|ppk|env)$''']
+        paths = ['''(.*)?ssh''']
+
+[[rules]]
+	description = "Potential bash var"
+	regex='''(?i)(=)([0-9a-zA-Z-_!{}=]{4,120})'''
+	tags = ["key", "bash", "API", "generic"]
+        [[rules.Entropies]]
+            Min = "3.5"
+            Max = "4.5"
+            Group = "1"
+
+[[rules]]
+	description = "WP-Config"
+	regex='''define(.{0,20})?(DB_CHARSET|NONCE_SALT|LOGGED_IN_SALT|AUTH_SALT|NONCE_KEY|DB_HOST|DB_PASSWORD|AUTH_KEY|SECURE_AUTH_KEY|LOGGED_IN_KEY|DB_NAME|DB_USER)(.{0,20})?['|"].{10,120}['|"]'''
+	tags = ["key", "API", "generic"]
+
+[[rules]]
+	description = "Files with keys and credentials"
+    file = '''(?i)(id_rsa|passwd|id_rsa.pub|pgpass|pem|key|shadow)'''
+
+# Global allowlist
+[allowlist]
+	description = "image allowlists"
+	files = ['''(.*?)(jpg|gif|doc|pdf|bin)$''']

data/lib/templates/.rubocop.yml

@@ -45,6 +45,15 @@ Layout/HashAlignment:
 Rails/ApplicationController:
   Enabled: true
 
+Rails/AfterCommitOverride:
+  Enabled: true
+
+Rails/SquishedSQLHeredocs:
+  Enabled: true
+
+Rails/WhereNot:
+  Enabled: true
+
 Style/Documentation:
   Enabled: false
 
@@ -77,9 +86,33 @@ Naming/MethodParameterName:
 Naming/BlockParameterName:
   MinNameLength: 2
 
+Lint/ConstantDefinitionInBlock:
+  Enabled: true
+
 Lint/DeprecatedOpenSSLConstant:
   Enabled: true
 
+Lint/DuplicateRequire:
+  Enabled: true
+
+Lint/EmptyFile:
+  Enabled: true
+
+Lint/IdentityComparison:
+  Enabled: true
+
+Lint/TrailingCommaInAttributeDeclaration:
+  Enabled: true
+
+Lint/UselessMethodDefinition:
+  Enabled: true
+
+Lint/UselessTimes:
+  Enabled: true
+
+Layout/BeginEndAlignment:
+  Enabled: true
+
 Layout/EmptyLinesAroundBlockBody:
   Enabled: false
 
@@ -115,6 +148,9 @@ Style/ClassAndModuleChildren:
   Enabled:       true
   EnforcedStyle: compact
 
+Style/CombinableLoops:
+  Enabled: true
+
 Style/ExponentialNotation:
   Enabled: false
 
@@ -130,6 +166,9 @@ Style/HashTransformKeys:
 Style/HashTransformValues:
   Enabled: true
 
+Style/KeywordParametersOrder:
+  Enabled: true
+
 Style/RedundantReturn:
   Enabled: false
 
@@ -139,9 +178,15 @@ Style/RedundantRegexpCharacterClass:
 Style/RedundantRegexpEscape:
   Enabled: false
 
+Style/RedundantSelfAssignment:
+  Enabled: true
+
 Style/SlicingWithRange:
   Enabled: true
 
+Style/SoleNestedConditional:
+  Enabled: true
+
 Style/TrailingCommaInArguments:
   Enabled:                   true
   EnforcedStyleForMultiline: comma

data/lib/templates/gitleaks.yml

@@ -0,0 +1,11 @@
+name: gitleaks
+
+on: [push,pull_request]
+
+jobs:
+  gitleaks:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v1
+    - name: gitleaks-action
+      uses: zricethezav/gitleaks-action@master

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: shuttlerock_shared_config
 version: !ruby/object:Gem::Version
-  version: 0.2.31
+  version: 0.2.32
 platform: ruby
 authors:
 - ElseThen
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-09-08 00:00:00.000000000 Z
+date: 2020-10-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -80,12 +80,14 @@ files:
 - lib/templates/.codeclimate.yml
 - lib/templates/.env.example
 - lib/templates/.eslintrc
+- lib/templates/.gitleaks.toml
 - lib/templates/.rubocop.yml
 - lib/templates/.stylelintrc
 - lib/templates/Dangerfile
 - lib/templates/PULL_REQUEST_TEMPLATE.md
 - lib/templates/codecov.yml
 - lib/templates/env_list.yml
+- lib/templates/gitleaks.yml
 homepage: https://github.com/Shuttlerock/shuttlerock_shared_config
 licenses:
 - MIT