@ministryofjustice/hmpps-precommit-hooks 2.0.0-beta.5 → 2.0.0-beta.6

package/README.md

@@ -2,10 +2,12 @@
 
 This package aims to automatically install and configure pre-commit hooks using [prek](https://github.com/pre-commit/pre-commit) to help catch potential secrets and code quality issues before committing them to github.
 
+This uses devsecops-hooks to run gitleaks - further information about it's use can be found [here](https://github.com/ministryofjustice/devsecops-hooks).
+
 ## Status
 
 **This library is currently: ready to adopt.**
-Teams are welcome to use this library. Please provide feedback via slack to the `#typescript` channel.
+Teams are encouraged to use this library. Please provide feedback via slack to the `#typescript` channel.
 
 ## Migration from Husky
 
@@ -43,12 +45,16 @@ The package will create a `.pre-commit-config.yaml` file in your project root th
 HMPPS_HOOKS_VERSION: 1
 
 repos:
+  - repo: https://github.com/ministryofjustice/devsecops-hooks
+    rev: v1.4.1
+    hooks:
+      - id: baseline
+    env:
+      GITLEAKS_CONFIGURATION_FILE: ./.gitleaks/gitleaks.toml
+      GITLEAKS_IGNORE_FILE: ./.gitleaks/.gitleaksignore
+
   - repo: local
     hooks:
-      - id: gitleaks
-        name: Scan commit for secrets
-        language: system
-        entry: gitleaks git --pre-commit --redact --staged --verbose --config .gitleaks/config.toml --gitleaks-ignore-path .gitleaks/.gitleaksignore
       - id: lint
         name: linting code
         language: system
@@ -91,6 +97,8 @@ You can modify the `.pre-commit-config.yaml` file in your project to:
 
 See the [pre-commit documentation](https://pre-commit.com/) for more details on hook configuration.
 
+Also see [here](https://github.com/ministryofjustice/devsecops-hooks) for more information about the devsecops-hooks.
+
 ### Dealing with false positives
 
 When a secret is detected, gitleaks will create a fingerprint. If the secret is a false positive then this can be added to the `./gitleaks/.gitleaksignore` to exclude from future scans.
@@ -133,7 +141,7 @@ prek run --all-files
 Or run specific hooks:
 
 ```bash
-prek run gitleaks
+prek run baseline
 prek run lint
 ```
 
@@ -149,30 +157,41 @@ This should fail similarly to:
 
 ```bash
 > npx -p @ministryofjustice/hmpps-precommit-hooks -c test-secret-protection
-Creating test file containing dummy AWS_KEY=AKIA<SOME-VALUE>ASD
+Creating test file containing dummy key: 'fake_key=sk-2949185920abcdef'
 Attempting to commit file containing secret
-
-> some-project@0.0.1 precommit:secrets
-> gitleaks git --pre-commit --redact --staged --verbose
-
-
-    ○
-    │╲
-    │ ○
-    ○ ░
-    ░    gitleaks
-
-Finding:     fake__key=REDACTED
-Secret:      REDACTED
-RuleID:      aws-access-token
-Entropy:     3.546439
-File:        demo-password.txt
-Line:        1
-Fingerprint: demo-password.txt:aws-access-token:1
-
-12:49PM INF 1 commits scanned.
-12:49PM INF scanned ~34 bytes (34 bytes) in 20.7ms
-12:49PM WRN leaks found: 1
+🔐 Ministry of Justice - Scanner.........................................Failed
+- hook id: baseline
+- duration: 1.63s
+- exit code: 1
+
+  ⚡️ Ministry of Justice - Scanner 1.4.0 ⚡️
+
+
+      ○
+      │╲
+      │ ○
+      ○ ░
+      ░    gitleaks
+
+  Finding:     fake_key=REDACTED
+  Secret:      REDACTED
+  RuleID:      generic-api-key
+  Entropy:     3.892407
+  File:        demo-password.txt
+  Line:        1
+  Fingerprint: demo-password.txt:generic-api-key:1
+
+  9:51AM INF 0 commits scanned.
+  9:51AM INF scanned ~4868 bytes (4.87 KB) in 350ms
+  9:51AM WRN leaks found: 1
+linting code.........................................(no files to check)Skipped
+verify types.........................................(no files to check)Skipped
+running tests........................................(no files to check)Skipped
+fix end of files.........................................................Passed
+trim trailing whitespace.................................................Passed
+check json...............................................................Passed
+check yaml...............................................................Passed
+check for merge conflicts................................................Passed
 ```
 
 (This will create a `./demo-password.txt` file that will need to be deleted separately)

package/bin/prepare.sh

@@ -40,13 +40,6 @@ if ! command -v brew > /dev/null 2> /dev/null; then
   exit 0
 fi
 
-# Install gitleaks if not present - this will be used by prek for secret scanning until we move over to devsecops hooks
-if ! command -v gitleaks > /dev/null 2> /dev/null; then
-  startStage "Installing gitleaks"
-  brew install gitleaks
-  endStage " ✅ "
-fi
-
 # Install prek
 if ! command -v prek > /dev/null 2> /dev/null; then
   startStage "Installing prek"

package/default-hooks.yaml

@@ -5,19 +5,16 @@
 # Other hooks maybe added or removed as needed to suit individual project requirements.
 
 repos:
-  #. Temporary disabled while we investigate issues with it
-  #  - repo: https://github.com/ministryofjustice/devsecops-hooks
-  #    rev: v1.1.0
-  #    hooks:
-  #      - id: baseline
+  - repo: https://github.com/ministryofjustice/devsecops-hooks
+    rev: v1.4.1
+    hooks:
+      - id: baseline
+    env:
+      GITLEAKS_CONFIGURATION_FILE: ./.gitleaks/gitleaks.toml
+      GITLEAKS_IGNORE_FILE: ./.gitleaks/.gitleaksignore
+
   - repo: local
     hooks:
-      - id: gitleaks
-        name: Scan commit for secrets
-        language: system
-        entry: gitleaks git --pre-commit --redact --staged --verbose --config .gitleaks/config.toml --gitleaks-ignore-path .gitleaks/.gitleaksignore
-        require_serial: true
-        pass_filenames: false
       - id: lint
         name: linting code
         language: system

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ministryofjustice/hmpps-precommit-hooks",
-  "version": "2.0.0-beta.5",
+  "version": "2.0.0-beta.6",
   "description": "Precommit hooks for HMPPS typescript projects",
   "keywords": [
     "precommit"