test: Add check for secrets in PRs (#775)

awslabs · Oct 28, 2021 · 963cc42 · 963cc42
1 parent e69c6a6
commit 963cc42
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 0 deletions.
diff --git a/.gitallowed b/.gitallowed
@@ -0,0 +1,13 @@
+# This file matches on the word Brazil (the country)
+main/solution/ui/src/css/semantic.min.css
+.gitallowed
+.github/workflows/unit-test-code-analysis.yml
+
+# Fake Account id used for testing
+123456789011
+999999999999
+012345678910
+111111111111
+012345678998
+123456789012
+333333333333
diff --git a/.github/workflows/unit-test-code-analysis.yml b/.github/workflows/unit-test-code-analysis.yml
@@ -46,3 +46,27 @@ jobs:
           pnpm run coverage --recursive --if-present --stream
       - name: CodeCov
         run: bash <(curl -s https://codecov.io/bash) -f ./coverage/coverage-final.json
+  scan-for-secrets:
+    name: Scan for secrets
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install Git Secret
+        run: |
+          cd ~
+          git clone https://github.com/awslabs/git-secrets.git && cd git-secrets
+          sudo make install
+          git secrets --register-aws --global
+          # Prevent leakage of internal tools
+          git secrets --add '[aA]pollo|[bB]razil|[cC]oral|[oO]din' --global
+          git secrets --add 'tt\.amazon\.com|issues\.amazon\.com|cr\.amazon\.com' --global
+          # Prevent leakage of aws-iso
+          git secrets --add 'ic\.gov|sgov\.gov' --global
+          git secrets --add 'us-iso|aws-iso' --global
+          git secrets --add 'smil\.mil' --global
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Run Git Secret
+        run: git secrets --scan
+      - name: Print remediation message
+        if: failure()
+        run: echo "Check if creds was leaked. If yes, revoke the credentials and create a new PR"