enhancement: add git secrets scan to CI

aws · Jul 30, 2024 · ebc639e · ebc639e
1 parent 33de264
commit ebc639e
Show file tree

Hide file tree

Showing 2 changed files with 78 additions and 0 deletions.
diff --git a/.github/workflows/git-secrets-scan.yml b/.github/workflows/git-secrets-scan.yml
@@ -0,0 +1,77 @@
+name: Git Secrets Scan
+
+on:
+  pull_request:
+    branches:
+      - master
+
+jobs:
+  git-secrets-scan:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Set up Git Secrets
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y git
+          git clone https://github.com/awslabs/git-secrets.git
+          cd git-secrets
+          sudo make install
+          cd ..
+          git secrets --install
+          git secrets --register-aws
+
+      - name: Fetch previous commit
+        run: |
+          git fetch origin +refs/heads/${{ github.base_ref }}:refs/remotes/origin/${{ github.base_ref }}
+          export DIFF=$(git diff origin/${{ github.base_ref }} HEAD)
+          echo "${DIFF}" > diff.txt
+
+      - name: Filter out skipped patterns
+        run: |
+          skippedPrefixes=(
+            'src/data/s3control/2018-08-20/endpoint-tests-1.json.php'
+            'tests/DynamoDb/MarshalerTest.php'
+            '- '
+            '\[ERROR\]'
+            '\\n'
+            'PHP_EOL'
+            'Possible'
+            '/usr/local/bin/git-secrets:'
+            'tests/S3Control'
+            'tests/Arn'
+          )
+          
+          skippedRegexes=(
+            '/examples-/'
+            '/UpdateDataSourceRequest\$Credentials/'
+            '/"AccountId": "123456789012"/'
+            '/"AccountId": "999999999999"/'
+            '/"Username": "username"/'
+            '/"Password": "password"/'
+            '/RegisterUserResponse\$UserInvitationUrl/'
+          )
+
+          # Filter out lines matching skipped prefixes
+          for prefix in "${skippedPrefixes[@]}"; do
+            sed -i "\|${prefix}|d" diff.txt
+          done
+
+          # Filter out lines matching skipped regexes
+          for regex in "${skippedRegexes[@]}"; do
+            sed -i -E "${regex}d" diff.txt
+          done
+
+      - name: Run Git Secrets scan on filtered diff
+        run: |
+          if [ -s diff.txt ]; then
+            status=$?
+            if [ $status -ne 0 ]; then
+              exit $status
+            fi
+          else
+            echo "No differences found."
+          fi
diff --git a/tests/Credentials/CredentialProviderTest.php b/tests/Credentials/CredentialProviderTest.php
@@ -1762,6 +1762,7 @@ function ($c, $r) use ($result) {
 
     public function testEnsuresAssumeRoleWebIdentityProfileIsPresent()
     {
+        $accountId = '999999999999';
         $this->expectExceptionMessage("Unknown profile: fooProfile");
         $this->expectException(\Aws\Exception\CredentialsException::class);
         $dir = $this->clearEnv();