From 66d887777fb2cbb935706b1de2e96ed1a6f7e243 Mon Sep 17 00:00:00 2001
From: Savvas Kyriacou
Date: Thu, 30 May 2024 16:52:41 +0100
Subject: [PATCH 1/4] created detect-secrets baseline and added call to build locally script
Signed-off-by: Savvas Kyriacou
---
 .secrets.baseline | 85 +++++++++++++++++++++++++++++++++++++++++++++++
 build-locally.sh | 28 +++++++++++++++-
 2 files changed, 112 insertions(+), 1 deletion(-)
 create mode 100644 .secrets.baseline
diff --git a/.secrets.baseline b/.secrets.baseline
new file mode 100644
index 00000000..68a99d59
--- /dev/null
+++ b/.secrets.baseline
@@ -0,0 +1,85 @@ +{ + "exclude": { + "files": ".*/src/test/.*|^/Users/savvas/Documents/GitHub/extensions/.secrets.baseline$", + "lines": null + }, + "generated_at": "2024-05-30T15:51:49Z", + "plugins_used": [ + { + "name": "AWSKeyDetector" + }, + { + "name": "ArtifactoryDetector" + }, + { + "name": "AzureStorageKeyDetector" + }, + { + "base64_limit": 4.5, + "name": "Base64HighEntropyString" + }, + { + "name": "BasicAuthDetector" + }, + { + "name": "BoxDetector" + }, + { + "name": "CloudantDetector" + }, + { + "ghe_instance": "github.ibm.com", + "name": "GheDetector" + }, + { + "name": "GitHubTokenDetector" + }, + { + "hex_limit": 3, + "name": "HexHighEntropyString" + }, + { + "name": "IbmCloudIamDetector" + }, + { + "name": "IbmCosHmacDetector" + }, + { + "name": "JwtTokenDetector" + }, + { + "keyword_exclude": null, + "name": "KeywordDetector" + }, + { + "name": "MailchimpDetector" + }, + { + "name": "NpmDetector" + }, + { + "name": "PrivateKeyDetector" + }, + { + "name": "SlackDetector" + }, + { + "name": "SoftlayerDetector" + }, + { + "name": "SquareOAuthDetector" + }, + { + "name": "StripeDetector" + }, + { + "name": "TwilioKeyDetector" + } + ], + "results": {}, + "version": "0.13.1+ibm.62.dss", + "word_list": { + "file": null, + "hash": null + } +}
diff --git a/build-locally.sh b/build-locally.sh
index c53128cc..2b5750a1 100755
--- a/build-locally.sh
+++ b/build-locally.sh
@@ -75,6 +75,16 @@ LOGS_DIR - Optional. Where logs are placed. Defaults to creating a temporary dir
 EOF
 }
+function check_exit_code () {
+ # This function takes 3 parameters in the form:
+ # $1 an integer value of the expected exit code
+ # $2 an error message to display if $1 is not equal to 0
+ if [[ "$1" != "0" ]]; then
+ error "$2"
+ exit 1
+ fi
+}
+
 
 #-----------------------------------------------------------------------------------------
 # Process parameters
 #-----------------------------------------------------------------------------------------
@@ -180,7 +190,8 @@ function build_with_gradle {
 ${goals}"
 info "Using command: $cmd"
 $cmd 2>&1 > ${log_file}
- rc=$? ; if [[ "${rc}" != "0" ]]; then cat ${log_file} ; error "Failed to build ${project} with gradle." ; exit 1 ; fi
+ rc=$?
+ check_exit_code 0 "Failed to build ${project} with gradle."
 }
 
 function displayCouchDbCodeCoverage {
@@ -196,8 +207,23 @@ function displayCouchDbCodeCoverage {
 info "See html report here: file://${BASEDIR}/galasa-extensions-parent/dev.galasa.ras.couchdb/build/jacocoHtml/index.html"
 }
 
+function check_secrets {
+ h2 "updating secrets baseline"
+ detect-secrets scan --exclude-files '.*/src/test/.*' --update ${BASEDIR}/.secrets.baseline
+ rc=$?
+ check_exit_code $rc "Failed to run detect-secrets. Please check it is installed properly"
+ success "updated secrets file"
+
+ h2 "running audit for secrets"
+ detect-secrets audit ${BASEDIR}/.secrets.baseline
+ rc=$?
+ check_exit_code 0 "Failed to audit detect-secrets."
+ success "secrets audit complete"
+}
+
 
 clean_maven_repo
 build_with_gradle
 displayCouchDbCodeCoverage
+check_secrets
 success "Project ${project} built - OK - log is at ${log_file}"
\ No newline at end of file
From acc849096cd5b7c590ac0b042f2bd94ffe11ab83 Mon Sep 17 00:00:00 2001
From: Savvas Kyriacou
Date: Thu, 30 May 2024 16:58:23 +0100
Subject: [PATCH 2/4] corrected filepath issue with basline file
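Review bot: The header comment on check_exit_code does not match the function: it says the function takes 3 parameters when the body reads only `$1` and `$2`, and it calls `$1` the "expected exit code" when the body compares it against the literal 0, so `$1` is the actual exit status of the command just run. I would replace the three comment lines with `# $1 - exit status of the command just run; the check fires when it is non-zero` and `# $2 - message passed to error() before exiting with status 1`. The caller in the build_with_gradle hunk below passes a literal 0 for `$1`, which the comment as written invites; documenting `$1` as the actual status makes that misuse visible.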
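Review bot: The rewritten failure path in build_with_gradle drops the `cat ${log_file}` that the removed line ran, so a failed gradle build now exits without showing the log it just wrote; PATCH 3/4 in this series corrects the literal 0 passed to check_exit_code but does not restore the log dump. As written here the check also cannot fire at all, because `check_exit_code 0 ...` compares the literal 0 rather than `$rc`. I would write the three lines as `rc=$?`, `[[ "${rc}" == "0" ]] || cat "${log_file}"`, `check_exit_code "${rc}" "Failed to build ${project} with gradle."`. build_with_gradle starts outside the hunk.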
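Review bot: Nothing in check_secrets fails the build when a new secret is introduced: `detect-secrets scan --update` returns 0 and writes any new finding into `.secrets.baseline`, and the audit line then calls `check_exit_code 0 ...` with a literal 0, so the only gate is whatever the developer answers at the interactive `detect-secrets audit` prompt (PATCH 3/4 and 4/4 fix the literal and add a count check but keep the update-first order). A stronger gate is to compare a plain scan against the committed baseline and fail on any entry not already recorded, leaving `--update` as an explicit maintainer step rather than something every local build does. Separately, `${BASEDIR}` is unquoted in both detect-secrets calls, `"${BASEDIR}/.secrets.baseline"`, and calling check_secrets before build_with_gradle in the bottom block would stop the build before artifacts that could embed a leaked credential are produced.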
Signed-off-by: Savvas Kyriacou
---
 .secrets.baseline | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.secrets.baseline b/.secrets.baseline
index 68a99d59..784e03bd 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -1,6 +1,6 @@ { "exclude": { - "files": ".*/src/test/.*|^/Users/savvas/Documents/GitHub/extensions/.secrets.baseline$", + "files": ".*/src/test/.*|.*/.secrets.baseline$", "lines": null }, "generated_at": "2024-05-30T15:51:49Z",
From 4104b40a091a80f60e75d2708a63378272d46df9 Mon Sep 17 00:00:00 2001
From: Savvas Kyriacou
Date: Fri, 31 May 2024 13:58:47 +0100
Subject: [PATCH 3/4] created detect-secrets baseline and added call to build locally script
Signed-off-by: Savvas Kyriacou
---
 .secrets.baseline | 4 ++--
 build-locally.sh | 9 +++++----
 2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/.secrets.baseline b/.secrets.baseline
index 784e03bd..82286da5 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -1,9 +1,9 @@ { "exclude": { - "files": ".*/src/test/.*|.*/.secrets.baseline$", + "files": ".*/src/test/.*|^.secrets.baseline$", "lines": null }, - "generated_at": "2024-05-30T15:51:49Z", + "generated_at": "2024-05-31T12:57:28Z", "plugins_used": [ { "name": "AWSKeyDetector"
diff --git a/build-locally.sh b/build-locally.sh
index 2b5750a1..1e4cf9d2 100755
--- a/build-locally.sh
+++ b/build-locally.sh
@@ -191,7 +191,7 @@ function build_with_gradle {
 info "Using command: $cmd"
 $cmd 2>&1 > ${log_file}
 rc=$?
- check_exit_code 0 "Failed to build ${project} with gradle."
+ check_exit_code $rc "Failed to build ${project} with gradle."
 }
 
 function displayCouchDbCodeCoverage {
@@ -209,15 +209,16 @@ function displayCouchDbCodeCoverage {
 
 function check_secrets {
 h2 "updating secrets baseline"
- detect-secrets scan --exclude-files '.*/src/test/.*' --update ${BASEDIR}/.secrets.baseline
+ cd ${BASEDIR}
+ detect-secrets scan --exclude-files '.*/src/test/.*' --update .secrets.baseline
 rc=$?
 check_exit_code $rc "Failed to run detect-secrets. Please check it is installed properly"
 success "updated secrets file"
 
 h2 "running audit for secrets"
- detect-secrets audit ${BASEDIR}/.secrets.baseline
+ detect-secrets audit .secrets.baseline
 rc=$?
- check_exit_code 0 "Failed to audit detect-secrets."
+ check_exit_code $rc "Failed to audit detect-secrets."
 success "secrets audit complete"
 }
 
From 4d3469dcf69f9b44a2160ed89053dd6c0692eb7d Mon Sep 17 00:00:00 2001
From: Savvas Kyriacou
Date: Mon, 3 Jun 2024 11:11:39 +0100
Subject: [PATCH 4/4] added test files to detect-secrets and audited the secrets
Signed-off-by: Savvas Kyriacou
---
 .secrets.baseline | 4 ++--
 build-locally.sh | 10 +++++++++-
 2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/.secrets.baseline b/.secrets.baseline
index 82286da5..bc173c72 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -1,9 +1,9 @@ { "exclude": { - "files": ".*/src/test/.*|^.secrets.baseline$", + "files": "^.secrets.baseline$", "lines": null }, - "generated_at": "2024-05-31T12:57:28Z", + "generated_at": "2024-06-03T10:11:05Z", "plugins_used": [ { "name": "AWSKeyDetector"
diff --git a/build-locally.sh b/build-locally.sh
index 1e4cf9d2..27f67a0c 100755
--- a/build-locally.sh
+++ b/build-locally.sh
@@ -210,7 +210,7 @@ function displayCouchDbCodeCoverage {
 function check_secrets {
 h2 "updating secrets baseline"
 cd ${BASEDIR}
- detect-secrets scan --exclude-files '.*/src/test/.*' --update .secrets.baseline
+ detect-secrets scan --update .secrets.baseline
 rc=$?
 check_exit_code $rc "Failed to run detect-secrets. Please check it is installed properly"
 success "updated secrets file"
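Review bot: The new `cd ${BASEDIR}` in check_secrets has no failure check, so if BASEDIR is empty or unset the script silently stays in the caller's directory and `detect-secrets scan --update .secrets.baseline` creates or rewrites a baseline there rather than the project's; the directory change also persists for the rest of the script instead of being scoped to this function. I would write it as `cd "${BASEDIR:?BASEDIR is not set}" || { error "Cannot change to ${BASEDIR}"; exit 1; }`, and run the two detect-secrets calls in a subshell or pushd/popd pair if anything after check_secrets depends on the caller's working directory.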
@@ -219,6 +219,14 @@ function check_secrets {
 detect-secrets audit .secrets.baseline
 rc=$?
 check_exit_code $rc "Failed to audit detect-secrets."
+
+ #Check all secrets have been audited
+ secrets=$(grep -c hashed_secret .secrets.baseline)
+ audits=$(grep -c is_secret .secrets.baseline)
+ if [[ "$secrets" != "$audits" ]]; then
+ error "Not all secrets found have been audited"
+ exit 1
+ fi
 success "secrets audit complete"
 }
 
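Review bot: The count comparison only establishes that every `hashed_secret` entry carries some `is_secret` key; an entry the auditor confirmed as a real credential (`"is_secret": true`) counts as audited, so a baseline that records a genuine secret still passes this gate and the build succeeds. I would add, before the success line, `if grep -q '"is_secret": true' .secrets.baseline; then error "Baseline contains entries audited as real secrets"; exit 1; fi`, and extend the `#Check` comment to say that `grep -c` counts lines, so the check relies on detect-secrets writing one key per line. Because the scan earlier in this function runs with `--update`, the check also cannot catch a real credential that was answered as a false positive at the audit prompt; only review of the `.secrets.baseline` diff covers that case. check_secrets starts outside the hunk.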