diff --git a/.dockerignore b/.dockerignore
index c3e64e53..f695fe6d 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -8,7 +8,6 @@ node_modules/
 Dockerfile
 .git
-.git-crypt
 .idea
 **/__tests__
diff --git a/Dockerfile b/Dockerfile
index 5b08431d..36e71832 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,16 +12,6 @@ RUN yum -y -q update && \
     php php-cli && \
     yum -y -q clean all
-# Git-crypt
-ENV GIT_CRYPT_VERSION=0.6.0
-RUN cd /tmp && \
-    wget --quiet https://www.agwa.name/projects/git-crypt/downloads/git-crypt-${GIT_CRYPT_VERSION}.tar.gz && \
-    tar xzf git-crypt* && \
-    cd git-crypt* && \
-    make && \
-    make install && \
-    rm -rf /tmp/git-crypt*
-
 # Get nodejs repos
 ENV NODE_VERSION=10.10.0
 RUN curl --silent --location https://rpm.nodesource.com/setup_8.x | bash -
diff --git a/README.md b/README.md
index 96c2fdc9..c3f6fc0f 100644
--- a/README.md
+++ b/README.md
@@ -166,7 +166,7 @@ README.md
 There are a few options available:
 #### -a, --all: Running against all files rather than git tree
-Hawkeye by default will attempt to detect a .git folder in your target, if it is there it will only scan git tracked files. Further to that, if a .git-crypt folder is detected, we will also exclude files which are GPG encrypted. If there is no .git in the target directory, then all files will be scanned.
+Hawkeye by default will attempt to detect a .git folder in your target, if it is there it will only scan git tracked files. If there is no .git in the target directory, then all files will be scanned.
 You can override this behaviour with the `--all` flag, which will scan all files regardless.
@@ -188,7 +188,7 @@ This will post the results to a SumoLogic HTTP collector. See the SumoLogic sec
 #### -e, --exclude : Exclude files that match a specified RegEx pattern
 This parameter (which can be specified multiple times) allows you to specify patterns you wish to be excluded from the scan. For example `hawkeye scan -e "^test/"` would exclude all your test files. All paths are __relative__ to the `--target`.
-There are some global exclusions in place, and those are "^.git", "^.git-crypt" and "^node_modules".
+There are some global exclusions in place, and those are "^.git", "^node_modules".
 #### -l, --file-limit : Set limit on number of files to be scanned (Defaults to 1000)
 The `--file-limit` allows you to set a higher file limit thab the default (1000). This is useful when the target directory includes more files.
@@ -259,9 +259,6 @@ $ hawkeye scan
 [info] Node Check Updates dynamically loaded
 [info] Node Security Project dynamically loaded
 [info] git repo detected, will only use git tracked files
-[info] git-crypt detected, excluding files covered by GPG encryption
-[info] -> git-crypt status -e
-[info] Files excluded by git-crypt: 0
 [info] -> git ls-tree --full-tree --name-only -r HEAD
 [info] Files included in scan: 62
 [info] Target for scan: /Users/kstoney/git/stono/hawkeye
diff --git a/lib/__tests__/rc-unit.js b/lib/__tests__/rc-unit.js
index 2c0db78a..a775424a 100644
--- a/lib/__tests__/rc-unit.js
+++ b/lib/__tests__/rc-unit.js
@@ -72,7 +72,7 @@ describe('RC', () => {
   describe('when files not present', () => {
     it('should default the excludes', () => {
-      expect(noRc.exclude).to.deep.equal([/^node_modules\//, /^.git\//, /^.git-crypt\//, /package-lock.json/])
+      expect(noRc.exclude).to.deep.equal([/^node_modules\//, /^.git\//, /package-lock.json/])
     })
     it('should default the modules to all', () => {
       expect(noRc.modules).to.deep.equal(['all'])
@@ -89,7 +89,7 @@ describe('RC', () => {
       }).to.throw()
     })
     it('should concat the excludes together', () => {
-      expect(rc.exclude).to.deep.equal([/^node_modules\//, /^.git\//, /^.git-crypt\//, /package-lock.json/, /^another\//])
+      expect(rc.exclude).to.deep.equal([/^node_modules\//, /^.git\//, /package-lock.json/, /^another\//])
     })
     it('should replace the modules', () => {
       expect(rc.modules).to.deep.equal(['contents', 'entropy', 'files', 'node-npmoutdated', 'node-npmaudit'])
diff --git a/lib/file-manager.js b/lib/file-manager.js
index f6834fcf..dd12877d 100644
--- a/lib/file-manager.js
+++ b/lib/file-manager.js
@@ -55,31 +55,17 @@ module.exports = class FileManager {
     })
   }
-  gatherEncryptedFiles (cwd) {
-    if (!fs.existsSync(path.join(cwd, '.git-crypt'))) return []
-
-    logger.log('git-crypt detected, excluding files covered by GPG encryption')
-    let { stdout } = exec.commandSync('git-crypt status -e', { cwd })
-    let encrypted = stdout.split('\n').map(f => f.split('encrypted: ').slice(-1)[0])
-    logger.log('Files excluded by git-crypt:', encrypted.length)
-    return encrypted
-  }
-
   allFilesGit (cwd) {
-    let encrypted = this.gatherEncryptedFiles(cwd)
     exec.commandSync('git ls-tree --full-tree --name-only -r HEAD', { cwd })
       .stdout.trim()
       .split('\n')
-      .filter(f => encrypted.indexOf(f) === -1)
       .forEach(f => this.addFile(f))
   }
   allFilesGitStaged (cwd) {
-    let encrypted = this.gatherEncryptedFiles(cwd)
     exec.commandSync('git --no-pager diff --name-only --staged', { cwd })
       .stdout.trim()
       .split('\n')
-      .filter(f => encrypted.indexOf(f) === -1)
       .forEach(f => this.addFile(f))
   }
diff --git a/lib/rc.js b/lib/rc.js
index 17cbb3bf..00b7a9c1 100644
--- a/lib/rc.js
+++ b/lib/rc.js
@@ -11,7 +11,7 @@ const logger = require('./logger')
 module.exports = class RC {
   constructor () {
-    this.exclude = [/^node_modules\//, /^.git\//, /^.git-crypt\//, /package-lock.json/]
+    this.exclude = [/^node_modules\//, /^.git\//, /package-lock.json/]
     this.failOn = 'low'
     this.modules = ['all']
     this.all = false
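Review bot: allFilesGit and allFilesGitStaged now hand every tracked path straight to addFile, including the paths a git-crypt repository keeps encrypted, and nothing in the hunk or the README hunks that drop the "excluding files covered by GPG encryption" text tells a reader what replaces that behaviour. Whether those files are meant to be scanned from now on is a decision the commit does not state; if the intent is that users exclude them themselves, a comment above allFilesGit such as `// Every git-tracked path is scanned; git-crypt managed files are no longer filtered out — use the exclude list for them.` makes that explicit, and the `--exclude` section of the README is where users would look for it. Separately, `.stdout.trim().split('\n')` on an empty listing yields `['']`, so addFile receives an empty path when a repository has no tracked or staged files; whether addFile tolerates that is not visible here, and a `.filter(f => f !== '')` before the `.forEach` in both methods would close the gap. The enclosing FileManager class continues outside the hunk.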
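Review bot: The retained default `/^.git\//` on the new `this.exclude` line has an unescaped dot, so presumably (the matching code is not in this diff) it excludes any top-level directory whose name is one character followed by `git/` — a constructed `agit/` or `_git/` — rather than only `.git/`; for a scanner whose default exclusions silently drop files from the scan, an over-broad pattern is a quiet way to miss content. `/package-lock.json/` carries the same unescaped dot and is unanchored, which may be deliberate so nested lockfiles are skipped, but it also matches names that merely resemble the lockfile. Escaping the literals, `this.exclude = [/^node_modules\//, /^\.git\//, /package-lock\.json/]`, keeps the intended matches; the two rc-unit.js expectations changed in this commit (`should default the excludes` and `should concat the excludes together`) mirror the same literals and would need the same edit. The constructor continues past the end of the hunk.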