-rw-r--r-- | ci/pipelines/briefcase.nix | 19 | ||||
-rw-r--r-- | ci/secret-patterns.txt | 9 |
2 files changed, 10 insertions, 18 deletions
diff --git a/ci/pipelines/briefcase.nix b/ci/pipelines/briefcase.nix
index 03ede2b9c72a..b01e9f93cb9f 100644
--- a/ci/pipelines/briefcase.nix
+++ b/ci/pipelines/briefcase.nix
@@ -3,24 +3,7 @@
 let
 pipeline.steps = [
 {
- command = let
- # Regexes to detect sensitive information
- patterns = pkgs.writeText "secrets.txt" ''
- (A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}
- ("|')?(AWS|aws|Aws)?_?(SECRET|secret|Secret)?_?(ACCESS|access|Access)?_?(KEY|key|Key)("|')?\s*(:|=>|=)\s*("|')?[A-Za-z0-9/\+=]{40}("|')?
- ("|')?(AWS|aws|Aws)?_?(ACCOUNT|account|Account)_?(ID|id|Id)?("|')?\s*(:|=>|=)\s*("|')?[0-9]{4}\-?[0-9]{4}\-?[0-9]{4}("|')?
- AIza[0-9A-Za-z_-]{35}
- [0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com
- (^|[^0-9A-Za-z/+])1/[0-9A-Za-z_-]{43}
- (^|[^0-9A-Za-z/+])1/[0-9A-Za-z_-]{64}
- ya29\.[0-9A-Za-z_-]+
- (sk|pk)_(test|live)_[a-zA-Z0-9]{99}
- '';
- in ''
- cat .git/config
- ${pkgs.git-secrets}/bin/git-secrets --add-provider -- cat ${patterns}
- ${pkgs.git-secrets}/bin/git-secrets --scan-history
- '';
+ command = "${pkgs.git-secrets}/bin/git-secrets --scan-history";
 label = ":broom: lint";
 }
 {
diff --git a/ci/secret-patterns.txt b/ci/secret-patterns.txt
new file mode 100644
index 000000000000..cbf58a1e744b
--- /dev/null
+++ b/ci/secret-patterns.txt
@@ -0,0 +1,9 @@
+(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}
+("|')?(AWS|aws|Aws)?_?(SECRET|secret|Secret)?_?(ACCESS|access|Access)?_?(KEY|key|Key)("|')?\s*(:|=>|=)\s*("|')?[A-Za-z0-9/\+=]{40}("|')?
+("|')?(AWS|aws|Aws)?_?(ACCOUNT|account|Account)_?(ID|id|Id)?("|')?\s*(:|=>|=)\s*("|')?[0-9]{4}\-?[0-9]{4}\-?[0-9]{4}("|')?
+AIza[0-9A-Za-z_-]{35}
+[0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com
+(^|[^0-9A-Za-z/+])1/[0-9A-Za-z_-]{43}
+(^|[^0-9A-Za-z/+])1/[0-9A-Za-z_-]{64}
+ya29\.[0-9A-Za-z_-]+
+(sk|pk)_(test|live)_[a-zA-Z0-9]{99}
|
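Review bot: The new `command` runs only `git-secrets --scan-history`, and nothing visible in this commit tells git-secrets to read `ci/secret-patterns.txt`; the removed `--add-provider -- cat ${patterns}` line was the only registration shown. If the provider is not already present in the checkout's git config, the scan runs with no prohibited patterns and the lint step passes without checking anything. Either register it in the step, e.g. `${pkgs.git-secrets}/bin/git-secrets --add-provider -- cat ci/secret-patterns.txt` before the scan, or add a comment on the step naming where the provider is configured. Printing `git-secrets --list` ahead of the scan would make an empty configuration visible in the build log.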
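Review bot: The last pattern, `(sk|pk)_(test|live)_[a-zA-Z0-9]{99}`, only fires when at least 99 alphanumeric characters follow the prefix, so any shorter key with the same prefix passes the scan unnoticed. This looks like a payment-provider key pattern; if shorter key formats are in scope, a lower bound such as `(sk|pk)_(test|live)_[a-zA-Z0-9]{24,}` would cover them, with the exact minimum to be confirmed against the formats the project actually uses. Since every line of this file is treated as a pattern, the note on which credential type each line targets would belong next to the pipeline step or in a README rather than in the file itself.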