diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..ef4867d
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,19 @@
+repos:
+ - repo: https://github.com/mxab/pre-commit-trivy.git
+ rev: v0.12.0
+ hooks:
+ - id: trivyfs-docker
+ args:
+ - --scanners
+ - secret
+ - --secret-config
+ - /src/trivy-secret.yaml
+ - --skip-dirs
+ - /src/target
+ - --skip-dirs
+ - /src/.idea
+ - --skip-dirs
+ - /src/venv
+ - --skip-files
+ - /src/e2e/docker/localstack/kms/seed.yaml
+ - .
diff --git a/trivy-secret.yaml b/trivy-secret.yaml
new file mode 100644
index 0000000..38eaa8e
--- /dev/null
+++ b/trivy-secret.yaml
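Review bot: `rev: v0.12.0` pins the trivy hook to a mutable tag; because this hook runs on every commit against the whole working tree, pinning `rev:` to the commit SHA behind that tag (pre-commit accepts a full SHA there) removes the dependence on the upstream tag not being moved. The `--skip-files /src/e2e/docker/localstack/kms/seed.yaml` exclusion carves one file out of secret scanning with no explanation; a comment such as `# localstack KMS seed: test-only key material, deliberately excluded from secret scanning` would stop a later reader from reading it as a suppressed real finding, assuming that is the reason. The `/src/...` skip paths presumably reflect the container mount used by `trivyfs-docker`; if that mount point ever changes the skips silently stop matching, so a one-line comment naming the mount assumption is worthwhile too.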
@@ -0,0 +1,210 @@
+rules:
+ ##################
+ # UID2 Admin Key #
+ ##################
+ - id: uid2-admin-key-test
+ category: uid2
+ title: UID2 - Admin Key - Test
+ severity: CRITICAL
+ keywords:
+ - UID2-A-T
+ regex: UID2-A-T-(?P.{6}\..{38})
+ secret-group-name: secret
+ - id: uid2-admin-key-integ
+ category: uid2
+ title: UID2 - Admin Key - Integ
+ severity: CRITICAL
+ keywords:
+ - UID2-A-I
+ regex: UID2-A-I-(?P.{6}\..{38})
+ secret-group-name: secret
+ - id: uid2-admin-key-prod
+ category: uid2
+ title: UID2 - Admin Key - Prod
+ severity: CRITICAL
+ keywords:
+ - UID2-A-P
+ regex: UID2-A-P-(?P.{6}\..{38})
+ secret-group-name: secret
+
+ ###################
+ # UID2 Client Key #
+ ###################
+ - id: uid2-client-key-test
+ category: uid2
+ title: UID2 - Client Key - Test
+ severity: CRITICAL
+ keywords:
+ - UID2-C-T
+ regex: UID2-C-T-[0-9]+-(?P.{6}\..{38})
+ secret-group-name: secret
+ - id: uid2-client-key-integ
+ category: uid2
+ title: UID2 - Client Key - Integ
+ severity: CRITICAL
+ keywords:
+ - UID2-C-I
+ regex: UID2-C-I-[0-9]+-(?P.{6}\..{38})
+ secret-group-name: secret
+ - id: uid2-client-key-prod
+ category: uid2
+ title: UID2 - Client Key - Prod
+ severity: CRITICAL
+ keywords:
+ - UID2-C-P
+ regex: UID2-C-P-[0-9]+-(?P.{6}\..{38})
+ secret-group-name: secret
+
+ #####################
+ # UID2 Operator Key #
+ #####################
+ - id: uid2-operator-key-test
+ category: uid2
+ title: UID2 - Operator Key - Test
+ severity: CRITICAL
+ keywords:
+ - UID2-O-T
+ regex: UID2-O-T-[0-9]+-(?P.{6}\..{38})
+ secret-group-name: secret
+ - id: uid2-operator-key-integ
+ category: uid2
+ title: UID2 - Operator Key - Integ
+ severity: CRITICAL
+ keywords:
+ - UID2-O-I
+ regex: UID2-O-I-[0-9]+-(?P.{6}\..{38})
+ secret-group-name: secret
+ - id: uid2-operator-key-prod
+ category: uid2
+ title: UID2 - Operator Key - Prod
+ severity: CRITICAL
+ keywords:
+ - UID2-O-P
+ regex: UID2-O-P-[0-9]+-(?P.{6}\..{38})
+ secret-group-name: secret
+
+ ########################################
+ # UID2 Client Side Keypair Private Key #
+ ########################################
+ - id: uid2-client-side-keypair-private-key-test
+ category: uid2
+ title: UID2 - Client Side Keypair Private Key - Test
+ severity: CRITICAL
+ keywords:
+ - UID2-Y-T
+ regex: (?PUID2-Y-T-.{92})
+ secret-group-name: secret
+ - id: uid2-client-side-keypair-private-key-integ
+ category: uid2
+ title: UID2 - Client Side Keypair Private Key - Integ
+ severity: CRITICAL
+ keywords:
+ - UID2-Y-I
+ regex: (?PUID2-Y-I-.{92})
+ secret-group-name: secret
+ - id: uid2-client-side-keypair-private-key-prod
+ category: uid2
+ title: UID2 - Client Side Keypair Private Key - Prod
+ severity: CRITICAL
+ keywords:
+ - UID2-Y-P
+ regex: (?PUID2-Y-P-.{92})
+ secret-group-name: secret
+
+ ##################
+ # EUID Admin Key #
+ ##################
+ - id: euid-admin-key-test
+ category: euid
+ title: EUID - Admin Key - Test
+ severity: CRITICAL
+ keywords:
+ - EUID-A-T
+ regex: EUID-A-T-(?P.{6}\..{38})
+ secret-group-name: secret
+ - id: euid-admin-key-integ
+ category: euid
+ title: EUID - Admin Key - Integ
+ severity: CRITICAL
+ keywords:
+ - EUID-A-I
+ regex: EUID-A-I-(?P.{6}\..{38})
+ secret-group-name: secret
+ - id: euid-admin-key-prod
+ category: euid
+ title: EUID - Admin Key - Prod
+ severity: CRITICAL
+ keywords:
+ - EUID-A-P
+ regex: EUID-A-P-(?P.{6}\..{38})
+ secret-group-name: secret
+
+ ###################
+ # EUID Client Key #
+ ###################
+ - id: euid-client-key-test
+ category: euid
+ title: EUID - Client Key - Test
+ severity: CRITICAL
+ keywords:
+ - EUID-C-T
+ regex: EUID-C-T-[0-9]+-(?P.{6}\..{38})
+ secret-group-name: secret
+ - id: euid-client-key-integ
+ category: euid
+ title: EUID - Client Key - Integ
+ severity: CRITICAL
+ keywords:
+ - EUID-C-I
+ regex: EUID-C-I-[0-9]+-(?P.{6}\..{38})
+ secret-group-name: secret
+ - id: euid-client-key-prod
+ category: euid
+ title: EUID - Client Key - Prod
+ severity: CRITICAL
+ keywords:
+ - EUID-C-P
+ regex: EUID-C-P-[0-9]+-(?P.{6}\..{38})
+ secret-group-name: secret
+
+ #####################
+ # EUID Operator Key #
+ #####################
+ - id: euid-operator-key-test
+ category: euid
+ title: EUID - Operator Key - Test
+ severity: CRITICAL
+ keywords:
+ - EUID-O-T
+ regex: EUID-O-T-[0-9]+-(?P.{6}\..{38})
+ secret-group-name: secret
+ - id: euid-operator-key-integ
+ category: euid
+ title: EUID - Operator Key - Integ
+ severity: CRITICAL
+ keywords:
+ - EUID-O-I
+ regex: EUID-O-I-[0-9]+-(?P.{6}\..{38})
+ secret-group-name: secret
+ - id: euid-operator-key-prod
+ category: euid
+ title: EUID - Operator Key - Prod
+ severity: CRITICAL
+ keywords:
+ - EUID-O-P
+ regex: EUID-O-P-[0-9]+-(?P.{6}\..{38})
+ secret-group-name: secret
+
+disable-allow-rules:
+ - tests
+ - examples
+ - vendor
+ - usr-dirs
+ - locale-dir
+ - markdown
+ - node.js
+ - golang
+ - python
+ - rubygems
+ - wordpress
+ - anaconda-log
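Review bot: Every `regex:` value in this file reads `(?P.{6}\..{38})` or `(?PUID2-Y-T-.{92})`, i.e. `(?P` with no `<name>` after it, yet each rule sets `secret-group-name: secret`, which needs a capture group literally named `secret`; Go's regexp rejects `(?P` without a name, so if this is the committed text rather than the page stripping angle brackets, no rule would load, and the committed file should be confirmed to read `(?P<secret>...)`. The group bodies `.{6}\..{38}` and `.{92}` also accept any character, whitespace included, so the only match boundary is length; if the key body is a fixed alphabet (the `.`-separated shape suggests base64-like material, to be confirmed), a constructed form such as `[A-Za-z0-9+/=]{6}\.[A-Za-z0-9+/=]{38}` would cut false positives without losing real matches. The three client-side keypair rules put the `UID2-Y-*-` prefix inside the group while every other rule keeps the prefix outside it, which changes what Trivy reports and redacts; either shape works, but one convention across the file is easier to reason about.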