From 3479c8a78e5a7a8074dc8edf214953416d6516cf Mon Sep 17 00:00:00 2001
From: asloob qureshi
Date: Fri, 5 Apr 2024 10:39:06 -0700
Subject: [PATCH 1/2] Add pre-commit and trivy scan configs
---
 .pre-commit-config.yaml | 17 ++++
 trivy-secret.yaml | 210 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 227 insertions(+)
 create mode 100644 .pre-commit-config.yaml
 create mode 100644 trivy-secret.yaml
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..db1c10e
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,17 @@
+repos:
+ - repo: https://github.com/mxab/pre-commit-trivy.git
+ rev: v0.5.1
+ hooks:
+ - id: trivyfs-docker
+ args:
+ - --scanners
+ - secret
+ - --secret-config
+ - /src/trivy-secret.yaml
+ - --skip-dirs
+ - /src/target
+ - --skip-dirs
+ - /src/.idea
+ - --skip-files
+ - /src/e2e/docker/localstack/kms/seed.yaml
+ - .
diff --git a/trivy-secret.yaml b/trivy-secret.yaml
new file mode 100644
index 0000000..38eaa8e
--- /dev/null
+++ b/trivy-secret.yaml
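Review bot: `rev: v0.5.1` pins the third-party hook repository (and, presumably, the scanner image the `trivyfs-docker` hook runs) to a mutable tag, so the code executed on every commit can change under the same tag; pre-commit accepts a full commit SHA here, e.g. `rev: <commit-sha-of-v0.5.1>  # v0.5.1`, and the bump to v0.12.0 in the second patch should be pinned the same way. The `--skip-files /src/e2e/docker/localstack/kms/seed.yaml` exclusion removes a KMS seed file from secret scanning without recording why that is safe; a comment above that argument such as `# local e2e KMS seed, test-only material -- confirm before adding further exclusions` keeps the exception reviewable. With `--scanners secret` the hook does only secret detection, which is fine if vulnerability and misconfiguration scanning are deliberately out of scope for pre-commit.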
@@ -0,0 +1,210 @@
+rules:
+ ##################
+ # UID2 Admin Key #
+ ##################
+ - id: uid2-admin-key-test
+ category: uid2
+ title: UID2 - Admin Key - Test
+ severity: CRITICAL
+ keywords:
+ - UID2-A-T
+ regex: UID2-A-T-(?P.{6}\..{38})
+ secret-group-name: secret
+ - id: uid2-admin-key-integ
+ category: uid2
+ title: UID2 - Admin Key - Integ
+ severity: CRITICAL
+ keywords:
+ - UID2-A-I
+ regex: UID2-A-I-(?P.{6}\..{38})
+ secret-group-name: secret
+ - id: uid2-admin-key-prod
+ category: uid2
+ title: UID2 - Admin Key - Prod
+ severity: CRITICAL
+ keywords:
+ - UID2-A-P
+ regex: UID2-A-P-(?P.{6}\..{38})
+ secret-group-name: secret
+
+ ###################
+ # UID2 Client Key #
+ ###################
+ - id: uid2-client-key-test
+ category: uid2
+ title: UID2 - Client Key - Test
+ severity: CRITICAL
+ keywords:
+ - UID2-C-T
+ regex: UID2-C-T-[0-9]+-(?P.{6}\..{38})
+ secret-group-name: secret
+ - id: uid2-client-key-integ
+ category: uid2
+ title: UID2 - Client Key - Integ
+ severity: CRITICAL
+ keywords:
+ - UID2-C-I
+ regex: UID2-C-I-[0-9]+-(?P.{6}\..{38})
+ secret-group-name: secret
+ - id: uid2-client-key-prod
+ category: uid2
+ title: UID2 - Client Key - Prod
+ severity: CRITICAL
+ keywords:
+ - UID2-C-P
+ regex: UID2-C-P-[0-9]+-(?P.{6}\..{38})
+ secret-group-name: secret
+
+ #####################
+ # UID2 Operator Key #
+ #####################
+ - id: uid2-operator-key-test
+ category: uid2
+ title: UID2 - Operator Key - Test
+ severity: CRITICAL
+ keywords:
+ - UID2-O-T
+ regex: UID2-O-T-[0-9]+-(?P.{6}\..{38})
+ secret-group-name: secret
+ - id: uid2-operator-key-integ
+ category: uid2
+ title: UID2 - Operator Key - Integ
+ severity: CRITICAL
+ keywords:
+ - UID2-O-I
+ regex: UID2-O-I-[0-9]+-(?P.{6}\..{38})
+ secret-group-name: secret
+ - id: uid2-operator-key-prod
+ category: uid2
+ title: UID2 - Operator Key - Prod
+ severity: CRITICAL
+ keywords:
+ - UID2-O-P
+ regex: UID2-O-P-[0-9]+-(?P.{6}\..{38})
+ secret-group-name: secret
+
+ ########################################
+ # UID2 Client Side Keypair Private Key #
+ ########################################
+ - id: uid2-client-side-keypair-private-key-test
+ category: uid2
+ title: UID2 - Client Side Keypair Private Key - Test
+ severity: CRITICAL
+ keywords:
+ - UID2-Y-T
+ regex: (?PUID2-Y-T-.{92})
+ secret-group-name: secret
+ - id: uid2-client-side-keypair-private-key-integ
+ category: uid2
+ title: UID2 - Client Side Keypair Private Key - Integ
+ severity: CRITICAL
+ keywords:
+ - UID2-Y-I
+ regex: (?PUID2-Y-I-.{92})
+ secret-group-name: secret
+ - id: uid2-client-side-keypair-private-key-prod
+ category: uid2
+ title: UID2 - Client Side Keypair Private Key - Prod
+ severity: CRITICAL
+ keywords:
+ - UID2-Y-P
+ regex: (?PUID2-Y-P-.{92})
+ secret-group-name: secret
+
+ ##################
+ # EUID Admin Key #
+ ##################
+ - id: euid-admin-key-test
+ category: euid
+ title: EUID - Admin Key - Test
+ severity: CRITICAL
+ keywords:
+ - EUID-A-T
+ regex: EUID-A-T-(?P.{6}\..{38})
+ secret-group-name: secret
+ - id: euid-admin-key-integ
+ category: euid
+ title: EUID - Admin Key - Integ
+ severity: CRITICAL
+ keywords:
+ - EUID-A-I
+ regex: EUID-A-I-(?P.{6}\..{38})
+ secret-group-name: secret
+ - id: euid-admin-key-prod
+ category: euid
+ title: EUID - Admin Key - Prod
+ severity: CRITICAL
+ keywords:
+ - EUID-A-P
+ regex: EUID-A-P-(?P.{6}\..{38})
+ secret-group-name: secret
+
+ ###################
+ # EUID Client Key #
+ ###################
+ - id: euid-client-key-test
+ category: euid
+ title: EUID - Client Key - Test
+ severity: CRITICAL
+ keywords:
+ - EUID-C-T
+ regex: EUID-C-T-[0-9]+-(?P.{6}\..{38})
+ secret-group-name: secret
+ - id: euid-client-key-integ
+ category: euid
+ title: EUID - Client Key - Integ
+ severity: CRITICAL
+ keywords:
+ - EUID-C-I
+ regex: EUID-C-I-[0-9]+-(?P.{6}\..{38})
+ secret-group-name: secret
+ - id: euid-client-key-prod
+ category: euid
+ title: EUID - Client Key - Prod
+ severity: CRITICAL
+ keywords:
+ - EUID-C-P
+ regex: EUID-C-P-[0-9]+-(?P.{6}\..{38})
+ secret-group-name: secret
+
+ #####################
+ # EUID Operator Key #
+ #####################
+ - id: euid-operator-key-test
+ category: euid
+ title: EUID - Operator Key - Test
+ severity: CRITICAL
+ keywords:
+ - EUID-O-T
+ regex: EUID-O-T-[0-9]+-(?P.{6}\..{38})
+ secret-group-name: secret
+ - id: euid-operator-key-integ
+ category: euid
+ title: EUID - Operator Key - Integ
+ severity: CRITICAL
+ keywords:
+ - EUID-O-I
+ regex: EUID-O-I-[0-9]+-(?P.{6}\..{38})
+ secret-group-name: secret
+ - id: euid-operator-key-prod
+ category: euid
+ title: EUID - Operator Key - Prod
+ severity: CRITICAL
+ keywords:
+ - EUID-O-P
+ regex: EUID-O-P-[0-9]+-(?P.{6}\..{38})
+ secret-group-name: secret
+
+disable-allow-rules:
+ - tests
+ - examples
+ - vendor
+ - usr-dirs
+ - locale-dir
+ - markdown
+ - node.js
+ - golang
+ - python
+ - rubygems
+ - wordpress
+ - anaconda-log
From 17019d6fa0eb00e50843f5ffdba6aa0410827614 Mon Sep 17 00:00:00 2001
From: asloob qureshi
Date: Fri, 5 Apr 2024 10:50:00 -0700
Subject: [PATCH 2/2] update trivy version and include venv in path
---
 .pre-commit-config.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index db1c10e..ef4867d 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
 - repo: https://github.com/mxab/pre-commit-trivy.git
- rev: v0.5.1
+ rev: v0.12.0
 hooks:
 - id: trivyfs-docker
 args:
@@ -12,6 +12,8 @@ repos:
 - /src/target
 - --skip-dirs
 - /src/.idea
+ - --skip-dirs
+ - /src/venv
 - --skip-files
 - /src/e2e/docker/localstack/kms/seed.yaml
 - .
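Review bot: Every `regex` in this hunk reads as `(?P.{6}\..{38})` or `(?PUID2-Y-T-.{92})`, yet `secret-group-name: secret` requires a capture group named `secret`; if the committed file really lacks the `<secret>` group name (rather than it being stripped in rendering), trivy would likely refuse to load these rules and none of the 24 uid2/euid key patterns would ever match, so each line should read like `regex: 'UID2-A-T-(?P<secret>.{6}\..{38})'`. Quoting the patterns in single quotes also keeps the backslash in `\.` literal and protects against a future `#` or `: ` inside a pattern being reinterpreted by the YAML parser. `.{6}`, `.{38}` and `.{92}` accept any character including spaces and punctuation; if the key alphabet is known, a class such as `\S{38}` would reduce false positives without losing real keys. `disable-allow-rules` turning off the `tests` and `examples` allow-rules is a sensible choice given that the seed file is excluded explicitly in `.pre-commit-config.yaml`, but a short comment stating that intent above the list would help the next maintainer.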