From 676ce4dc6288fa30ef28772f2fd37872022c3342 Mon Sep 17 00:00:00 2001
From: Aravind Kumar
Date: Wed, 23 Apr 2025 21:43:11 +0530
Subject: [PATCH 1/8] policy-scan.yml

---
 .github/workflows/policy-scan.yml | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/policy-scan.yml b/.github/workflows/policy-scan.yml
index 13bd362..ff25923 100644
--- a/.github/workflows/policy-scan.yml
+++ b/.github/workflows/policy-scan.yml
@@ -24,4 +24,23 @@ jobs:
 - uses: actions/checkout@master
 - name: Checks for License file
 run: |
- if ! [[ -f "LICENSE" || -f "License.txt" || -f "LICENSE.md" ]]; then exit 1; fi
\ No newline at end of file
+ expected_license_files=("LICENSE" "LICENSE.txt" "LICENSE.md" "License.txt")
+ license_file_found=false
+ current_year=$(date +"%Y")
+
+ for license_file in "${expected_license_files[@]}"; do
+ if [ -f "$license_file" ]; then
+ license_file_found=true
+ # check the license file for the current year, if not exists, exit with error
+ if ! grep -q "$current_year" "$license_file"; then
+ echo "License file $license_file does not contain the current year."
+ exit 2
+ fi
+ break
+ fi
+ done
+
+ if [ "$license_file_found" = false ]; then
+ echo "No license file found. Please add a license file to the repository."
+ exit 1
+ fi
\ No newline at end of file

From 9048ef5ef77aadfff9581e2f513e21e3f78927b9 Mon Sep 17 00:00:00 2001
From: Aravind Kumar
Date: Mon, 5 May 2025 22:16:58 +0530
Subject: [PATCH 2/8] policy-scan.yml


From 8a459d9d3e9103143e535015ac318fe8a741056c Mon Sep 17 00:00:00 2001
From: Aravind Kumar
Date: Mon, 5 May 2025 22:17:05 +0530
Subject: [PATCH 3/8] issues-jira.yml


From 017b4def0b7dd4e805b76b3a0bc53bbc761e7baa Mon Sep 17 00:00:00 2001
From: Aravind Kumar
Date: Mon, 5 May 2025 22:17:06 +0530
Subject: [PATCH 4/8] secrets-scan.yml

---
 .github/workflows/secrets-scan.yml | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 .github/workflows/secrets-scan.yml

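Review bot: The year check added to the `Checks for License file` step turns a presence check into a freshness check that fails every repository on 1 January until the license is edited, and `grep -q "$current_year"` also passes on any unrelated occurrence of the year in the file; `$(date +"%Y")` is the runner's clock, so the verdict depends on when the job runs rather than on the commit. If a copyright-notice check is wanted, anchoring it on the notice line (`grep -Eq "Copyright.*$current_year"`, assuming the license carries one) and reporting a stale year without `exit 2` keeps the gate on the file's presence while still surfacing the drift. A comment at the top of the script stating the rule, e.g. `# Policy: a license file must exist; its copyright year is compared with the runner's current year`, would make the intended policy auditable. The unpinned `actions/checkout@master` on the context line above is not part of this change, but a policy-gate workflow is a reasonable place to pin it to a release tag or commit SHA.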
diff --git a/.github/workflows/secrets-scan.yml b/.github/workflows/secrets-scan.yml
new file mode 100644
index 0000000..049c02f
--- /dev/null
+++ b/.github/workflows/secrets-scan.yml
@@ -0,0 +1,29 @@
+name: Secrets Scan
+on:
+ pull_request:
+ types: [opened, synchronize, reopened]
+jobs:
+ security-secrets:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: '2'
+ ref: '${{ github.event.pull_request.head.ref }}'
+ - run: |
+ git reset --soft HEAD~1
+ - name: Install Talisman
+ run: |
+ # Download Talisman
+ wget https://github.com/thoughtworks/talisman/releases/download/v1.37.0/talisman_linux_amd64 -O talisman
+
+ # Checksum verification
+ checksum=$(sha256sum ./talisman | awk '{print $1}')
+ if [ "$checksum" != "8e0ae8bb7b160bf10c4fa1448beb04a32a35e63505b3dddff74a092bccaaa7e4" ]; then exit 1; fi
+
+ # Make it executable
+ chmod +x talisman
+ - name: Run talisman
+ run: |
+ # Run Talisman with the pre-commit hook
+ ./talisman --githook pre-commit
\ No newline at end of file

From b5a068c6f3ddcc168a586ff0e0170205718192b9 Mon Sep 17 00:00:00 2001
From: Aravind Kumar
Date: Mon, 5 May 2025 22:17:11 +0530
Subject: [PATCH 5/8] Updated codeowners


From 4aa44d9ae44a230b8e5f54c24e6c3063e59243ea Mon Sep 17 00:00:00 2001
From: Aravind Kumar
Date: Mon, 5 May 2025 23:37:30 +0530
Subject: [PATCH 6/8] talismanrc file updated

---
 .talismanrc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.talismanrc b/.talismanrc
index dbc73fd..7052891 100644
--- a/.talismanrc
+++ b/.talismanrc
@@ -1,3 +1,6 @@
 fileignoreconfig:
+- filename: .github/workflows/secrets-scan.yml
+ ignore_detectors:
+ - filecontent
 - filename: package-lock.json
 checksum: 9746d3b1ac67da5dc0f3ec6f8798166bc8b9c1e4c736de01f7c52b2f9cc194be

From d49d19ddc090c658ff38f07bc2ce5cbde3eb6626 Mon Sep 17 00:00:00 2001
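Review bot: The checkout/reset pair at the top of the `security-secrets` job stages only the single tip commit for Talisman, because `fetch-depth: '2'` followed by `git reset --soft HEAD~1` leaves exactly one commit's changes in the index; a `synchronize` event that pushes several commits, or a PR opened with more than one, gets its earlier commits skipped. Checking out `head.ref` by branch name is also likely to fail for pull requests from forks, where that branch does not exist in the base repository, so the scan would not run on the contributions that most need it; `head.sha` resolves in both cases. Resetting to the PR's base SHA after a full fetch stages every commit in the PR, and passing the SHA through `env:` keeps expression output off the shell line. The checksum failure in the `Install Talisman` step exits silently; `echo "talisman checksum mismatch" >&2` before the `exit 1` would make the log useful when the pin is next bumped.

```yaml
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: '${{ github.event.pull_request.head.sha }}'
      - name: Stage all pull request changes for the pre-commit scan
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
        run: |
          git reset --soft "$BASE_SHA"
      # … unchanged: Install Talisman and Run talisman steps …
```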
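Review bot: The new `fileignoreconfig` entry switches off the `filecontent` detector for `.github/workflows/secrets-scan.yml` permanently, so a credential later committed into that workflow (a token in an `env:` block, for instance) would not be flagged, unlike the `package-lock.json` entry just below, which is tied to a `checksum` and is re-scanned as soon as the file changes. Presumably the exemption exists because the pinned Talisman SHA-256 in the workflow trips the detector; a `checksum:` entry for the workflow file, matching the existing style, keeps that exemption but expires it on the next edit. A comment naming the trigger, e.g. `# exempt: the pinned Talisman release checksum is not a secret`, would tell the next reader why the entry is there.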
From: "harshitha.d"
Date: Fri, 23 May 2025 18:31:52 +0530
Subject: [PATCH 7/8] chore: enhance precommit hook with snyk and talisman scans

---
 .gitignore | 2 ++
 .husky/pre-commit | 69 +++++++++++++++++++++++++++++++++++++++++++++--
 .talismanrc | 2 ++
 package.json | 1 +
 4 files changed, 72 insertions(+), 2 deletions(-)

diff --git a/.gitignore b/.gitignore
index 1c6d246..7dc81df 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,3 +14,5 @@ tap-html.html
 dist/
 coverage/
 .dccache
+snyk_output.log
+talisman_output.log
\ No newline at end of file
diff --git a/.husky/pre-commit b/.husky/pre-commit
index 9c7ed53..4f1fbbc 100755
--- a/.husky/pre-commit
+++ b/.husky/pre-commit
@@ -1,4 +1,69 @@
 #!/usr/bin/env sh
-. "$(dirname -- "$0")/_/husky.sh"
+# Pre-commit hook to run Snyk and Talisman scans, completing both before deciding to commit
 
-npm run test
\ No newline at end of file
+# Function to check if a command exists
+command_exists() {
+ command -v "$1" >/dev/null 2>&1
+}
+
+# Check if Snyk is installed
+if ! command_exists snyk; then
+ echo "Error: Snyk is not installed. Please install it and try again."
+ exit 1
+fi
+
+# Check if Talisman is installed
+if ! command_exists talisman; then
+ echo "Error: Talisman is not installed. Please install it and try again."
+ exit 1
+fi
+
+# Allow bypassing the hook with an environment variable
+if [ "$SKIP_HOOK" = "1" ]; then
+ echo "Skipping Snyk and Talisman scans (SKIP_HOOK=1)."
+ exit 0
+fi
+
+# Initialize variables to track scan results
+snyk_failed=false
+talisman_failed=false
+
+# Run Snyk vulnerability scan
+echo "Running Snyk vulnerability scan..."
+snyk test --all-projects > snyk_output.log 2>&1
+snyk_exit_code=$?
+
+if [ $snyk_exit_code -eq 0 ]; then
+ echo "Snyk scan passed: No vulnerabilities found."
+elif [ $snyk_exit_code -eq 1 ]; then
+ echo "Snyk found vulnerabilities. See snyk_output.log for details."
+ snyk_failed=true
+else
+ echo "Snyk scan failed with error (exit code $snyk_exit_code). See snyk_output.log for details."
+ snyk_failed=true
+fi
+
+# Run Talisman secret scan (continues even if Snyk failed)
+echo "Running Talisman secret scan..."
+talisman --githook pre-commit > talisman_output.log 2>&1
+talisman_exit_code=$?
+
+if [ $talisman_exit_code -eq 0 ]; then
+ echo "Talisman scan passed: No secrets found."
+else
+ echo "Talisman scan failed (exit code $talisman_exit_code). See talisman_output.log for details."
+ talisman_failed=true
+fi
+
+# Evaluate results after both scans
+if [ "$snyk_failed" = true ] || [ "$talisman_failed" = true ]; then
+ echo "Commit aborted due to issues found in one or both scans."
+ [ "$snyk_failed" = true ] && echo "- Snyk issues: Check snyk_output.log"
+ [ "$talisman_failed" = true ] && echo "- Talisman issues: Check talisman_output.log"
+ exit 1
+fi
+
+# If both scans pass, allow the commit
+echo "All scans passed. Proceeding with commit.cd ."
+rm -f snyk_output.log talisman_output.log
+exit 0
\ No newline at end of file
diff --git a/.talismanrc b/.talismanrc
index dbc73fd..9968b5f 100644
--- a/.talismanrc
+++ b/.talismanrc
@@ -1,3 +1,5 @@
 fileignoreconfig:
 - filename: package-lock.json
 checksum: 9746d3b1ac67da5dc0f3ec6f8798166bc8b9c1e4c736de01f7c52b2f9cc194be
+- filename: src/entry-editable.ts
+ checksum: f9c4694229205fca252bb087482a3e408c6ad3b237cd108e337bcff49458db5c
diff --git a/package.json b/package.json
index 1027eb5..c23bd12 100644
--- a/package.json
+++ b/package.json
@@ -28,6 +28,7 @@
 "format": "prettier --write \"src/**/*.ts\"",
 "prepare": "husky install && npm run build",
 "prepublishOnly": "npm test",
+ "pre-commit": "husky install && husky && chmod +x .husky/pre-commit && ./.husky/pre-commit",
 "version": "npm run format && git add -A src",
 "postversion": "git push && git push --tags"
 },

From 3304c83efdf49526edde65ad4373af657db4b27b Mon Sep 17 00:00:00 2001
From: "harshitha.d"
Date: Mon, 26 May 2025 13:08:09 +0530
Subject: [PATCH 8/8] chore: add husky pre-commit to talisman ignore configuration

---
 .talismanrc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.talismanrc b/.talismanrc
index 9968b5f..44db2a5 100644
--- a/.talismanrc
+++ b/.talismanrc
@@ -3,3 +3,5 @@ fileignoreconfig:
 checksum: 9746d3b1ac67da5dc0f3ec6f8798166bc8b9c1e4c736de01f7c52b2f9cc194be
 - filename: src/entry-editable.ts
 checksum: f9c4694229205fca252bb087482a3e408c6ad3b237cd108e337bcff49458db5c
+- filename: .husky/pre-commit
+ checksum: 5baabd7d2c391648163f9371f0e5e9484f8fb90fa2284cfc378732ec3192c193
\ No newline at end of file
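Review bot: The success message at the end of the new hook reads `echo "All scans passed. Proceeding with commit.cd ."`; the trailing `cd .` looks like a stray paste inside the string literal and should be `echo "All scans passed. Proceeding with commit."`. The `SKIP_HOOK=1` bypass is evaluated after the `command_exists` checks, so a developer without Snyk or Talisman installed cannot use it even though the comment presents it as a general escape hatch; moving that block above the tool checks matches the stated intent. On a failed scan both `*_output.log` files are left in the working tree (the `.gitignore` hunk in this patch keeps them out of commits, but a stale log from an earlier run is still what the next failure message points the developer to); an `rm -f snyk_output.log talisman_output.log` before the scans start, rather than only on success, avoids that. The hook also drops the `. "$(dirname -- "$0")/_/husky.sh"` line, which is the expected shape for husky 9 but removes husky's own skip and debug handling under husky 8 — the installed major is not visible in this hunk, so worth confirming against `package.json`.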
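Review bot: The `.talismanrc` hunk in patch 7 is based on blob `dbc73fd` (its `index` line), the same parent as patch 6, so it does not carry the `.github/workflows/secrets-scan.yml` entry that patch 6 added, and patch 8 then builds on patch 7's blob `9968b5f`. Unless the series is rebased or merged with both sides kept, the final `.talismanrc` appears to end up with either the patch-6 entry or the patch-7/8 entries rather than all three — worth confirming which state is intended before merge. A short comment above each entry naming why the file is exempt (generated lockfile, hook script, pinned checksum) would also make the list reviewable on its own.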
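Review bot: The new `pre-commit` script chains `husky install && husky`, which are the husky 8 and husky 9 spellings of the same setup command, so one of the two is a no-op or a deprecation warning depending on the installed major (not visible in this hunk); keeping only the form that matches the `prepare` script above, `"pre-commit": "chmod +x .husky/pre-commit && ./.husky/pre-commit"`, avoids the double install. The `chmod +x` is also redundant once the hook is committed with mode `100755`, as the `.husky/pre-commit` index line in this series shows, but it is harmless to keep for checkouts that lose the bit.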