Put secret scanning behind setting (#1160)

harness · Mar 28, 2024 · 6093a4c · 6093a4c
1 parent bd2e9f4
commit 6093a4c
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 9 deletions.
diff --git a/app/api/controller/githook/git.go b/app/api/controller/githook/git.go
@@ -18,6 +18,7 @@ import (
  "context"
 
  "github.com/harness/gitness/git"
+ "github.com/harness/gitness/git/api"
 )
 
 // RestrictedGIT is a git client that is restricted to a subset of operations of git.Interface
@@ -29,4 +30,6 @@ type RestrictedGIT interface {
  IsAncestor(ctx context.Context, params git.IsAncestorParams) (git.IsAncestorOutput, error)
  ScanSecrets(ctx context.Context, param *git.ScanSecretsParams) (*git.ScanSecretsOutput, error)
  GetBranch(ctx context.Context, params *git.GetBranchParams) (*git.GetBranchOutput, error)
+ Diff(ctx context.Context, in *git.DiffParams, files ...api.FileDiffRequest) (<-chan *git.FileDiff, <-chan error)
+ GetBlob(ctx context.Context, params *git.GetBlobParams) (*git.GetBlobOutput, error)
 }
diff --git a/app/api/controller/githook/pre_receive_scan_secrets.go b/app/api/controller/githook/pre_receive_scan_secrets.go
@@ -18,6 +18,7 @@ import (
  "context"
  "fmt"
 
+ "github.com/harness/gitness/app/services/settings"
  "github.com/harness/gitness/errors"
  "github.com/harness/gitness/git"
  "github.com/harness/gitness/git/api"
@@ -44,7 +45,23 @@ func (c *Controller) scanSecrets(
  in types.GithookPreReceiveInput,
  output *hook.Output,
 ) error {
- glOut, err := scanSecretsInternal(
+ // check if scanning is enabled on the repo
+ scanningEnabled, err := settings.RepoGet(
+ ctx,
+ c.settings,
+ repo.ID,
+ settings.KeySecretScanningEnabled,
+ settings.DefaultSecretScanningEnabled,
+ )
+ if err != nil {
+ return fmt.Errorf("failed to check settings whether secret scanning is enabled: %w", err)
+ }
+ if !scanningEnabled {
+ return nil
+ }
+
+ // scan for secrets
+ scanResult, err := scanSecretsInternal(
  ctx,
  rgit,
  repo,
@@ -54,13 +71,15 @@ func (c *Controller) scanSecrets(
  return fmt.Errorf("failed to scan for git leaks: %w", err)
  }
 
- if glOut.HasResults() {
- printScanSecretsFindings(output, glOut.findings)
- output.Messages = append(output.Messages, "", "")
-
- output.Error = ptr.String("Changes blocked by security scan results")
+ if !scanResult.HasResults() {
+ return nil
  }
 
+ // pretty print output
+ printScanSecretsFindings(output, scanResult.findings)
+ output.Messages = append(output.Messages, "", "")
+ output.Error = ptr.String("Changes blocked by security scan results")
+
  return nil
 }
 
@@ -104,7 +123,7 @@ func scanSecretsInternal(ctx context.Context,
  log.Debug().Msgf("use latest dflt commit %s as comparison for new branch", latestDfltCommitSHA)
  }
 
- log.Debug().Msg("scan for gitleaks")
+ log.Debug().Msg("scan for secrets")
 
  scanSecretsOut, err := rgit.ScanSecrets(ctx, &git.ScanSecretsParams{
  ReadParams: git.ReadParams{
@@ -119,11 +138,11 @@ func scanSecretsInternal(ctx context.Context,
  }
 
  if len(scanSecretsOut.Findings) == 0 {
- log.Debug().Msg("no leaks found")
+ log.Debug().Msg("no new secrets found")
  continue
  }
 
- log.Debug().Msgf("found %d leaks", len(scanSecretsOut.Findings))
+ log.Debug().Msgf("found %d new secrets", len(scanSecretsOut.Findings))
 
  res.findings = append(res.findings, scanSecretsOut.Findings...)
  }