run secret scan

NHSDigital · Nov 28, 2024 · 74fe622 · 74fe622
1 parent 5e0a3ac
commit 74fe622
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 0 deletions.
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -8,6 +8,13 @@
     "context": "..",
     "args": {}
   },
+  "features": {
+    "ghcr.io/devcontainers/features/docker-outside-of-docker:1": {
+      "version": "latest",
+      "moby": "true",
+      "installDockerBuildx": "true"
+    }
+  },
   "mounts": [
     "source=${env:HOME}${env:USERPROFILE}/.ssh,target=/home/vscode/.ssh,type=bind",
     "source=${env:HOME}${env:USERPROFILE}/.gnupg,target=/home/vscode/.gnupg,type=bind"
@@ -52,5 +59,6 @@
       }
     }
   },
+  "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" },
   "postCreateCommand": "rm -f ~/.docker/config.json; git config --global --add safe.directory /workspaces/nhs-eps-spine-client; make install; direnv allow ."
 }
diff --git a/.gitallowed b/.gitallowed
@@ -0,0 +1,18 @@
+token: ?"?\$\{\{\s*secrets\.GITHUB_TOKEN\s*\}\}"?
+github-token: ?"?\$\{\{\s*secrets\.GITHUB_TOKEN\s*\}\}"?
+token: ?"?\$\{\{\s*secrets\.DEPENDABOT_TOKEN\s*\}\}"?
+id-token: write
+--token=\$\{\{\s*steps\.generate-token\.outputs\.token\s*\}\}
+--token=\$GITHUB-TOKEN
+--token="\$GITHUB-TOKEN"
+.*Gemfile\.lock.*
+.*\.gitallowed.*
+.*nhsd-rules-deny.txt.*
+.*\.venv.*
+.*node_modules.*
+.:src/resources/clinical_content_view.*root=*
+.:src/resources/clinical_content_view.*codeSystem=*
+.:src/resources/prescription_search.*root=*
+.:src/live-spine-client.*root=*
+0ba20a521167058a74f3b6e65c42d732054e5753:docs.*
+0ba20a521167058a74f3b6e65c42d732054e5753:scripts/.*
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -40,5 +40,15 @@ repos:
         types_or: [yaml]
         pass_filenames: false
 
+  - repo: local
+    hooks:
+      - id: git-secrets
+        name: Git Secrets
+        description: git-secrets scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories.
+        entry: bash
+        args:
+          - -c
+          - 'docker run -v "$LOCAL_WORKSPACE_FOLDER:/src" git-secrets --pre_commit_hook'
+        language: system
 fail_fast: true
 default_stages: [commit]