├── .circleci ├── build-osx-cross.sh └── config.yml ├── .gitignore ├── LICENSE ├── README.rst ├── build.sh ├── check.go ├── config.go ├── gitseekret.go ├── glide.lock ├── glide.yaml ├── hook_pre-commit.go ├── main.go ├── main_check.go ├── main_config.go ├── main_hook.go └── main_rules.go /.circleci/build-osx-cross.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -e 3 | 4 | cd /tmp 5 | git clone https://github.com/tpoechtrager/osxcross.git 6 | cd osxcross 7 | curl --progress-bar -L https://github.com/phracker/MacOSX-SDKs/releases/download/10.13/MacOSX10.11.sdk.tar.xz -o tarballs/MacOSX10.11.sdk.tar.xz 8 | UNATTENDED=1 OSX_VERSION_MIN=10.8 ./build.sh -------------------------------------------------------------------------------- /.circleci/config.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | jobs: 3 | build-linux: 4 | docker: 5 | # CircleCI Go images available at: https://hub.docker.com/r/circleci/golang/ 6 | - image: circleci/golang:1.8 7 | 8 | working_directory: /go/src/github.com/18F/git-seekret 9 | 10 | steps: 11 | - checkout 12 | - run: sudo sh -c 'echo "deb http://ftp.us.debian.org/debian/ unstable main contrib non-free" >> /etc/apt/sources.list' 13 | - run: sudo apt-get update -qq 14 | - run: sudo apt-get install -y pkg-config cmake shellcheck 15 | - run: shellcheck build.sh 16 | - run: ./build.sh 17 | - store_artifacts: 18 | path: ./dist 19 | # - deploy: 20 | # name: Deploy to github when on master 21 | # command: | 22 | # if [ "${CIRCLE_BRANCH}" == "master" ]; then 23 | # go get github.com/tcnksm/ghr 24 | # ghr -t $GITHUB_TOKEN -u $CIRCLE_PROJECT_USERNAME -r $CIRCLE_PROJECT_REPONAME --replace `git describe --tags` dist/ 25 | # fi 26 | build-osx: 27 | docker: 28 | # CircleCI Go images available at: https://hub.docker.com/r/circleci/golang/ 29 | - image: circleci/golang:1.8 30 | 31 | working_directory: /go/src/github.com/18F/git-seekret 32 | 33 | steps: 34 | - checkout 35 | - run: sudo sh -c 'echo "deb http://ftp.us.debian.org/debian/ unstable main contrib non-free" >> /etc/apt/sources.list' 36 | - run: sudo apt-get update -qq 37 | - run: sudo apt-get install -y pkg-config cmake shellcheck clang llvm-dev libxml2-dev uuid-dev libssl-dev file bash patch make gcc g++ zlib1g-dev libmpc-dev libmpfr-dev libgmp-dev tar xz-utils bzip2 gzip sed cpio 38 | - run: shellcheck build.sh 39 | - run: ./.circleci/build-osx-cross.sh 40 | - run: export CROSS_DIR=/tmp/osxcross/target && export PATH=$CROSS_DIR/bin:$PATH && export SDKROOT="$CROSS_DIR/SDK/MacOSX10.11.sdk" && export OSTYPE=darwin15 && ./build.sh 41 | - store_artifacts: 42 | path: ./dist 43 | # - deploy: 44 | # name: Deploy to github when on master 45 | # command: | 46 | # if [ "${CIRCLE_BRANCH}" == "master" ]; then 47 | # go get github.com/tcnksm/ghr 48 | # ghr -t $GITHUB_TOKEN -u $CIRCLE_PROJECT_USERNAME -r $CIRCLE_PROJECT_REPONAME --replace `git describe --tags` dist/ 49 | # fi 50 | 51 | workflows: 52 | version: 2 53 | build_all: 54 | jobs: 55 | - build-linux 56 | - build-osx 57 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .idea 2 | git-seekret 3 | vendor 4 | releases 5 | libgit* 6 | *.tar.gz 7 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright 2016 - Albert Puigsech Galicia 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.rst: -------------------------------------------------------------------------------- 1 | |Build Status| 2 | 3 | =========== 4 | git-seekret 5 | =========== 6 | 7 | Git module that prevents you from committing sensitive information into your repositories. 8 | 9 | Description 10 | =========== 11 | 12 | ``git-seekret`` inspects commits and/or staged (and uncommitted) files, to 13 | prevent you from adding sensitive information into git repositories. You can integrate it 14 | with git hooks, forcing it to analyze all staged files before they are 15 | included into a commit. 16 | 17 | For more about how and why 18F uses this module, see `"Automated scanning for sensitive information in the development lifecycle" 18 | `_. 19 | 20 | 21 | Installing git-seekret 22 | ====================== 23 | 24 | You need the following tools and libraries to make it work properly: 25 | 26 | * glide 27 | * pkg-config 28 | * golang >= 1.6 29 | * libgit >= 2.24 30 | 31 | 32 | ``git-seekret`` uses ``Glide`` to maintain its dependencies. 33 | 34 | Follow the instructions for installing Glide: https://github.com/Masterminds/glide#install 35 | 36 | :: 37 | 38 | glide install 39 | go build 40 | 41 | This builds a binary ``git-seekret``. Currently, there is no cross platform way to install ``git-seekret`` (e.g. Install via Brew for OS X). To make the binary widely available to the user, you need to copy it to the system's ``bin`` folder. 42 | 43 | :: 44 | 45 | cp ./git-seekret /usr/local/bin 46 | 47 | Usage 48 | ===== 49 | 50 | :: 51 | 52 | General Options: 53 | 54 | NAME: 55 | git-seekret - prevent from committing sensitive information into git repository 56 | 57 | USAGE: 58 | git-seekret [global options] command [command options] [arguments...] 59 | 60 | VERSION: 61 | 0.0.1 62 | 63 | AUTHOR(S): 64 | Albert Puigsech Galicia 65 | 66 | COMMANDS: 67 | config manage configuration seetings 68 | rules manage rules 69 | check inspect git repository 70 | hook manage git hooks 71 | help, h Shows a list of commands or help for one command 72 | 73 | GLOBAL OPTIONS: 74 | --global 75 | --help, -h show help 76 | --version, -v print the version 77 | 78 | 79 | ``--global`` 80 | 81 | 82 | Rules and Exceptions 83 | ==================== 84 | 85 | The definition of rules and exceptions for ``git-seekret`` are defined by the `seekret go library. Proper documentation for this library can be found here: 86 | 87 | https://github.com/apuigsech/seekret 88 | 89 | Once you download the secrets, you will need to set your ``SEEKRET_RULES_PATH`` environment variable to point to the location of the rules. 90 | This is needed because by default, the ``seekret`` library will look for the rules in ``$GOPATH/src/github.com/apuigsech/seekret/rules``. 91 | 92 | 93 | Hands-On 94 | ======== 95 | 96 | The repository seekret-secrets is prepared to test ``git-seekret`, and can be used to perform the following hands-on examples: 97 | 98 | :: 99 | 100 | $ git clone https://github.com/apuigsech/seekret-secrets 101 | 102 | $ cd seekret-secrets 103 | 104 | $ git seekret config --init 105 | Config: 106 | version = 1 107 | rulespath = /Users/apuigsech/Develop//.go/src/github.com/apuigsech/seekret/rules 108 | rulesenabled = 109 | exceptionsfile = 110 | 111 | $ git seekret rules 112 | List of rules: 113 | [ ] aws.secret_key 114 | [ ] aws.access_key 115 | [ ] certs.rsa 116 | [ ] certs.generic 117 | [ ] certs.pgp 118 | [ ] password.pass 119 | [ ] password.cred 120 | [ ] password.password 121 | [ ] password.pwd 122 | [ ] unix.passwd 123 | 124 | $ git seekret rules --enable password.password 125 | List of rules: 126 | [ ] aws.secret_key 127 | [ ] aws.access_key 128 | [ ] certs.generic 129 | [ ] certs.pgp 130 | [ ] certs.rsa 131 | [x] password.password 132 | [ ] password.pwd 133 | [ ] password.pass 134 | [ ] password.cred 135 | [ ] unix.passwd 136 | 137 | $ git seekret check -c 1 # Check on last commit. 138 | Found Secrets: 9 139 | secret_6:2 140 | - Metadata: 141 | commit: 442d574a5e233d9cec7d245f7c85177cd1a827e4 142 | uniq-id: e4ac21ceef17fff49d2f0d1fdd46f0abe7d0f62c 143 | - Rule: 144 | password.password 145 | - Content: 146 | password = 's3cr3t' 147 | secret_8:5 148 | - Metadata: 149 | uniq-id: 373978394eb25268890ebee17966024300f3997b 150 | commit: 442d574a5e233d9cec7d245f7c85177cd1a827e4 151 | - Rule: 152 | password.password 153 | - Content: 154 | password = 'thisISnotSECRET' 155 | 156 | ... 157 | 158 | $ git seekret check -s # Check on staged files. 159 | Found Secrets: 0 160 | 161 | $ echo "password = 'this is super secret'" > new_file 162 | 163 | $ git add new_file 164 | 165 | $ git seekret check -s 166 | Found Secrets: 1 167 | new_file:1 168 | - Metadata: 169 | status: test 170 | - Rule: 171 | password.password 172 | - Content: 173 | password = 'this is super secret' 174 | 175 | 176 | 177 | .. |Build Status| image:: https://travis-ci.org/apuigsech/git-seekret.svg 178 | :target: https://travis-ci.org/apuigsech/seekret 179 | :width: 88px 180 | :height: 20px 181 | -------------------------------------------------------------------------------- /build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # This build script will any binaries that the laptop script needs 4 | # and places them inside the releases folder. 5 | # The binaries will only be targeted to Mac OS X (64-bit) 6 | # After the binaries are compiled, you will need to put them in 7 | # a GitHub Release for them to be publiclly accessible. 8 | set -e 9 | 10 | LIBGITVER="0.25.1" 11 | LIBSSHVER="1.8.0" 12 | LIBCURLVER="7.54.0" 13 | OPENSSLVER="1.0.2k" 14 | 15 | RELEASE_PATH=$(pwd)/releases 16 | BIN_RELEASE_PATH=$(pwd)/dist 17 | 18 | function compile_openssl() { 19 | rm -rf openssl-${OPENSSLVER} 20 | if [ ! -f openssl-${OPENSSLVER}.tar.gz ]; then 21 | curl --progress-bar -L -o openssl-${OPENSSLVER}.tar.gz https://www.openssl.org/source/openssl-${OPENSSLVER}.tar.gz 22 | fi 23 | tar -xzf openssl-${OPENSSLVER}.tar.gz 24 | pushd openssl-${OPENSSLVER} 25 | ./Configure "$OPENSSL_TARGET" no-shared no-ssl2 no-ssl3 no-zlib --prefix="${RELEASE_PATH}/openssl" --openssldir="${RELEASE_PATH}/openssl" 26 | make depend && make 27 | make install 28 | popd 29 | } 30 | 31 | function compile_libssh() { 32 | compile_openssl 33 | 34 | rm -rf libssh2-${LIBSSHVER} 35 | 36 | if [ ! -f libssh2-${LIBSSHVER}.tar.gz ]; then 37 | curl --progress-bar -L -o libssh2-${LIBSSHVER}.tar.gz https://www.libssh2.org/download/libssh2-${LIBSSHVER}.tar.gz 38 | fi 39 | tar -xzf libssh2-${LIBSSHVER}.tar.gz 40 | pushd libssh2-${LIBSSHVER} 41 | export PKG_CONFIG_PATH="${RELEASE_PATH}/openssl/lib/pkgconfig:${PKG_CONFIG_PATH}" 42 | export LIBSSL_PCFILE="${RELEASE_PATH}/openssl/lib/pkgconfig/libssl.pc" 43 | export LIBCRYPTO_PCFILE="${RELEASE_PATH}/openssl/lib/pkgconfig/libcrypto.pc" 44 | LIBSSL_CFLAGS=$(pkg-config --static --cflags "$LIBSSL_PCFILE") || exit 1 45 | LIBCRYPTO_CFLAGS=$(pkg-config --static --cflags "$LIBCRYPTO_PCFILE") || exit 1 46 | LIBSSL_LDFLAGS=$(pkg-config --static --libs-only-L "$LIBSSL_PCFILE") || exit 1 47 | LIBCRYPTO_LDFLAGS=$(pkg-config --static --libs-only-L "$LIBCRYPTO_PCFILE") || exit 1 48 | LIBSSL_LIBS=$(pkg-config --static --libs-only-l --libs-only-other "$LIBSSL_PCFILE") || exit 1 49 | LIBCRYPTO_LIBS=$(pkg-config --static --libs-only-l --libs-only-other "$LIBCRYPTO_PCFILE") || exit 1 50 | export LDFLAGS="${LIBSSL_LDFLAGS} ${LIBCRYPTO_LDFLAGS} ${LDFLAGS}" 51 | export CFLAGS="${LIBSSL_CFLAGS} ${LIBCRYPTO_CFLAGS} ${CFLAGS}" 52 | export LIBS="${LIBSSL_LIBS} ${LIBCRYPTO_LIBS} ${LIBS}" 53 | ./configure --target="$HOSTCONFIG" --build="$BUILDCONFIG" --host="$HOSTCONFIG" --disable-examples-build --disable-shared --with-libssl-prefix="${RELEASE_PATH}/openssl" --prefix="${RELEASE_PATH}/libssh2" 54 | make && make install 55 | popd 56 | } 57 | 58 | function compile_libcurl() { 59 | compile_libssh 60 | 61 | rm -rf curl-${LIBCURLVER} 62 | if [ ! -f curl-${LIBCURLVER}.tar.gz ]; then 63 | curl --progress-bar -L -o curl-${LIBCURLVER}.tar.gz https://curl.haxx.se/download/curl-${LIBCURLVER}.tar.gz 64 | fi 65 | tar -xzf curl-${LIBCURLVER}.tar.gz 66 | pushd curl-${LIBCURLVER} 67 | export PKG_CONFIG_PATH="${RELEASE_PATH}/libssh2/lib/pkgconfig:${PKG_CONFIG_PATH}" 68 | export LIBSSH2_PCFILE="${RELEASE_PATH}/libssh2/lib/pkgconfig/libssh2.pc" 69 | LIBSSH2_CFLAGS=$(pkg-config --static --cflags "${LIBSSH2_PCFILE}") || exit 1 70 | LIBSSH2_LDFLAGS=$(pkg-config --static --libs-only-L "${LIBSSH2_PCFILE}") || exit 1 71 | LIBSSH2_LIBS=$(pkg-config --static --libs-only-l --libs-only-other "${LIBSSH2_PCFILE}") || exit 1 72 | export LDFLAGS="${LIBSSH2_LDFLAGS} ${LDFLAGS}" 73 | export CFLAGS="${LIBSSH2_CFLAGS} ${CFLAGS}" 74 | export LIBS="${LIBSSH2_LIBS} ${LIBS}" 75 | ./configure --target="$HOSTCONFIG" --build="$BUILDCONFIG" --host="$HOSTCONFIG" --with-ssl="${RELEASE_PATH}/openssl" --with-libssh2="${RELEASE_PATH}/libssh2" --without-librtmp --disable-ldap --disable-shared --prefix="${RELEASE_PATH}/curl" 76 | make && make install 77 | popd 78 | } 79 | 80 | function compile_libgit() { 81 | compile_libcurl 82 | 83 | rm -rf "$RELEASE_PATH/libgit2" 84 | rm -rf libgit2-${LIBGITVER} 85 | if [ ! -f libgit2-${LIBGITVER}.tar.gz ]; then 86 | curl --progress-bar -L -o libgit2-${LIBGITVER}.tar.gz https://github.com/libgit2/libgit2/archive/v${LIBGITVER}.tar.gz 87 | fi 88 | tar -xzf libgit2-${LIBGITVER}.tar.gz 89 | mkdir -p libgit2-${LIBGITVER}/build 90 | export PKG_CONFIG_PATH="${RELEASE_PATH}/curl/lib/pkgconfig:${PKG_CONFIG_PATH}" 91 | export LIBCURL_PCFILE="${RELEASE_PATH}/curl/lib/pkgconfig/libcurl.pc" 92 | pushd libgit2-${LIBGITVER}/build 93 | cmake -DCMAKE_SYSTEM_NAME="$CMAKE_SYSTEM_NAME" \ 94 | -DCMAKE_C_COMPILER="${CC:-gcc}" \ 95 | -DTHREADSAFE=ON \ 96 | -DBUILD_CLAR=OFF \ 97 | -DBUILD_SHARED_LIBS=OFF \ 98 | -DCMAKE_C_FLAGS="-fPIC ${CFLAGS}"\ 99 | -DCMAKE_INSTALL_PREFIX="$RELEASE_PATH/libgit2" .. 100 | cmake --build . --target install 101 | popd 102 | } 103 | 104 | function compile_git_seekrets() { 105 | 106 | if which go > /dev/null; then 107 | echo "Found Go toolchain" 108 | else 109 | echo "Go toolchain does not exist." 110 | if [ "x$OS" == "xdarwin" ]; then 111 | brew install go 112 | else 113 | echo "Please install golang from your package manager or from https://golang.org/dl/" 114 | exit 1 115 | fi 116 | fi 117 | 118 | if [ -z "$GOPATH" ]; then 119 | export GOPATH=/go 120 | fi 121 | 122 | # build it 123 | case $OSTYPE in 124 | linux*) 125 | export GOOS=linux 126 | export HOSTCONFIG=x86_64-unknown-linux-gnu 127 | export BUILDCONFIG="$HOSTCONFIG" 128 | export OPENSSL_TARGET="linux-x86_64" 129 | export CMAKE_SYSTEM_NAME=Linux 130 | SUFFIX=linux 131 | ;; 132 | darwin*) 133 | export GOOS=darwin 134 | export HOSTCONFIG=x86_64-apple-darwin15 135 | export BUILDCONFIG="$HOSTCONFIG" 136 | export OPENSSL_TARGET="darwin64-x86_64-cc" 137 | export CMAKE_SYSTEM_NAME=Darwin 138 | SUFFIX=osx 139 | if [ -n "$CROSS_DIR" ]; then 140 | export CC="$HOSTCONFIG-clang" 141 | export CXX="$HOSTCONFIG-clang++" 142 | export MAKEDEPPROG="$CC" 143 | export AR="${HOSTCONFIG}-ar" 144 | export AS="${HOSTCONFIG}-as" 145 | export LD="${HOSTCONFIG}-ld" 146 | export LIBTOOL="${HOSTCONFIG}-libtool" 147 | export RANLIB="${HOSTCONFIG}-ranlib" 148 | export NM="${HOSTCONFIG}-nm" 149 | export BUILDCONFIG=x86_64-unknown-linux-gnu 150 | fi 151 | ;; 152 | *) 153 | echo "unknown platform: $OSTYPE" 154 | echo "Trying to build anyway" 155 | SUFFIX=$OSTYPE 156 | ;; 157 | esac 158 | 159 | compile_libgit 160 | 161 | if which glide > /dev/null; then 162 | echo "Found glide" 163 | else 164 | echo "glide does not exist. Installing..." 165 | (curl --progress-bar https://glide.sh/get | sh) 166 | fi 167 | rm -rf vendor 168 | glide install 169 | ln -sf "$(pwd)/libgit2-${LIBGITVER}/build" "${GOPATH}/src/github.com/18F/git-seekret/vendor/github.com/libgit2/git2go/vendor/libgit2/build" 170 | 171 | export GOARCH=amd64 172 | export PKG_CONFIG_PATH="${RELEASE_PATH}/libgit2/lib/pkgconfig:${PKG_CONFIG_PATH}" 173 | export LIBGIT_PCFILE="${RELEASE_PATH}/libgit2/lib/pkgconfig/libgit2.pc" 174 | LIBGIT_LDFLAGS=$(pkg-config --static --libs-only-L "$LIBGIT_PCFILE") || exit 1 175 | LIBGIT_LIBS=$(pkg-config --static --libs-only-l --libs-only-other "$LIBGIT_PCFILE") || exit 1 176 | export CGO_ENABLED=1 177 | export CGO_LDFLAGS="$LDFLAGS $LIBS $LIBGIT_LDFLAGS $LIBGIT_LIBS" 178 | export CGO_CFLAGS="$CFLAGS" 179 | export BINARY="$BIN_RELEASE_PATH/git-seekret-$SUFFIX" 180 | go build -tags static -ldflags "-linkmode external -extldflags '${CGO_LDFLAGS}'" -o "$BINARY" 181 | echo 182 | echo "Build complete. Release binary: $BINARY" 183 | echo 184 | } 185 | 186 | function test_git_seekrets() { 187 | echo 188 | if [ -z "$CROSS_DIR" ]; then 189 | echo "Trying to run git-seekret.." 190 | "$BINARY" || exit 1 191 | echo 192 | else 193 | echo "Compiled binary type:" 194 | file "$BINARY" || exit 1 195 | fi 196 | echo "Running tests.." 197 | go test -tags static "$(glide nv)" 198 | echo 199 | echo "..All Done" 200 | } 201 | 202 | rm -rf "$RELEASE_PATH" "$BIN_RELEASE_PATH" 203 | mkdir -p "$RELEASE_PATH" 204 | mkdir -p "$BIN_RELEASE_PATH" 205 | 206 | compile_git_seekrets 207 | test_git_seekrets 208 | -------------------------------------------------------------------------------- /check.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "github.com/18F/seekret/sources/git" 6 | "runtime" 7 | ) 8 | 9 | func (gs *gitSeekret) RunCheck(options map[string]interface{}) (int, error) { 10 | 11 | err := gs.seekret.LoadObjects(sourcegit.SourceTypeGit, gs.repo, options) 12 | if err != nil { 13 | return 0, err 14 | } 15 | 16 | gs.seekret.Inspect(runtime.NumCPU()) 17 | 18 | listSecrets := gs.seekret.ListSecrets() 19 | fmt.Printf("Found Secrets: %d\n", len(listSecrets)) 20 | for _, s := range listSecrets { 21 | fmt.Printf("\t%s:%d\n", s.Object.Name, s.Nline) 22 | fmt.Printf("\t\t- Metadata:\n") 23 | for k, v := range s.Object.Metadata { 24 | fmt.Printf("\t\t %s: %s\n", k, v) 25 | } 26 | fmt.Printf("\t\t- Rule:\n\t\t %s\n", s.Rule.Name) 27 | 28 | fmt.Printf("\t\t- Content:\n\t\t %s\n", s.Line) 29 | } 30 | 31 | return len(listSecrets), nil 32 | 33 | } 34 | -------------------------------------------------------------------------------- /config.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "errors" 5 | "fmt" 6 | "github.com/18F/seekret" 7 | "github.com/18F/seekret/models" 8 | "github.com/libgit2/git2go" 9 | "os" 10 | "path/filepath" 11 | "strings" 12 | ) 13 | 14 | type gitSeekretConfig struct { 15 | version int32 16 | rulespath string 17 | rulesenabled string 18 | exceptionsfile string 19 | } 20 | 21 | func (gs *gitSeekret) InitConfig() error { 22 | gitConfig, err := openGitConfig(gs.configLevel, gs.repo) 23 | if err != nil { 24 | return err 25 | } 26 | defer gitConfig.Free() 27 | 28 | gs.config = &gitSeekretConfig{ 29 | version: 1, 30 | rulespath: seekret.DefaultRulesPath(), 31 | rulesenabled: "", 32 | exceptionsfile: "", 33 | } 34 | 35 | err = gs.CheckConfig() 36 | if err != nil { 37 | return err 38 | } 39 | 40 | err = gs.RunConfig() 41 | if err != nil { 42 | return err 43 | } 44 | 45 | return nil 46 | } 47 | 48 | func (gs *gitSeekret) CheckConfig() error { 49 | if gs.config == nil { 50 | return errors.New("Undefined config file.") 51 | } 52 | _, err := os.Stat(gs.config.rulespath) 53 | if err != nil { 54 | // If we are using the default rules path, let the user know that there is a SEEKRET_RULES_PATH env var. 55 | // We don't want to tell the user to use the default path and to instead override it with the 56 | // SEEKRET_RULES_PATH env var. 57 | if gs.config.rulespath == seekret.DefaultRulesPath() || os.Getenv("SEEKRET_RULES_PATH") == "" { 58 | return fmt.Errorf("Unable to use default rulespath \"%s\".\nSystem Error: %s\n\nHOW TO FIX:\n"+ 59 | "Create your own rules folder and set the path of the folder to"+ 60 | "\"SEEKRET_RULES_PATH\" in your environment to override the default rules path.\n"+ 61 | "Example command to create folder:\n$ mkdir -p $HOME/.seekret_rules && "+ 62 | "export $SEEKRET_RULES_PATH=$HOME/.seekret_rules\n"+ 63 | "Reinitialize your config afterwards.\n", gs.config.rulespath, err.Error()) 64 | } else { 65 | // If something goes really wrong, just return a generic error. 66 | return fmt.Errorf("Unable to use rulespath \"%s\". Ensure it exists and you"+ 67 | "have permission to read from it. Reinitialize your config afterwards.\n"+ 68 | "System Error: %s\n", gs.config.rulespath, err.Error()) 69 | } 70 | } 71 | return nil 72 | } 73 | 74 | func (gs *gitSeekret) LoadConfig(run bool) error { 75 | gitConfig, err := openGitConfig(gs.configLevel, gs.repo) 76 | if err != nil { 77 | return err 78 | } 79 | defer gitConfig.Free() 80 | 81 | version, err := gitConfig.LookupInt32("gitseekret.version") 82 | if err != nil { 83 | return err 84 | } 85 | 86 | rulespath, err := gitConfig.LookupString("gitseekret.rulespath") 87 | if err != nil { 88 | return err 89 | } 90 | 91 | rulesenabled, err := gitConfig.LookupString("gitseekret.rulesenabled") 92 | if err != nil { 93 | return err 94 | } 95 | 96 | exceptionsfile, err := gitConfig.LookupString("gitseekret.exceptionsfile") 97 | if err != nil { 98 | return err 99 | } 100 | 101 | gs.config = &gitSeekretConfig{ 102 | version: version, 103 | rulespath: rulespath, 104 | rulesenabled: rulesenabled, 105 | exceptionsfile: exceptionsfile, 106 | } 107 | 108 | if run { 109 | err = gs.CheckConfig() 110 | if err != nil { 111 | return err 112 | } 113 | err = gs.RunConfig() 114 | if err != nil { 115 | return err 116 | } 117 | } 118 | 119 | return nil 120 | } 121 | 122 | func (gs *gitSeekret) SaveConfig() error { 123 | gitConfig, err := openGitConfig(gs.configLevel, gs.repo) 124 | if err != nil { 125 | return err 126 | } 127 | defer gitConfig.Free() 128 | 129 | err = gitConfig.SetInt32("gitseekret.version", gs.config.version) 130 | if err != nil { 131 | return err 132 | } 133 | 134 | err = gitConfig.SetString("gitseekret.rulespath", gs.config.rulespath) 135 | if err != nil { 136 | return err 137 | } 138 | 139 | err = gitConfig.SetString("gitseekret.rulesenabled", buildRulesEnabledString(gs.seekret.ListRules())) 140 | if err != nil { 141 | return err 142 | } 143 | 144 | err = gitConfig.SetString("gitseekret.exceptionsfile", gs.config.exceptionsfile) 145 | if err != nil { 146 | return err 147 | } 148 | 149 | return nil 150 | } 151 | 152 | func (gs *gitSeekret) RunConfig() error { 153 | // TODO: Relative path from repo root. 154 | err := gs.seekret.LoadRulesFromPath(gs.config.rulespath, false) 155 | if err != nil { 156 | return err 157 | } 158 | 159 | for _, rule := range strings.Split(gs.config.rulesenabled, ",") { 160 | gs.seekret.EnableRule(rule) 161 | } 162 | 163 | // TODO: Relative path from repo root. 164 | if gs.config.exceptionsfile != "" { 165 | err := gs.seekret.LoadExceptionsFromFile(gs.config.exceptionsfile) 166 | if err != nil { 167 | return err 168 | } 169 | } 170 | 171 | return nil 172 | } 173 | 174 | func openGitConfig(configLevel git.ConfigLevel, repo string) (*git.Config, error) { 175 | var gitConfig *git.Config 176 | var err error 177 | 178 | if configLevel == git.ConfigLevelLocal { 179 | r, err := git.OpenRepositoryExtended(repo, git.RepositoryOpenCrossFs, "") 180 | if err != nil { 181 | return nil, err 182 | } 183 | 184 | gitConfig, err = r.Config() 185 | if err != nil { 186 | return nil, err 187 | } 188 | } else { 189 | var configFile string 190 | switch configLevel { 191 | case git.ConfigLevelSystem: 192 | configFile, err = git.ConfigFindSystem() 193 | case git.ConfigLevelGlobal: 194 | configFile, err = git.ConfigFindGlobal() 195 | case git.ConfigLevelXDG: 196 | configFile, err = git.ConfigFindXDG() 197 | } 198 | if err != nil { 199 | return nil, err 200 | } 201 | configFile, err = filepath.EvalSymlinks(configFile) 202 | if err != nil { 203 | return nil, err 204 | } 205 | configFile, err = filepath.Abs(configFile) 206 | if err != nil { 207 | return nil, err 208 | } 209 | gitConfig, err = git.OpenOndisk(nil, configFile) 210 | if err != nil { 211 | return nil, err 212 | } 213 | } 214 | 215 | return gitConfig, nil 216 | } 217 | 218 | func buildRulesEnabledString(listRules []models.Rule) string { 219 | rulesenabled := make([]string, 0, len(listRules)) 220 | for _, rule := range listRules { 221 | if rule.Enabled { 222 | rulesenabled = append(rulesenabled, rule.Name) 223 | } 224 | } 225 | return strings.Join(rulesenabled, ",") 226 | } 227 | -------------------------------------------------------------------------------- /gitseekret.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "github.com/18F/seekret" 5 | "github.com/libgit2/git2go" 6 | ) 7 | 8 | const gitSeekretConfigVersion = 1 9 | 10 | type gitSeekret struct { 11 | repo string 12 | configLevel git.ConfigLevel 13 | seekret *seekret.Seekret 14 | config *gitSeekretConfig 15 | } 16 | 17 | func NewGitSeekret(repo string, configLevel git.ConfigLevel) (*gitSeekret, error) { 18 | var err error 19 | 20 | repo, err = repoBasePath(repo) 21 | if err != nil { 22 | return nil, err 23 | } 24 | 25 | gs := &gitSeekret{ 26 | repo: repo, 27 | configLevel: configLevel, 28 | seekret: seekret.NewSeekret(), 29 | } 30 | 31 | return gs, nil 32 | } 33 | 34 | func (gs *gitSeekret) EnableRule(name string) int { 35 | return gs.seekret.EnableRuleByRegexp(name) 36 | } 37 | 38 | func (gs *gitSeekret) DisableRule(name string) int { 39 | return gs.seekret.DisableRuleByRegexp(name) 40 | } 41 | 42 | func repoBasePath(repo string) (string, error) { 43 | r, err := git.OpenRepositoryExtended(repo, git.RepositoryOpenCrossFs, "") 44 | if err != nil { 45 | return "", err 46 | } 47 | 48 | path := r.Path() 49 | 50 | r.Free() 51 | 52 | return path, nil 53 | } 54 | -------------------------------------------------------------------------------- /glide.lock: -------------------------------------------------------------------------------- 1 | hash: a83e554c731d44030019154c57b1f28082b195d5024cd9ce54990e01e20ee106 2 | updated: 2017-04-22T14:57:50.71592618-04:00 3 | imports: 4 | - name: github.com/18F/seekret 5 | version: 27bffd7845abab1dbdd480b0ef844ce9b1c1a7b1 6 | subpackages: 7 | - models 8 | - sources/git 9 | - name: github.com/codahale/blake2 10 | version: 8d10d0420cbfbdc9c1164c0c4ad3457a6c3771b9 11 | - name: github.com/emptyinterface/sshconfig 12 | version: 9c4bfc0173e290759f33f37c0dcdb9af924be939 13 | - name: github.com/libgit2/git2go 14 | version: 7cd5a4e731e982391b9274e17c7f32050d8e5b15 15 | - name: github.com/urfave/cli 16 | version: 8ba6f23b6e36d03666a14bd9421f5e3efcb59aca 17 | - name: gopkg.in/yaml.v2 18 | version: cd8b52f8269e0feb286dfeef29f8fe4d5b397e0b 19 | testImports: [] 20 | -------------------------------------------------------------------------------- /glide.yaml: -------------------------------------------------------------------------------- 1 | package: github.com/18F/git-seekret 2 | import: 3 | - package: github.com/18F/seekret 4 | subpackages: 5 | - models 6 | - sources/git 7 | - package: github.com/libgit2/git2go 8 | - package: github.com/urfave/cli 9 | -------------------------------------------------------------------------------- /hook_pre-commit.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "github.com/urfave/cli" 5 | ) 6 | 7 | func HookPreCommitEnable(args []string) (string, error) { 8 | return "git seekret hook --run pre-commit\n", nil 9 | } 10 | 11 | func HookPreCommitDisable(args []string) error { 12 | return nil 13 | } 14 | 15 | func HookPreCommitRun(args []string) error { 16 | options := map[string]interface{}{ 17 | "commit-files": false, 18 | "staged-files": true, 19 | } 20 | 21 | secrets, err := gs.RunCheck(options) 22 | if err != nil { 23 | return err 24 | } 25 | if secrets != 0 { 26 | return cli.NewExitError("commit cannot proceed", 1) 27 | } 28 | 29 | return nil 30 | } 31 | -------------------------------------------------------------------------------- /main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "github.com/libgit2/git2go" 5 | "github.com/urfave/cli" 6 | "log" 7 | "os" 8 | "path/filepath" 9 | ) 10 | 11 | var gs *gitSeekret 12 | 13 | func main() { 14 | app := cli.NewApp() 15 | 16 | app.Name = "git-seekret" 17 | app.Version = "0.0.2" 18 | app.Usage = "prevent from committing sensitive information into git repository" 19 | 20 | app.Author = "Albert Puigsech Galicia" 21 | app.Email = "albert@puigsech.com" 22 | 23 | app.EnableBashCompletion = false 24 | 25 | app.Flags = []cli.Flag{ 26 | cli.BoolFlag{ 27 | Name: "global", 28 | }, 29 | } 30 | app.Commands = []cli.Command{ 31 | { 32 | Name: "config", 33 | Usage: "manage configuration seetings", 34 | Action: GitSeekretConfig, 35 | Flags: []cli.Flag{ 36 | cli.BoolFlag{ 37 | Name: "init", 38 | Usage: "initialize configuration with default values", 39 | }, 40 | cli.StringFlag{ 41 | Name: "set, s", 42 | Usage: "set value for specific setting", 43 | Value: "", 44 | }, 45 | }, 46 | }, 47 | { 48 | Name: "rules", 49 | Usage: "manage rules", 50 | Action: GitSeekretRules, 51 | Flags: []cli.Flag{ 52 | cli.StringFlag{ 53 | Name: "enable, e", 54 | Usage: "enable rules", 55 | Value: "", 56 | }, 57 | cli.StringFlag{ 58 | Name: "disable, d", 59 | Usage: "disable rule", 60 | Value: "", 61 | }, 62 | cli.BoolFlag{ 63 | Name: "enable-all", 64 | Usage: "enable all rules", 65 | }, 66 | cli.BoolFlag{ 67 | Name: "disable-all", 68 | Usage: "disable all rules", 69 | }, 70 | }, 71 | }, 72 | { 73 | Name: "check", 74 | Usage: "inspect git repository", 75 | Action: GitSeekretCheck, 76 | Flags: []cli.Flag{ 77 | cli.IntFlag{ 78 | Name: "commit, c", 79 | Usage: "include commited files. Argument is the number of commits to inspect (0 = all)", 80 | Value: 0, 81 | }, 82 | cli.BoolFlag{ 83 | Name: "staged, s", 84 | Usage: "include staged files", 85 | }, 86 | }, 87 | }, 88 | { 89 | Name: "hook", 90 | Usage: "manage git hooks", 91 | Action: GitSeekretHook, 92 | Flags: []cli.Flag{ 93 | cli.StringFlag{ 94 | Name: "run, r", 95 | Usage: "TBD", 96 | Value: "", 97 | }, 98 | cli.StringFlag{ 99 | Name: "enable, e", 100 | Usage: "TBD", 101 | Value: "", 102 | }, 103 | cli.StringFlag{ 104 | Name: "disable, d", 105 | Usage: "TBD", 106 | Value: "", 107 | }, 108 | cli.BoolFlag{ 109 | Name: "enable-all", 110 | Usage: "TBD", 111 | }, 112 | cli.BoolFlag{ 113 | Name: "disable-all", 114 | Usage: "TBD", 115 | }, 116 | }, 117 | }, 118 | } 119 | 120 | app.Before = gitSeekretBefore 121 | app.After = gitSeekretAfter 122 | 123 | app.Run(os.Args) 124 | } 125 | 126 | func gitSeekretBefore(c *cli.Context) error { 127 | var configLevel git.ConfigLevel 128 | var err error 129 | var repoPath string 130 | 131 | if c.Bool("global") { 132 | configLevel = git.ConfigLevelGlobal 133 | } else { 134 | configLevel = git.ConfigLevelLocal 135 | } 136 | 137 | repoPath, err = filepath.Abs(".") 138 | if err != nil { 139 | log.Panic(err) 140 | } 141 | 142 | gs, err = NewGitSeekret(repoPath, configLevel) 143 | if err != nil { 144 | log.Panic(err) 145 | } 146 | 147 | return nil 148 | } 149 | 150 | func gitSeekretAfter(c *cli.Context) error { 151 | return nil 152 | } 153 | -------------------------------------------------------------------------------- /main_check.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "github.com/libgit2/git2go" 6 | "github.com/urfave/cli" 7 | ) 8 | 9 | func GitSeekretCheck(c *cli.Context) error { 10 | err := gs.LoadConfig(true) 11 | if git.IsErrorClass(err, git.ErrClassConfig) { 12 | return fmt.Errorf("Config not initialised - Try: 'git-seekret config --init'") 13 | } 14 | if err != nil { 15 | return err 16 | } 17 | 18 | options := map[string]interface{}{ 19 | "commit-files": false, 20 | "staged-files": false, 21 | } 22 | 23 | if c.IsSet("commit") { 24 | options["commit-files"] = true 25 | options["commit-messages"] = true 26 | options["commit-count"] = c.Int("commit") 27 | } 28 | 29 | if c.IsSet("staged") { 30 | options["staged-files"] = true 31 | } 32 | 33 | secrets, err := gs.RunCheck(options) 34 | if err != nil { 35 | return err 36 | } 37 | if secrets != 0 { 38 | return fmt.Errorf("Please remove discovered secrets") 39 | } 40 | 41 | return nil 42 | } 43 | -------------------------------------------------------------------------------- /main_config.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "github.com/libgit2/git2go" 6 | "github.com/urfave/cli" 7 | "strings" 8 | ) 9 | 10 | func GitSeekretConfig(c *cli.Context) error { 11 | if c.Bool("init") { 12 | err := gs.InitConfig() 13 | if err != nil { 14 | return err 15 | } 16 | } else { 17 | err := gs.LoadConfig(true) 18 | if git.IsErrorClass(err, git.ErrClassConfig) { 19 | return fmt.Errorf("Config not initialised - Try: 'git-seekret config --init'") 20 | } 21 | if err != nil { 22 | return err 23 | } 24 | } 25 | 26 | set := c.String("set") 27 | 28 | if set != "" { 29 | a := strings.SplitN(set, "=", 2) 30 | key := a[0] 31 | value := "" 32 | if len(a) == 2 { 33 | value = a[1] 34 | fmt.Println("Value:", value) 35 | } 36 | 37 | err := setConfig(gs.config, key, value) 38 | if err != nil { 39 | return err 40 | } 41 | } 42 | 43 | gs.SaveConfig() 44 | 45 | showConfig(gs.config) 46 | 47 | return nil 48 | } 49 | 50 | func setConfig(config *gitSeekretConfig, key string, value interface{}) error { 51 | switch key { 52 | case "version": 53 | return fmt.Errorf("not suported") 54 | case "rulespath": 55 | rulespath, ok := value.(string) 56 | if !ok { 57 | return fmt.Errorf("invalid format") 58 | } 59 | config.rulespath = rulespath 60 | case "rulesenabled": 61 | return fmt.Errorf("not suported - change enabled rules using 'git-seekret rules'") 62 | case "exceptionsfile": 63 | exceptionsfile, ok := value.(string) 64 | if !ok { 65 | return fmt.Errorf("invalid format") 66 | } 67 | config.exceptionsfile = exceptionsfile 68 | } 69 | return nil 70 | } 71 | 72 | func showConfig(config *gitSeekretConfig) { 73 | fmt.Printf("Config:\n") 74 | fmt.Printf("\tversion = %d\n", config.version) 75 | fmt.Printf("\trulespath = %s\n", config.rulespath) 76 | fmt.Printf("\trulesenabled = %s\n", config.rulesenabled) 77 | fmt.Printf("\texceptionsfile = %s\n", config.exceptionsfile) 78 | } 79 | -------------------------------------------------------------------------------- /main_hook.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "github.com/libgit2/git2go" 6 | "github.com/urfave/cli" 7 | "os" 8 | ) 9 | 10 | type GitSeekretHookHandler struct { 11 | Enable func(args []string) (string, error) 12 | Disable func(args []string) error 13 | Run func(args []string) error 14 | } 15 | 16 | var listGitSeekretHookHandler map[string]GitSeekretHookHandler = map[string]GitSeekretHookHandler{ 17 | "pre-commit": GitSeekretHookHandler{ 18 | Enable: HookPreCommitEnable, 19 | Disable: HookPreCommitDisable, 20 | Run: HookPreCommitRun, 21 | }, 22 | } 23 | 24 | func GitSeekretHook(c *cli.Context) error { 25 | err := gs.LoadConfig(true) 26 | if git.IsErrorClass(err, git.ErrClassConfig) { 27 | return fmt.Errorf("Config not initialised - Try: 'git-seekret config --init'") 28 | } 29 | if err != nil { 30 | return err 31 | } 32 | 33 | enable := c.String("enable") 34 | disable := c.String("disable") 35 | 36 | if enable != "" { 37 | err := GitSeekretHookEnable(enable) 38 | if err != nil { 39 | return err 40 | } 41 | } 42 | 43 | if disable != "" { 44 | err := GitSeekretHookDisable(disable) 45 | if err != nil { 46 | return err 47 | } 48 | } 49 | 50 | if c.Bool("enable-all") { 51 | for name, _ := range listGitSeekretHookHandler { 52 | err := GitSeekretHookEnable(name) 53 | if err != nil { 54 | return err 55 | } 56 | } 57 | } 58 | 59 | if c.Bool("disable-all") { 60 | for name, _ := range listGitSeekretHookHandler { 61 | err := GitSeekretHookDisable(name) 62 | if err != nil { 63 | return err 64 | } 65 | } 66 | } 67 | 68 | run := c.String("run") 69 | 70 | if run != "" { 71 | handler, ok := listGitSeekretHookHandler[run] 72 | if ok && handler.Run != nil { 73 | err := handler.Run(nil) 74 | if err != nil { 75 | return err 76 | } 77 | } 78 | } 79 | 80 | return nil 81 | } 82 | 83 | func GitSeekretHookEnable(name string) error { 84 | var script string 85 | var err error 86 | 87 | handler, ok := listGitSeekretHookHandler[name] 88 | if ok && handler.Enable != nil { 89 | script, err = handler.Enable(nil) 90 | if err != nil { 91 | return err 92 | } 93 | } 94 | 95 | _ = script 96 | 97 | hookfile, err := getHookFile(name) 98 | if err != nil { 99 | return err 100 | } 101 | 102 | if _, err := os.Stat(hookfile); err == nil { 103 | hookfile_old := fmt.Sprintf("%s/hooks/%s.old", gs.repo, name) 104 | err = os.Rename(hookfile, hookfile_old) 105 | if err != nil { 106 | return err 107 | } 108 | } 109 | 110 | fh, err := os.Create(hookfile) 111 | if err != nil { 112 | return err 113 | } 114 | defer fh.Close() 115 | 116 | fh.WriteString("#!/usr/bin/env bash\n") 117 | fh.WriteString("PATH=$PATH:/usr/local/bin:/usr/local/sbin\n\n") 118 | fh.WriteString(script) 119 | fh.Close() 120 | 121 | err = os.Chmod(hookfile, 0755) 122 | if err != nil { 123 | return err 124 | } 125 | 126 | return nil 127 | } 128 | 129 | func GitSeekretHookDisable(name string) error { 130 | handler, ok := listGitSeekretHookHandler[name] 131 | if ok && handler.Disable != nil { 132 | err := handler.Disable(nil) 133 | if err != nil { 134 | return err 135 | } 136 | } 137 | 138 | hookfile, err := getHookFile(name) 139 | if err != nil { 140 | return err 141 | } 142 | 143 | err = os.Remove(hookfile) 144 | if err != nil { 145 | return err 146 | } 147 | 148 | return nil 149 | } 150 | 151 | func getHookFile(name string) (string, error) { 152 | hookfile := fmt.Sprintf("%s/hooks/%s", gs.repo, name) 153 | if gs.configLevel == git.ConfigLevelGlobal { 154 | gitConfig, err := openGitConfig(gs.configLevel, gs.repo) 155 | if err != nil { 156 | return hookfile, err 157 | } 158 | defer gitConfig.Free() 159 | 160 | hookspath, err := gitConfig.LookupString("core.hooksPath") 161 | if err != nil { 162 | return hookfile, err 163 | } 164 | hookfile = fmt.Sprintf("%s/%s", hookspath, name) 165 | } 166 | return hookfile, nil 167 | } 168 | -------------------------------------------------------------------------------- /main_rules.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "github.com/libgit2/git2go" 6 | "github.com/urfave/cli" 7 | ) 8 | 9 | func GitSeekretRules(c *cli.Context) error { 10 | err := gs.LoadConfig(true) 11 | if git.IsErrorClass(err, git.ErrClassConfig) { 12 | return fmt.Errorf("Config not initialised - Try: 'git-seekret config --init'") 13 | } 14 | if err != nil { 15 | return err 16 | } 17 | 18 | enable := c.String("enable") 19 | disable := c.String("disable") 20 | 21 | enableAll := c.Bool("enable-all") 22 | disableAll := c.Bool("disable-all") 23 | 24 | if enableAll { 25 | fmt.Println("Enabling all rules.") 26 | gs.EnableRule(".*") 27 | } else if disableAll { 28 | fmt.Println("Disabling all rules.") 29 | gs.DisableRule(".*") 30 | } 31 | 32 | // "all" represents that either enableAll or disableAll was triggered. 33 | all := (enableAll || disableAll) 34 | 35 | // If neither enableAll nor disableAll were used, let's look into doing 36 | // individual enable and/or disable operations. 37 | // Useful because in a single command you can specify both an --enable flag 38 | // and a --disable flag but only want to do it if neither enable-all or disable-all were used. 39 | if !all && enable != "" { 40 | gs.EnableRule(enable) 41 | } 42 | 43 | if !all && disable != "" { 44 | gs.DisableRule(disable) 45 | } 46 | 47 | fmt.Println("List of rules:") 48 | for _, r := range gs.seekret.ListRules() { 49 | status := " " 50 | if r.Enabled { 51 | status = "x" 52 | } 53 | fmt.Printf("\t[%s] %s\n", status, r.Name) 54 | } 55 | 56 | gs.SaveConfig() 57 | 58 | return nil 59 | } 60 | --------------------------------------------------------------------------------