README-windows-workstation.md

File metadata and controls

61 lines (37 loc) · 2.47 KB

Setup (Windows only)

Prerequisites

Ensure you have permission to execute PowerShell scripts. If this is not possible, you may be able to use WSL instead and set up git-secrets following the guide for Linux.

Setup

Copy the nhsd-git-secrets folder into the root of the project repository, then open a PowerShell terminal at the repo root and run:

  • cd .\nhsd-git-secrets\
  • cp .\gitallowed-base ../.gitallowed
  • .\install-windows.ps1

The next time you make a commit, the git-secrets hook should be invoked.

Troubleshooting

You should have 3 new files in the .git/hooks folder of the repository. If they are not present, make sure you have run the install script.

Custom configuration (per repo / per service team)

  • Add individual regex patterns to the existing repo_root/nhsd-git-secrets/nhsd-rules-deny.txt file
  • Or, create your own file of regex rules and add it as a provider within the pre-commit script, e.g.:

./nhsd-git-secrets/git-secrets --add-provider -- cat nhsd-git-secrets/nhsd-rules-deny.txt

  • Add file/directory excludes to repo_root/.gitallowed, e.g. .*terraform.tfstate.*:*

  • Choose between a full scan and a staged-files-only scan by commenting/uncommenting the mode to run within the pre-commit script, e.g.:

# Just scan the files changed in this commit
# ./nhsd-git-secrets/git-secrets --pre_commit_hook

# Scan all files within this repo for this commit
./nhsd-git-secrets/git-secrets --scan

Testing and Usage

To test that the hooks have been enabled correctly:

  • make sure you have run git add if you have changed anything within nhsd-git-secrets
  • create a file containing one or more patterns from the git-secrets/nhsd-rules-deny.txt file (e.g. password = "test")
  • stage and commit the file

You should see an output similar to: “[ERROR] Matched one or more prohibited patterns…”.

Note: this message may appear differently depending on the tools used.

If you get a false-positive match and your changes do not contain sensitive credentials, you can add the --no-verify flag to the commit command to skip the check.
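To see how the deny rules and the .gitallowed excludes described under Custom configuration combine, and why the test commit above is blocked while a tfstate path or a placeholder value is not, here is an added example that emulates git-secrets' matching in plain sh. It is not code from the nhsd-git-secrets repo: the rules, the .gitallowed entries and the sample repo files are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the nhsd-git-secrets repo: a minimal emulation of how
# git-secrets combines a deny-rules file with .gitallowed, so the allow-list format used
# in this README (e.g. ".*terraform.tfstate.*:*") can be tried offline. All file names
# and contents below are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed deny rules, one POSIX extended regex per line (stand-in for nhsd-rules-deny.txt).
cat > "$WORK/rules-deny.txt" <<'EOF'
password[[:space:]]*=[[:space:]]*.+
AKIA[0-9A-Z]{16}
EOF

# Constructed .gitallowed. Allowed patterns are matched against the *hit line*,
# formatted "file:lineno:content", which is why a path exclusion ends in ":*".
cat > "$WORK/gitallowed" <<'EOF'
.*terraform.tfstate.*:*
password[[:space:]]*=[[:space:]]*"CHANGE_ME"
EOF

# Constructed repo contents: one real-looking secret, one placeholder, one excluded path.
mkdir -p "$WORK/repo"
printf 'db_user = admin\npassword = "hunter2"\n' > "$WORK/repo/config.ini"
printf 'password = "CHANGE_ME"\n' > "$WORK/repo/config.example"
printf '"access_key": "AKIAABCDEFGHIJKLMNOP"\n' > "$WORK/repo/terraform.tfstate"

# scan_files RULES ALLOWED FILE...: prints hits that survive the allow-list as
# file:lineno:content and returns 1 (commit blocked) if any remain, 0 otherwise.
scan_files() {
    rules=$1; allowed=$2; shift 2
    # -H forces the file-name prefix even for a single file, -n adds the line number.
    hits=$(grep -HnE -f "$rules" -- "$@" 2>/dev/null || true)
    [ -n "$hits" ] || return 0
    # Drop every hit whose "file:lineno:content" matches an allowed pattern.
    remaining=$(printf '%s\n' "$hits" | grep -vE -f "$allowed" || true)
    [ -n "$remaining" ] || return 0
    printf '%s\n' "$remaining"
    echo "[ERROR] Matched one or more prohibited patterns" >&2
    return 1
}

# Stand-alone run over the whole constructed repo.
if scan_files "$WORK/rules-deny.txt" "$WORK/gitallowed" "$WORK"/repo/*; then
    echo "no prohibited patterns found"
else
    echo "commit would be blocked"
fi
```

Only the config.ini hit survives: the placeholder value is removed by the second allowed pattern and the tfstate hit by the path exclusion, which is the same reason a real .gitallowed entry silences a false positive without disabling the rule.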

Docker version

Alternatively, you might find this Dockerfile convenient, which:

  1. Copies your source code into a docker image
  2. Downloads the latest version of the secret scanner tool
  3. Downloads the latest regex patterns from software-engineering-quality-framework
  4. Runs a scan