From f32da006484947b57fc90c0092bbc31b2dec8b29 Mon Sep 17 00:00:00 2001 
From: Paul Balaji <10051819+paulbalaji@users.noreply.github.com> Date: Mon, 10 Feb 2025 21:43:20 +0000 Subject: [PATCH] feat: use gitleaks in pre-commit hook (#5419) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ### Description Add [gitleaks](https://github.com/gitleaks/gitleaks) to pre-commit hook with custom patterns for known RPC providers. Note, this will require every contributor to have `gitleaks` installed on their machine akin to `yq` or `jq`. ### Drive-by changes ### Related issues ### Backward compatibility ### Testing example of success: ``` git commit -m "feat: use gitleaks in pre-commit" 🔍 Checking for potential secrets in staged files... ○ │╲ │ ○ ○ ░ ░ gitleaks 2:47PM INF 1 commits scanned. 2:47PM INF scanned ~2224 bytes (2.22 KB) in 9.89ms 2:47PM INF no leaks found ✅ No secrets detected gs→ No staged files match any configured task. 📝 If you haven't yet, please add a changeset for your changes via 'yarn changeset' [pb/gitleaks 1b06f7376] feat: use gitleaks in pre-commit 2 files changed, 98 insertions(+) create mode 100644 .gitleaks.toml ``` example of failure if we're leaking secrets: ``` git commit -m "x" 🔍 Checking for potential secrets in staged files... 
○ │╲ │ ○ ○ ░ ░ gitleaks Finding: REDACTED Secret: REDACTED RuleID: alchemy-api-key Entropy: 5.141622 Tags: [key Alchemy] File: README.md Line: 13 Fingerprint: README.md:alchemy-api-key:13 Finding: REDACTED Secret: REDACTED RuleID: alchemy-api-key Entropy: 4.987016 Tags: [key Alchemy] File: README.md Line: 28 Fingerprint: README.md:alchemy-api-key:28 Finding: REDACTED Secret: REDACTED RuleID: ankr-api-key Entropy: 4.620332 Tags: [key Ankr] File: README.md Line: 14 Fingerprint: README.md:ankr-api-key:14 Finding: REDACTED Secret: REDACTED RuleID: ankr-api-key Entropy: 4.660415 Tags: [key Ankr] File: README.md Line: 24 Fingerprint: README.md:ankr-api-key:24 Finding: REDACTED Secret: REDACTED RuleID: tenderly-api-key Entropy: 4.877531 Tags: [key Tenderly] File: README.md Line: 15 Fingerprint: README.md:tenderly-api-key:15 Finding: REDACTED Secret: REDACTED RuleID: tenderly-api-key Entropy: 4.848919 Tags: [key Tenderly] File: README.md Line: 29 Fingerprint: README.md:tenderly-api-key:29 Finding: REDACTED Secret: REDACTED RuleID: quicknode-api-key Entropy: 4.936234 Tags: [key QuickNode] File: README.md Line: 16 Fingerprint: README.md:quicknode-api-key:16 Finding: REDACTED Secret: REDACTED RuleID: quicknode-api-key Entropy: 4.914179 Tags: [key QuickNode] File: README.md Line: 27 Fingerprint: README.md:quicknode-api-key:27 Finding: REDACTED Secret: REDACTED RuleID: drpc-api-key Entropy: 5.226190 Tags: [key DRPC] File: README.md Line: 17 Fingerprint: README.md:drpc-api-key:17 Finding: REDACTED Secret: REDACTED RuleID: drpc-api-key Entropy: 5.264358 Tags: [key DRPC] File: README.md Line: 26 Fingerprint: README.md:drpc-api-key:26 Finding: REDACTED Secret: REDACTED RuleID: dwellir-api-key Entropy: 4.688474 Tags: [key Dwellir] File: README.md Line: 18 Fingerprint: README.md:dwellir-api-key:18 Finding: REDACTED Secret: REDACTED RuleID: dwellir-api-key Entropy: 4.682899 Tags: [key Dwellir] File: README.md Line: 22 Fingerprint: README.md:dwellir-api-key:22 Finding: REDACTED Secret: 
REDACTED RuleID: startale-api-key Entropy: 4.937024 Tags: [key Startale] File: README.md Line: 19 Fingerprint: README.md:startale-api-key:19 Finding: REDACTED Secret: REDACTED RuleID: startale-api-key Entropy: 5.050642 Tags: [key Startale] File: README.md Line: 23 Fingerprint: README.md:startale-api-key:23 Finding: REDACTED Secret: REDACTED RuleID: grove-city-api-key Entropy: 4.653059 Tags: [key Grove City] File: README.md Line: 20 Fingerprint: README.md:grove-city-api-key:20 Finding: REDACTED Secret: REDACTED RuleID: grove-city-api-key Entropy: 4.612185 Tags: [key Grove City] File: README.md Line: 25 Fingerprint: README.md:grove-city-api-key:25 2:46PM INF 1 commits scanned. 2:46PM INF scanned ~1322 bytes (1.32 KB) in 11ms 2:46PM WRN leaks found: 16 ❌ Potential secrets detected in your changes! Please remove any secrets, credentials, or sensitive information before committing. husky - pre-commit hook exited with code 1 (error) ```
---
 .gitleaks.toml | 88 +++++++++++++++++++++++++++++++++++++++++++++++
 .husky/pre-commit | 10 ++++++
 README.md | 4 +++
 3 files changed, 102 insertions(+)
 create mode 100644 .gitleaks.toml
diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 0000000000..e065f2ee1b
--- /dev/null
+++ b/.gitleaks.toml
@@ -0,0 +1,88 @@
+# Global allowlist
+[allowlist]
+paths = [
+ '''node_modules''',
+ '''.git'''
+]
+
+# Custom rules
+[[rules]]
+id = "alchemy-api-key"
+description = "Alchemy API Key"
+regex = '''https://[a-zA-Z0-9-]+\.g\.alchemy\.com/v2/[a-zA-Z0-9_-]+'''
+keywords = [
+ "alchemy",
+ "alchemy.com"
+]
+tags = ["key", "Alchemy"]
+
+[[rules]]
+id = "ankr-api-key"
+description = "Ankr API Key"
+regex = '''https://rpc\.ankr\.com/[a-zA-Z0-9_-]+/[a-zA-Z0-9_-]+'''
+keywords = [
+ "ankr",
+ "rpc.ankr.com"
+]
+tags = ["key", "Ankr"]
+
+
+[[rules]]
+id = "tenderly-api-key"
+description = "Tenderly API Key"
+regex = '''https://[a-zA-Z0-9-]+\.gateway\.tenderly\.co/[a-zA-Z0-9_-]+'''
+keywords = [
+ "tenderly",
+ "gateway.tenderly.co"
+]
+tags = ["key", "Tenderly"]
+
+[[rules]]
+id = "quicknode-api-key"
+description = "QuickNode API Key"
+regex = '''https://[a-zA-Z0-9-]+\.[a-zA-Z0-9-]+\.quiknode\.pro/[a-zA-Z0-9]+'''
+keywords = [
+ "quiknode",
+ "quiknode.pro"
+]
+tags = ["key", "QuickNode"]
+
+[[rules]]
+id = "drpc-api-key"
+description = "DRPC API Key"
+regex = '''https://lb\.drpc\.org/[a-zA-Z0-9]+\?.*dkey=[a-zA-Z0-9]+'''
+keywords = [
+ "drpc",
+ "drpc.org"
+]
+tags = ["key", "DRPC"]
+
+[[rules]]
+id = "dwellir-api-key"
+description = "Dwellir API Key"
+regex = '''https://api-.*\.dwellir\.com/[a-zA-Z0-9-]+'''
+keywords = [
+ "dwellir",
+ "dwellir.com"
+]
+tags = ["key", "Dwellir"]
+
+[[rules]]
+id = "startale-api-key"
+description = "Startale API Key"
+regex = '''https://[a-zA-Z0-9.-]+\.startale\.com.*\?apikey=[a-zA-Z0-9]+'''
+keywords = [
+ "startale",
+ "startale.com"
+]
+tags = ["key", "Startale"]
+
+[[rules]]
+id = "grove-city-api-key"
+description = "Grove City API Key"
+regex = '''https://[a-zA-Z0-9-]+\.rpc\.grove\.city/v1/[a-zA-Z0-9]+'''
+keywords = [
+ "grove",
+ "grove.city"
+]
+tags = ["key", "Grove City"]
diff --git a/.husky/pre-commit b/.husky/pre-commit
index 9edc7156ee..49f096ef27 100755
--- a/.husky/pre-commit
+++ b/.husky/pre-commit
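Review bot: The config in this hunk defines only the eight RPC-provider rules and never extends gitleaks's built-in rule set, so once the hook passes `--config .gitleaks.toml` the generic secrets the defaults cover (private keys, cloud and GitHub tokens, and so on) are no longer scanned for at all; add `[extend]` followed by `useDefault = true` at the top of the file so the custom rules add to the defaults instead of replacing them. The `[allowlist] paths` entries are regular expressions and appear to be matched unanchored against the path, so `'''.git'''` also excludes `.github/` workflow files, `.gitignore` and `.gitleaks.toml` itself from scanning, and `'''node_modules'''` matches that string anywhere in a path; `'''(^|/)\.git/'''` and `'''(^|/)node_modules/'''` would limit the exclusions to the intended directories. A short comment above `[allowlist]` noting that the entries are regexes, not literal paths, would stop the next rule from repeating the mistake. The double blank line between the Ankr and Tenderly rules is a minor formatting nit.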
@@ -1,6 +1,16 @@
 #!/usr/bin/env sh
 . "$(dirname -- "$0")/_/husky.sh"
 
+# Check for potential secrets in staged files
+echo "🔍 Checking for potential secrets in staged files..."
+if git diff --cached --name-only | xargs gitleaks protect --staged --verbose --redact --config .gitleaks.toml; then
+ echo "✅ No secrets detected"
+else
+ echo "❌ Potential secrets detected in your changes!"
+ echo "Please remove any secrets, credentials, or sensitive information before committing."
+ exit 1
+fi
+
 yarn lint-staged
 
 echo "📝 If you haven't yet, please add a changeset for your changes via 'yarn changeset'"
diff --git a/README.md b/README.md
index 481d0b9060..d2c8215e37 100644
--- a/README.md
+++ b/README.md
@@ -32,6 +32,10 @@ To read more about interchain applications, how the protocol works, and how to i
 
 You need `jq` installed on your machine. You can download it from [official page](https://jqlang.github.io/jq/download/) or use a package manager of your choice.
 
+#### Install `gitleaks`
+
+You need `gitleaks` installed on your machine. You can download it from [official page](https://github.com/gitleaks/gitleaks) or use a package manager of your choice.
+
 #### Foundry
 
 First ensure you have Foundry installed on your machine.
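Review bot: The `if git diff --cached --name-only | xargs gitleaks protect --staged ...` line in the pre-commit hunk treats every non-zero exit as a leak, so a contributor without `gitleaks` on PATH (xargs fails with "command not found") or a gitleaks runtime error is reported as "Potential secrets detected" rather than as a broken hook; the README hunk in this commit makes installation a manual step, so this case will happen. The `git diff --cached --name-only | xargs` pipe also looks redundant: `--staged` already has gitleaks read the staged diff from git, the file names become positional arguments that `gitleaks protect` does not appear to use (the success example in the description ran with two staged files and reports only the commit scan), and on BSD xargs an empty input skips running gitleaks entirely. I would check for the binary first and invoke gitleaks directly, as below. Newer gitleaks releases also flag `protect` as deprecated in favour of `gitleaks git --pre-commit --staged`, so the invocation may need revisiting depending on the version contributors install.
```shell
# … unchanged: shebang and husky.sh source …
echo "🔍 Checking for potential secrets in staged files..."
if ! command -v gitleaks >/dev/null 2>&1; then
  echo "❌ gitleaks is not installed; see 'Install gitleaks' in README.md"
  exit 1
fi
if gitleaks protect --staged --verbose --redact --config .gitleaks.toml; then
# … unchanged: success/failure echo branches, exit 1 and fi …
```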