Wave secrets protections on select files/scripts

The baseline gitleaks data is unfortunately commit-locked, meaning small changes to files due to (for example) rebases, can render them useless. Manually go through all findings and where possible mark lines to be ignored directly. In a few cases where secrets are used in tests, mark them to be ignored via a new `.gitleaksignore` file. This will hopefully cut way down on the number of false-positive alerts that require review. Note: I intentionally did not wave checks in the `.cirrus.yml` file as it's currently going through a large number of changes. I'll leave it up to a future followup commit to mark known/approved secret references in this file. [NO NEW TESTS NEEDED] Signed-off-by: Chris Evich <[email protected]>
cevich · Feb 8, 2024 · ae7a074 · ae7a074
1 parent f861623
commit ae7a074
Show file tree

Hide file tree

Showing 11 changed files with 100 additions and 78 deletions.
diff --git a/.github/actions/check_cirrus_cron/lib.sh b/.github/actions/check_cirrus_cron/lib.sh
@@ -63,17 +63,22 @@ gql() {
         msg "::error file=${BASH_SOURCE[1]},line=${BASH_LINENO[0]}::Invalid query JSON: $query"
         return 1
     fi
-    # SECRET_CIRRUS_API_KEY is defined github secret
+
+    local -a _curl_cmd
+    # ...API_KEY is pre-defined github secret
     # shellcheck disable=SC2154
-    if output=$(curl \
-              --request POST \
-              --silent \
-              --show-error \
-              --location \
-              --header 'content-type: application/json' \
-              --header "Authorization: Bearer $SECRET_CIRRUS_API_KEY" \
-              --url 'https://api.cirrus-ci.com/graphql' \
-              --data "$query") && [[ -n "$output" ]]; then
+    _curl_cmd=(
+        curl
+        --request POST
+        --silent
+        --show-error
+        --location
+        --header 'content-type: application/json'
+        --header "Authorization: Bearer $SECRET_CIRRUS_API_KEY" # gitleaks:allow
+        --url 'https://api.cirrus-ci.com/graphql'
+        --data "$query"
+    )
+    if output=$("${_curl_cmd[@]}") && [[ -n "$output" ]]; then
 
         if filtered=$(jq -e "$filter" <<<"$output") && [[ -n "$filtered" ]]; then
             msg "result:"

diff --git a/.github/actions/check_cirrus_cron/rerun_failed_tasks.sh b/.github/actions/check_cirrus_cron/rerun_failed_tasks.sh
@@ -9,7 +9,7 @@ set -eo pipefail
 # HOW TO TEST:  This script may be manually tested assuming you have
 # access to the github containers-org. Cirrus API key.  With that in-hand,
 # this script may be manually run by:
-# 1. export SECRET_CIRRUS_API_KEY=<value>
+# 1. export SECRET_CIRRUS_API_KEY=<value>  # gitleaks:allow
 # 2. Find an old podman build that failed on `main` or another **branch**.
 #    For example, from https://cirrus-ci.com/github/containers/podman/main
 #    (pick an old one from the bottom, since re-running it won't affect anybody)
@@ -27,8 +27,8 @@ source $(dirname "${BASH_SOURCE[0]}")/lib.sh
 _errfmt="Expecting %s value to not be empty"
 # ID_NAME_FILEPATH is defined by workflow YAML
 # shellcheck disable=SC2154
-if [[ -z "$SECRET_CIRRUS_API_KEY" ]]; then
-    err $(printf "$_errfmt" "\$SECRET_CIRRUS_API_KEY")
+if [[ -z "$SECRET_CIRRUS_API_KEY" ]]; then  # gitleaks:allow
+    err $(printf "$_errfmt" "\$SECRET_CIRRUS_API_KEY")  #gitleaks:allow
 elif [[ ! -r "$ID_NAME_FILEPATH" ]]; then  # output from cron_failures.sh
     err $(printf "Expecting %s value to be a readable file" "\$ID_NAME_FILEPATH")
 fi

diff --git a/.github/actions/check_cirrus_cron/test.sh b/.github/actions/check_cirrus_cron/test.sh
@@ -87,7 +87,7 @@ fi
 #####
 
 msg "$header rerun_failed_tasks.sh"
-export SECRET_CIRRUS_API_KEY=testing-nottherightkey
+export SECRET_CIRRUS_API_KEY="testing-nottherightkey"  # gitleaks:allow
 # test.sh is sensitive to the 'testing' name.  Var. defined by cirrus-ci
 # shellcheck disable=SC2154
 echo "$CIRRUS_BUILD_ID test cron job name" > "$ID_NAME_FILEPATH"

diff --git a/.github/workflows/check_cirrus_cron.yml b/.github/workflows/check_cirrus_cron.yml
@@ -18,15 +18,15 @@ on:
     # Ref: https://docs.github.com/en/actions/using-workflows/reusing-workflows
     workflow_call:
       secrets:
-        SECRET_CIRRUS_API_KEY:
+        SECRET_CIRRUS_API_KEY:  # gitleaks:allow
           required : true
-        ACTION_MAIL_SERVER:
+        ACTION_MAIL_SERVER:     # gitleaks:allow
           required: true
-        ACTION_MAIL_USERNAME:
+        ACTION_MAIL_USERNAME:   # gitleaks:allow
           required: true
-        ACTION_MAIL_PASSWORD:
+        ACTION_MAIL_PASSWORD:   # gitleaks:allow
           required: true
-        ACTION_MAIL_SENDER:
+        ACTION_MAIL_SENDER:     # gitleaks:allow
           required: true
 
 env:
@@ -63,13 +63,13 @@ jobs:
               # Ref: https://github.com/dawidd6/action-send-mail
               uses: dawidd6/[email protected]
               with:
-                server_address: ${{secrets.ACTION_MAIL_SERVER}}
+                server_address: ${{secrets.ACTION_MAIL_SERVER}}  # gitleaks:allow
                 server_port: 465
-                username: ${{secrets.ACTION_MAIL_USERNAME}}
-                password: ${{secrets.ACTION_MAIL_PASSWORD}}
+                username: ${{secrets.ACTION_MAIL_USERNAME}}      # gitleaks:allow
+                password: ${{secrets.ACTION_MAIL_PASSWORD}}      # gitleaks:allow
                 subject: Cirrus-CI cron build failures on ${{github.repository}}
                 to: ${{env.RCPTCSV}}
-                from: ${{secrets.ACTION_MAIL_SENDER}}
+                from: ${{secrets.ACTION_MAIL_SENDER}}            # gitleaks:allow
                 body: file://./artifacts/email_body.txt
 
             - if: always()
@@ -82,11 +82,11 @@ jobs:
               name: Send error notification e-mail
               uses: dawidd6/[email protected]
               with:
-                server_address: ${{secrets.ACTION_MAIL_SERVER}}
+                server_address: ${{secrets.ACTION_MAIL_SERVER}}  # gitleaks:allow
                 server_port: 465
-                username: ${{secrets.ACTION_MAIL_USERNAME}}
-                password: ${{secrets.ACTION_MAIL_PASSWORD}}
+                username: ${{secrets.ACTION_MAIL_USERNAME}}      # gitleaks:allow
+                password: ${{secrets.ACTION_MAIL_PASSWORD}}      # gitleaks:allow
                 subject: Github workflow error on ${{github.repository}}
                 to: ${{env.RCPTCSV}}
-                from: ${{secrets.ACTION_MAIL_SENDER}}
+                from: ${{secrets.ACTION_MAIL_SENDER}}            # gitleaks:allow
                 body: "Job failed: https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}"
diff --git a/.github/workflows/discussion_lock.yml b/.github/workflows/discussion_lock.yml
@@ -11,13 +11,13 @@ on:
   # Ref: https://docs.github.com/en/actions/using-workflows/reusing-workflows
   workflow_call:
     secrets:
-      ACTION_MAIL_SERVER:
+      ACTION_MAIL_SERVER:   # gitleaks:allow
         required: true
-      ACTION_MAIL_USERNAME:
+      ACTION_MAIL_USERNAME: # gitleaks:allow
         required: true
-      ACTION_MAIL_PASSWORD:
+      ACTION_MAIL_PASSWORD: # gitleaks:allow
         required: true
-      ACTION_MAIL_SENDER:
+      ACTION_MAIL_SENDER:   # gitleaks:allow
         required: true
   # Debug: Allow triggering job manually in github-actions WebUI
   workflow_dispatch: {}
@@ -58,11 +58,11 @@ jobs:
         name: Send job failure notification e-mail
         uses: dawidd6/[email protected]
         with:
-          server_address: ${{secrets.ACTION_MAIL_SERVER}}
+          server_address: ${{secrets.ACTION_MAIL_SERVER}}  # gitleaks:allow
           server_port: 465
-          username: ${{secrets.ACTION_MAIL_USERNAME}}
-          password: ${{secrets.ACTION_MAIL_PASSWORD}}
+          username: ${{secrets.ACTION_MAIL_USERNAME}}      # gitleaks:allow
+          password: ${{secrets.ACTION_MAIL_PASSWORD}}      # gitleaks:allow
           subject: Github workflow error on ${{github.repository}}
           to: [email protected]
-          from: ${{secrets.ACTION_MAIL_SENDER}}
+          from: ${{secrets.ACTION_MAIL_SENDER}}            # gitleaks:allow
           body: "Job failed: https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}"
diff --git a/.github/workflows/fcos-podman-next-build.yml b/.github/workflows/fcos-podman-next-build.yml
@@ -93,5 +93,5 @@ jobs:
         image: ${{ env.IMAGE_NAME }}
         tags: ${{ steps.build_image_multiarch.outputs.tags }}
         registry: ${{ env.IMAGE_REGISTRY }}
-        username: ${{ secrets.QUAY_PODMAN_USERNAME }}
-        password: ${{ secrets.QUAY_PODMAN_PASSWORD }}
+        username: ${{ secrets.QUAY_PODMAN_USERNAME }}  # gitleaks:allow
+        password: ${{ secrets.QUAY_PODMAN_PASSWORD }}  # gitleaks:allow
diff --git a/.github/workflows/mac-pkg.yml b/.github/workflows/mac-pkg.yml
@@ -24,15 +24,15 @@ jobs:
   build:
     runs-on: macos-latest
     env:
-      APPLICATION_CERTIFICATE: ${{ secrets.MACOS_APPLICATION_CERT }}
-      CODESIGN_IDENTITY: ${{ secrets.MACOS_APPLICATION_IDENTITY }}
-      INSTALLER_CERTIFICATE: ${{ secrets.MACOS_INSTALLER_CERT }}
-      PRODUCTSIGN_IDENTITY: ${{ secrets.MACOS_INSTALLER_IDENTITY }}
-      CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
+      APPLICATION_CERTIFICATE: ${{ secrets.MACOS_APPLICATION_CERT }}  # gitleaks:allow
+      CODESIGN_IDENTITY: ${{ secrets.MACOS_APPLICATION_IDENTITY }}    # gitleaks:allow
+      INSTALLER_CERTIFICATE: ${{ secrets.MACOS_INSTALLER_CERT }}      # gitleaks:allow
+      PRODUCTSIGN_IDENTITY: ${{ secrets.MACOS_INSTALLER_IDENTITY }}   # gitleaks:allow
+      CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}           # gitleaks:allow
 
-      NOTARIZE_TEAM: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
-      NOTARIZE_USERNAME: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}
-      NOTARIZE_PASSWORD: ${{ secrets.MACOS_NOTARIZATION_PWD }}
+      NOTARIZE_TEAM: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}        # gitleaks:allow
+      NOTARIZE_USERNAME: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}   # gitleaks:allow
+      NOTARIZE_PASSWORD: ${{ secrets.MACOS_NOTARIZATION_PWD }}        # gitleaks:allow
 
       KEYCHAIN_PWD: ${{ secrets.MACOS_CI_KEYCHAIN_PWD }}
     steps:
@@ -106,17 +106,17 @@ jobs:
         steps.check.outputs.buildarm == 'true' ||
         steps.actual_dryrun.outputs.dryrun == 'true'
       run: |
-        echo $APPLICATION_CERTIFICATE | base64 --decode -o appcert.p12
-        echo $INSTALLER_CERTIFICATE | base64 --decode -o instcert.p12
+        echo $APPLICATION_CERTIFICATE | base64 --decode -o appcert.p12  # gitleaks:allow
+        echo $INSTALLER_CERTIFICATE | base64 --decode -o instcert.p12   # gitleaks:allow
 
         security create-keychain -p "$KEYCHAIN_PWD" build.keychain
         security default-keychain -s build.keychain
         security unlock-keychain -p "$KEYCHAIN_PWD" build.keychain
-        security import appcert.p12 -k build.keychain -P "$CERTIFICATE_PWD" -T /usr/bin/codesign
-        security import instcert.p12 -k build.keychain -P "$CERTIFICATE_PWD" -T /usr/bin/productsign
+        security import appcert.p12 -k build.keychain -P "$CERTIFICATE_PWD" -T /usr/bin/codesign     # gitleaks:allow
+        security import instcert.p12 -k build.keychain -P "$CERTIFICATE_PWD" -T /usr/bin/productsign # gitleaks:allow
         security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PWD" build.keychain &> /dev/null
 
-        xcrun notarytool store-credentials "notarytool-profile" --apple-id "$NOTARIZE_USERNAME" --team-id "$NOTARIZE_TEAM" --password "$NOTARIZE_PASSWORD" &> /dev/null
+        xcrun notarytool store-credentials "notarytool-profile" --apple-id "$NOTARIZE_USERNAME" --team-id "$NOTARIZE_TEAM" --password "$NOTARIZE_PASSWORD" &> /dev/null  # gitleaks:allow
     - name: Build and Sign ARM
       if: steps.check.outputs.buildarm == 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
       working-directory: contrib/pkginstaller

diff --git a/.github/workflows/rerun_cirrus_cron.yml b/.github/workflows/rerun_cirrus_cron.yml
@@ -17,15 +17,15 @@ on:
     # Ref: https://docs.github.com/en/actions/using-workflows/reusing-workflows
     workflow_call:
       secrets:
-        SECRET_CIRRUS_API_KEY:
+        SECRET_CIRRUS_API_KEY:  # gitleaks:allow
           required : true
-        ACTION_MAIL_SERVER:
+        ACTION_MAIL_SERVER:     # gitleaks:allow
           required: true
-        ACTION_MAIL_USERNAME:
+        ACTION_MAIL_USERNAME:   # gitleaks:allow
           required: true
-        ACTION_MAIL_PASSWORD:
+        ACTION_MAIL_PASSWORD:   # gitleaks:allow
           required: true
-        ACTION_MAIL_SENDER:
+        ACTION_MAIL_SENDER:     # gitleaks:allow
           required: true
 
 env:
@@ -56,7 +56,7 @@ jobs:
             - if: steps.cron.outputs.failures > 0
               shell: bash
               env:
-                SECRET_CIRRUS_API_KEY: ${{ secrets.SECRET_CIRRUS_API_KEY }}
+                SECRET_CIRRUS_API_KEY: ${{ secrets.SECRET_CIRRUS_API_KEY }}  # gitleaks:allow
               run: './.github/actions/check_cirrus_cron/rerun_failed_tasks.sh'
 
             - uses: actions/upload-artifact@v4
@@ -68,11 +68,11 @@ jobs:
               name: Send error notification e-mail
               uses: dawidd6/[email protected]
               with:
-                server_address: ${{secrets.ACTION_MAIL_SERVER}}
+                server_address: ${{secrets.ACTION_MAIL_SERVER}}  # gitleaks:allow
                 server_port: 465
-                username: ${{secrets.ACTION_MAIL_USERNAME}}
-                password: ${{secrets.ACTION_MAIL_PASSWORD}}
+                username: ${{secrets.ACTION_MAIL_USERNAME}}      # gitleaks:allow
+                password: ${{secrets.ACTION_MAIL_PASSWORD}}      # gitleaks:allow
                 subject: Github workflow error on ${{github.repository}}
                 to: ${{env.RCPTCSV}}
-                from: ${{secrets.ACTION_MAIL_SENDER}}
+                from: ${{secrets.ACTION_MAIL_SENDER}}            # gitleaks:allow
                 body: "Job failed: https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}"
diff --git a/.github/workflows/upload-win-installer.yml b/.github/workflows/upload-win-installer.yml
@@ -94,11 +94,11 @@ jobs:
       if: steps.Check.outputs.already-exists != 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
       run: |
           dotnet tool install --global AzureSignTool --version 3.0.0
-          echo "CERT_NAME=${{secrets.AZ_CERT_NAME}}" | Out-File -FilePath $env:GITHUB_ENV -Append
-          echo "VAULT_ID=${{secrets.AZ_VAULT_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append
-          echo "APP_ID=${{secrets.AZ_APP_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append
-          echo "TENANT_ID=${{secrets.AZ_TENANT_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append
-          echo "CLIENT_SECRET=${{secrets.AZ_CLIENT_SECRET}}" | Out-File -FilePath $env:GITHUB_ENV -Append
+          echo "CERT_NAME=${{secrets.AZ_CERT_NAME}}" | Out-File -FilePath $env:GITHUB_ENV -Append  # gitleaks:allow
+          echo "VAULT_ID=${{secrets.AZ_VAULT_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append    # gitleaks:allow
+          echo "APP_ID=${{secrets.AZ_APP_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append        # gitleaks:allow
+          echo "TENANT_ID=${{secrets.AZ_TENANT_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append  # gitleaks:allow
+          echo "CLIENT_SECRET=${{secrets.AZ_CLIENT_SECRET}}" | Out-File -FilePath $env:GITHUB_ENV -Append  # gitleaks:allow
     - name: Build
       id: build
       if: steps.check.outputs.already-exists != 'true' || steps.actual_dryrun.outputs.dryrun == 'true'

diff --git a/.gitleaksignore b/.gitleaksignore
@@ -0,0 +1,22 @@
+36e29a843205e05acedd65b559757a49ffbdd19a:pkg/auth/auth_test.go:generic-api-key:17
+36e29a843205e05acedd65b559757a49ffbdd19a:pkg/auth/auth_test.go:generic-api-key:18
+36e29a843205e05acedd65b559757a49ffbdd19a:pkg/auth/auth_test.go:generic-api-key:19
+36e29a843205e05acedd65b559757a49ffbdd19a:pkg/auth/auth_test.go:generic-api-key:20
+36e29a843205e05acedd65b559757a49ffbdd19a:test/certs/domain.key:private-key:1
+36e29a843205e05acedd65b559757a49ffbdd19a:test/e2e/login_logout_test.go:generic-api-key:525
+36e29a843205e05acedd65b559757a49ffbdd19a:test/e2e/login_logout_test.go:generic-api-key:526
+36e29a843205e05acedd65b559757a49ffbdd19a:test/e2e/login_logout_test.go:generic-api-key:572
+36e29a843205e05acedd65b559757a49ffbdd19a:test/e2e/login_logout_test.go:generic-api-key:573
+36e29a843205e05acedd65b559757a49ffbdd19a:test/e2e/login_logout_test.go:generic-api-key:574
+36e29a843205e05acedd65b559757a49ffbdd19a:test/e2e/testdata/sigstore-key.key:private-key:1
+71b3437a814f7b6252fbfd568e3eaef182dd308a:pkg/auth/auth_test.go:generic-api-key:17
+71b3437a814f7b6252fbfd568e3eaef182dd308a:pkg/auth/auth_test.go:generic-api-key:18
+71b3437a814f7b6252fbfd568e3eaef182dd308a:pkg/auth/auth_test.go:generic-api-key:19
+71b3437a814f7b6252fbfd568e3eaef182dd308a:pkg/auth/auth_test.go:generic-api-key:20
+71b3437a814f7b6252fbfd568e3eaef182dd308a:test/e2e/login_logout_test.go:generic-api-key:525
+71b3437a814f7b6252fbfd568e3eaef182dd308a:test/e2e/login_logout_test.go:generic-api-key:526
+71b3437a814f7b6252fbfd568e3eaef182dd308a:test/e2e/login_logout_test.go:generic-api-key:572
+71b3437a814f7b6252fbfd568e3eaef182dd308a:test/e2e/login_logout_test.go:generic-api-key:573
+71b3437a814f7b6252fbfd568e3eaef182dd308a:test/e2e/login_logout_test.go:generic-api-key:574
+71b3437a814f7b6252fbfd568e3eaef182dd308a:test/e2e/play_kube_test.go:generic-api-key:57
+71b3437a814f7b6252fbfd568e3eaef182dd308a:test/e2e/testdata/sigstore-key.key:private-key:1
diff --git a/contrib/cirrus/runner.sh b/contrib/cirrus/runner.sh
@@ -169,7 +169,7 @@ function _run_swagger() {
     local upload_bucket
     local download_url
     local envvarsfile
-    req_env_vars GCPJSON GCPNAME GCPPROJECT CTR_FQIN
+    req_env_vars GCPJSON GCPNAME GCPPROJECT CTR_FQIN  # gitleaks:allow
 
     [[ -x /usr/local/bin/swagger ]] || \
         die "Expecting swagger binary to be present and executable."
@@ -203,25 +203,20 @@ function _run_swagger() {
     # Cirrus-CI Artifact instruction expects file here
     cp -v $GOSRC/pkg/api/swagger.yaml ./
 
-    envvarsfile=$(mktemp -p '' .tmp_$(basename $0)_XXXXXXXX)
-    trap "rm -f $envvarsfile" EXIT  # contains secrets
-    # Warning: These values must _not_ be quoted, podman will not remove them.
     #shellcheck disable=SC2154
-    cat <<eof >>$envvarsfile
-GCPJSON=$GCPJSON
-GCPNAME=$GCPNAME
-GCPPROJECT=$GCPPROJECT
-FROM_FILEPATH=$GOSRC/swagger.yaml
-TO_GCSURI=gs://$upload_bucket/$upload_filename
-eof
+    export FROM_FILEPATH=$GOSRC/swagger.yaml
+
+    #shellcheck disable=SC2154
+    export TO_GCSURI=gs://$upload_bucket/$upload_filename
 
     msg "Waiting for backgrounded podman pull to complete..."
     wait %%
     showrun bin/podman run -it --rm --security-opt label=disable \
-        --env-file=$envvarsfile \
         -v $GOSRC:$GOSRC:ro \
         --workdir $GOSRC \
-        $CTR_FQIN
+        -e FROM_FILEPATH \
+        -e TO_GCSURI \
+        -e GCPJSON -e GCPNAME -e GCPPROJECT $CTR_FQIN  # gitleaks:allow
     rm -f $envvarsfile
 }