HelpersTask622_gitleaks_doesnt_run_in_submodules_2 #664

Open: wants to merge 9 commits into base: master
2 changes: 1 addition & 1 deletion .github/workflows/gitleaks.yml
Expand Up @@ -39,4 +39,4 @@ jobs:
GITLEAKS_ENABLE_COMMENTS: false
GITLEAKS_ENABLE_SUMMARY: true
GITLEAKS_ENABLE_UPLOAD_ARTIFACT: false
GITLEAKS_CONFIG: .github/gitleaks-rules.toml
GITLEAKS_CONFIG: ./dev_scripts_helpers/git/gitleaks/gitleaks-rules.toml
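Review bot: the new `GITLEAKS_CONFIG: ./dev_scripts_helpers/git/gitleaks/gitleaks-rules.toml` is resolved from the workflow's checkout root, so it only holds when this workflow runs inside the helpers repo itself; in a superproject that carries helpers as a submodule the file sits under the submodule path, which is exactly the case the `check_gitleaks` hook in `utils.py` handles with `os.path.relpath(helpers_root_dir, git_root_dir)`. Either state in the workflow that it is helpers-only or derive the path the same way the hook does. Also confirm the old `.github/gitleaks-rules.toml` is deleted in this PR, so the hook and the workflow cannot drift onto two different rule sets.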
30 changes: 12 additions & 18 deletions dev_scripts_helpers/git/git_hooks/utils.py
Expand Up @@ -4,7 +4,6 @@
import dev_scripts_helpers.git.git_hooks.utils as dshgghout
"""

# NOTE: This file should depend only on Python standard libraries.
import compileall
import inspect
import logging
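Review bot: removing `# NOTE: This file should depend only on Python standard libraries.` is a design change rather than a comment cleanup, and nothing in the hunk records the new contract. The module docstring above, which already documents the `import dev_scripts_helpers.git.git_hooks.utils as dshgghout` convention, should state that the hooks now require the `helpers` package to be importable (i.e. an activated thin client), so nobody reintroduces the stdlib-only assumption or installs the hooks in an environment where they cannot run.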
Expand All @@ -15,6 +14,8 @@
import sys
from typing import Any, List, Optional, Tuple

import helpers.hgit as hgit

_LOG = logging.getLogger(__name__)

# TODO(gp): Check these hooks
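Review bot: `import helpers.hgit as hgit` at module level makes every hook in this file, not only `check_gitleaks`, fail with an `ImportError` traceback whenever git is invoked outside the activated thin client (an IDE's git integration, a bare shell). Consider guarding the import and turning the failure into an actionable message, e.g. `except ImportError: sys.exit("helpers not importable: activate the thin client before committing")`, so the hook still blocks the commit but tells the user why.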
Expand Down Expand Up @@ -468,29 +469,22 @@ def check_python_compile(
# #############################################################################


def get_git_root_dir() -> str:
"""
Return the absolute path to the outermost Git repository root.

If inside a Git submodule, this returns the parent (superproject)
root. Otherwise, it returns the current repository's root.

:return: absolute path to the outermost Git repository root
"""
cmd = "git rev-parse --show-superproject-working-tree --show-toplevel | head -n1"
_, git_root_dir = _system_to_string(cmd)
git_root_dir = git_root_dir.strip()
return git_root_dir


def check_gitleaks(abort_on_error: bool = True) -> None:
"""
Check that the code does not contain any leaked secrets.
"""
func_name = _report()
git_root_dir = get_git_root_dir()
# Find relative path from the git root to the helpers root.
git_root_dir = hgit.find_git_root()
helpers_root_dir = hgit.find_helpers_root()
Contributor Author

@heanhsok heanhsok May 5, 2025
  • I realize we'll be copying a lot of code from hgit for these two functions
  • Since Git hooks are now installed and run after our thin client is activated, should we consider using the helpers module?
  • This script is already somewhat coupled to the helpers, especially with the introduction of the gitleaks config path in dev_script_XYZ dir
  • To keep things decoupled, we can also just copy all the functions needed (although a lot of code) as well

WDYT? @gpsaggese

Contributor
Agree. Let's just import helpers and embrace the fact that a piece of the infra checking the code depends on the code itself.

In an ideal world the git hooks should be a prod container (like the linter), but it is too paranoid

rel_path = os.path.relpath(helpers_root_dir, git_root_dir)
# Find the gitleaks config file.
config_path = os.path.join(
"/app", rel_path, "dev_scripts_helpers/git/gitleaks"
)
config_path = os.path.normpath(config_path)
cmd = f"""
docker run -v {git_root_dir}:/app zricethezav/gitleaks:latest -c /app/.github/gitleaks-rules.toml git /app --pre-commit --staged --verbose
docker run -v {git_root_dir}:/app zricethezav/gitleaks:latest -c {config_path}/gitleaks-rules.toml git /app --pre-commit --staged --verbose
"""
_LOG.debug("cmd='%s'", cmd)
rc, txt = _system_to_string(cmd, abort_on_error=False)
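Review bot: `rel_path = os.path.relpath(helpers_root_dir, git_root_dir)` assumes `helpers_root_dir` lies under `git_root_dir`; if `hgit.find_git_root()` returns a root that does not contain the helpers checkout, `rel_path` starts with `..`, `os.path.normpath` resolves `config_path` outside the `/app` mount, and gitleaks fails to open its config inside the container. Add a check such as `assert not rel_path.startswith(".."), rel_path` before building `config_path`. Two smaller points on the same lines: `git_root_dir` is interpolated unquoted into `docker run -v {git_root_dir}:/app`, so a checkout path containing spaces breaks the command (`shlex.quote(git_root_dir)` fixes that), and the deleted `get_git_root_dir()` docstring spelled out the superproject-vs-submodule behaviour while the surviving `check_gitleaks` docstring says nothing about which root is scanned, which is precisely the behaviour this PR changes.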