Create detect-secrets action (#1)

.github/renovate.json

@@ -0,0 +1,8 @@
+{
+  "extends": [
+    "config:base"
+  ],
+  "labels": [
+    "bump:patch"
+  ]
+}

.github/workflows/depup.yml

@@ -0,0 +1,34 @@
+---
+name: depup
+
+on:
+  schedule:
+  - cron:  '14 14 * * *' # Runs at 14:14 UTC every day
+  repository_dispatch:
+    types: [depup]
+
+jobs:
+  reviewdog:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - uses: haya14busa/action-depup@v1
+      id: depup
+      with:
+        file: Dockerfile
+        version_name: REVIEWDOG_VERSION
+        repo: reviewdog/reviewdog
+
+    - name: Create Pull Request
+      uses: peter-evans/create-pull-request@v3
+      with:
+        token: ${{ secrets.GITHUB_TOKEN }}
+        title: "chore(deps): update reviewdog to ${{ steps.depup.outputs.latest }}"
+        commit-message: "chore(deps): update reviewdog to ${{ steps.depup.outputs.latest }}"
+        body: |
+          Update reviewdog to [v${{ steps.depup.outputs.latest }}](https://github.com/reviewdog/reviewdog/releases/tag/v${{ steps.depup.outputs.latest }})
+          Compare [v${{ steps.depup.outputs.current }}...v${{ steps.depup.outputs.latest }}](https://github.com/reviewdog/reviewdog/compare/v${{ steps.depup.outputs.current }}...v${{ steps.depup.outputs.latest }})
+          This PR is auto generated by [depup workflow](https://github.com/${{ github.repository }}/actions?query=workflow%3Adepup).
+        branch: depup/reviewdog
+        base: master
+        labels: "bump:minor"

.github/workflows/dockerimage.yml

@@ -0,0 +1,16 @@
+---
+name: dockerimage
+
+on:
+  push:
+    branches:
+    - master
+  pull_request:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: Build the Docker image
+      run: docker build . --file Dockerfile --tag reviewdog-detect-secrets:$(date +%s)

.github/workflows/release.yml

@@ -0,0 +1,61 @@
+---
+name: release
+
+on:
+  push:
+    branches:
+    - master
+    tags:
+    - v*.*.*
+  pull_request:
+    types:
+    - labeled
+
+jobs:
+  release:
+    if: github.event.action != 'labeled'
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+
+    # Bump version on merging Pull Requests with specific labels.
+    # (bump:major,bump:minor,bump:patch)
+    - id: bumpr
+      if: "!startsWith(github.ref, 'refs/tags/')"
+      uses: haya14busa/action-bumpr@v1
+
+    # Update corresponding major and minor tag.
+    # e.g. Update v1 and v1.2 when releasing v1.2.3
+    - uses: haya14busa/action-update-semver@v1
+      if: "!steps.bumpr.outputs.skip"
+      with:
+        tag: ${{ steps.bumpr.outputs.next_version }}
+
+    # Get tag name.
+    - id: tag
+      uses: haya14busa/action-cond@v1
+      with:
+        cond: "${{ startsWith(github.ref, 'refs/tags/') }}"
+        if_true: ${{ github.ref }}
+        if_false: ${{ steps.bumpr.outputs.next_version }}
+
+    # Create release.
+    - uses: actions/create-release@v1
+      if: "steps.tag.outputs.value != ''"
+      env:
+        # This token is provided by Actions, you do not need to create your own token
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        tag_name: ${{ steps.tag.outputs.value }}
+        release_name: Release ${{ steps.tag.outputs.value }}
+        body: ${{ steps.bumpr.outputs.message }}
+        draft: false
+        prerelease: false
+
+  release-check:
+    if: github.event.action == 'labeled'
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: Post bumpr status comment
+      uses: haya14busa/action-bumpr@v1

.github/workflows/reviewdog.yml

@@ -0,0 +1,17 @@
+---
+name: reviewdog
+
+on:
+  pull_request:
+
+jobs:
+  detect-secrets:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: detect-secrets
+      uses: ./
+      with:
+        github_token: ${{ secrets.github_token }}
+        reporter: github-pr-review
+        workdir: ./testdata

.github/workflows/update-semver.yml

@@ -0,0 +1,18 @@
+---
+name: update-semver
+
+on:
+  push:
+    branches-ignore:
+    - "**"
+    tags:
+    - v*.*.*
+
+jobs:
+  runner:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - uses: haya14busa/action-update-semver@v1
+      with:
+        github_token: ${{ secrets.github_token }}

Dockerfile

@@ -0,0 +1,19 @@
+# syntax=docker/dockerfile:experimental
+FROM python:3.9.2-slim-buster
+
+ENV REVIEWDOG_VERSION=v0.11.0
+
+RUN --mount=type=tmpfs,target=/tmp \
+    --mount=type=tmpfs,target=/var/lib/apt \
+    set -eux \
+    && apt-get update \
+    && apt-get install -y --no-install-recommends \
+        git \
+        wget \
+    && wget -O - -q https://raw.githubusercontent.com/reviewdog/reviewdog/master/install.sh| sh -s -- -b /usr/local/bin/ ${REVIEWDOG_VERSION} \
+    && pip install detect-secrets
+
+COPY baseline2rdf.py /usr/local/bin/baseline2rdf
+COPY entrypoint.sh /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2021 levonet
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,56 @@
+# GitHub Action: Run detect-secrets with reviewdog
+
+This action runs [detect-secrets](https://github.com/Yelp/detect-secrets) with
+[reviewdog](https://github.com/reviewdog/reviewdog) on pull requests to improve
+code review experience.
+
+## Inputs
+
+### `github_token`
+
+**Required**. Must be in form of `github_token: ${{ secrets.github_token }}`'.
+
+### `workdir`
+
+Optional. The directory from which to look for and run detect-secrets. Default '.'
+
+### `filter_mode`
+
+Optional. Reviewdog filter mode [added, diff_context, file, nofilter]
+It's the same as the `-filter-mode` flag of reviewdog.
+
+### `fail_on_error`
+
+Whether reviewdog should fail when errors are found. [true,false]
+This is useful for failing CI builds in addition to adding comments when errors are found.
+It's the same as the `-fail-on-error` flag of reviewdog.
+
+### `level`
+
+Optional. Report level for reviewdog [info,warning,error].
+It's same as `-level` flag of reviewdog.
+
+### `reporter`
+
+Reporter of reviewdog command [github-pr-check,github-pr-review,github-check].
+Default is github-pr-check.
+github-pr-review can use Markdown and add a link to rule page in reviewdog reports.
+
+## Example usage
+
+### [.github/workflows/reviewdog.yml](.github/workflows/reviewdog.yml)
+
+```yml
+name: reviewdog
+on: [pull_request]
+jobs:
+  detect-secrets:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: detect-secrets
+      uses: levonet/action-detect-secrets@master
+      with:
+        github_token: ${{ secrets.github_token }}
+        reporter: github-pr-review # Change reporter.
+```

action.yml

@@ -0,0 +1,33 @@
+name: Run detect-secrets with reviewdog
+description: 🐶 Run detect-secrets with reviewdog on pull requests to improve code review experience.
+inputs:
+  github_token:
+    description: GITHUB_TOKEN.
+    required: true
+  name:
+    description: Report name
+    default: detect-secrets
+  workdir:
+    description: "The directory from which to look for and run detect-secrets. Default: '.'"
+    default: "."
+  filter_mode:
+    description: Reviewdog filter mode [added, diff_context, file, nofilter]
+    default: added
+  fail_on_error:
+    description: Whether reviewdog should fail when errors are found. [true,false] - This is useful for failing CI builds.
+    default: "false"
+  level:
+    description: Report level for reviewdog [info,warning,error]
+    default: error
+  reporter:
+    description: |
+      Reporter of reviewdog command [github-pr-check,github-pr-review,github-check].
+      Default is github-pr-check.
+      github-pr-review can use Markdown and add a link to rule page in reviewdog reports.
+    default: 'github-pr-check'
+runs:
+  using: docker
+  image: Dockerfile
+branding:
+  icon: shield
+  color: green

baseline2rdf.py

@@ -0,0 +1,53 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+import sys
+import json
+
+rdjson = {
+    'source': {
+        'name': 'detect-secrets',
+        'url': 'https://github.com/Yelp/detect-secrets'
+    },
+    'severity': 'ERROR',
+    'diagnostics': []
+}
+
+
+def main():
+    baseline = json.load(sys.stdin)
+    if not baseline['results']:
+        baseline['results'] = {}
+
+    results = {}
+    for detects in baseline['results'].values():
+        for item in detects:
+            key = '%s:%s' % (item['filename'], item['line_number'])
+            if key in results:
+                results[key]['message'] += '\n* ' + item['type']
+            else:
+                results[key] = {
+                    'message': '* ' + item['type'],
+                    'location': {
+                        'path': item['filename'],
+                        'range': {
+                            'start': {
+                                'line': item['line_number']
+                            }
+                        }
+                    }
+                }
+
+    for result in results.values():
+        rdjson['diagnostics'].append(result)
+
+    try:
+        sys.stdout.write(json.dumps(rdjson, indent=2, ensure_ascii=False))
+        sys.stdout.write('\n')
+    except Exception as error:
+        sys.stderr.write('Error: %s\n' % error)
+        return 1
+    return 0
+
+
+if __name__ == '__main__':
+    sys.exit(main())

entrypoint.sh

@@ -0,0 +1,16 @@
+#!/bin/sh
+
+cd "${GITHUB_WORKSPACE}/${INPUT_WORKDIR}" || exit 1
+
+export REVIEWDOG_GITHUB_API_TOKEN="${INPUT_GITHUB_TOKEN}"
+
+detect-secrets --version
+
+detect-secrets scan --all-files --force-use-all-plugins \
+    | baseline2rdf \
+    | reviewdog -f=rdjson \
+        -name="${INPUT_NAME:-detect-secrets}"
+        -filter-mode="${INPUT_FILTER_MODE:-added}" \
+        -reporter="${INPUT_REPORTER:-github-pr-check}" \
+        -fail-on-error="${INPUT_FAIL_ON_ERROR}" \
+        -level="${INPUT_LEVEL}" \

testdata/application.properties

@@ -0,0 +1,4 @@
+
+spring.redis.password = reviewdog2022
+
+spring.datasource.password = <placeholder>

testdata/config.yaml

@@ -0,0 +1,3 @@
+---
+token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.cThIIoDvwdueQB468K5xDc5633seEFoqwxjF_xSJyQQ
+aws_secret_key: 23456789a1

testdata/file_with_secrets.py

@@ -0,0 +1,11 @@
+#!/usr/bin/python
+# Will change this later.
+SUPER_SECRET_VALUES = '60b725f10c9c85c70d97880dfe8191b3', '3b5d5c3712955042212316173ccf37be'
+
+
+def main():
+    print('Hello world!')
+
+
+if __name__ == '__main__':
+    main()