#! ./test/bats/bin/bats
#
# bats test file for testing that caulking
# prevents leaking secrets.
#
# Bug bounty and HackerOne folks - do not report this
# file. These are all fake/obsolete keys.
#
# Prerequisites:
# * gitleaks and rules are installed with `make clean_gitleaks install`
# Running Tests:
# make audit
#
# Development note: These tests all assume that your root
# ~/.git-support/gitleaks.toml is up to date. If you're testing
# `local.toml` then use `development.bats` (or run `make patterns`
# before `make audit`)
load test_helper
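@test "leak prevention allows plain text, check 'git config --global -l' on failure" {
  # Diagnostics go to stderr; bats only surfaces them when the test fails.
  printf 'Debug: Starting plain text test\n' >&2
  printf 'Debug: Current PATH: %s\n' "$PATH" >&2
  # command -v is the portable lookup; `which` is not a shell builtin and
  # may be absent on minimal systems.
  printf 'Debug: Gitleaks location: %s\n' "$(command -v gitleaks)" >&2
  printf 'Debug: Git hooks path: %s\n' "$(git config --global core.hookspath)" >&2
  # addFileWithNoSecrets comes from test_helper; `run` captures $status and $output.
  run addFileWithNoSecrets
  printf 'Debug: Test exit status: %s\n' "$status" >&2
  printf 'Debug: Test output:\n%s\n' "$output" >&2
  # Exit 0 alone would not distinguish a clean scan from a hook that never
  # ran, so the "no leaks found" text is asserted as well.
  [ "${status}" -eq 0 ]
  assert_output --partial "no leaks found"
}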
@test "leak prevention catches unstaged aws secrets in test repo" {
  # unstagedFileWithAwsSecrets is defined in test_helper. Exit status 1 is
  # what this suite treats as "leak detected"; any other code fails the test.
  run unstagedFileWithAwsSecrets
  [[ "$status" -eq 1 ]]
}
@test "leak prevention catches aws secrets in test repo" {
  # addFileWithAwsSecrets is defined in test_helper. The commit must be
  # rejected with exit status 1 exactly; a crash or missing tool is not a pass.
  run addFileWithAwsSecrets
  [[ "$status" -eq 1 ]]
}
@test "leak prevention catches aws accesskey in test repo" {
  # addFileWithAwsAccessKey is defined in test_helper. The commit must be
  # rejected with exit status 1 exactly.
  run addFileWithAwsAccessKey
  [[ "$status" -eq 1 ]]
}
@test "leak prevention catches normal email addresses in test repo" {
  # addFileWithSecretEmail is defined in test_helper. The commit must be
  # rejected with exit status 1 exactly.
  run addFileWithSecretEmail
  [[ "$status" -eq 1 ]]
}
@test "leak prevention catches Slack api token in test repo" {
  # addFileWithSlackAPIToken is defined in test_helper. The commit must be
  # rejected with exit status 1 exactly.
  run addFileWithSlackAPIToken
  [[ "$status" -eq 1 ]]
}
@test "leak prevention catches IPv4 address in test repo" {
  # addFileWithIPv4 is defined in test_helper. The commit must be rejected
  # with exit status 1 exactly.
  run addFileWithIPv4
  [[ "$status" -eq 1 ]]
}
@test "repo runs gitleaks and local githooks" {
  # testLocalGitHook is defined in test_helper. Only the captured output is
  # asserted here: the local hook's marker ("foobar") and gitleaks' verdict
  # must both be present; the exit status is deliberately not checked.
  run testLocalGitHook
  assert_output --partial "foobar"
  assert_output --partial "no leaks found"
}
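@test "repos have hooks.gitleaks set to true" {
  # $HOME is quoted so a home path containing spaces is passed as one argument.
  # fd 3 is bats' pass-through descriptor, so check_repos.sh output is shown live;
  # a non-zero exit from check_repos.sh fails the test.
  ./check_repos.sh "$HOME" check_hooks_gitleaks >&3
}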
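@test "repos are not overriding the core hooks path" {
  # A per-repo core.hooksPath would bypass the global gitleaks hook, which is
  # why check_repos.sh walks every repo under $HOME. Quoted so spaces in the
  # path survive; fd 3 is bats' pass-through descriptor.
  ./check_repos.sh "$HOME" check_hooks_path >&3
}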
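@test "the ~/.aws directory is free of AWS keys" {
  # Nothing to scan when the directory is absent; that counts as a pass.
  if [ ! -d "$HOME/.aws" ]; then
    return 0
  fi
  # grep -q exits 1 only when nothing matched. 0 (a key ID was found) and
  # 2 (a file could not be read) both fail the test, which is the safe default.
  # NOTE(review): 'AKIA' matches long-lived access key IDs only; temporary
  # STS credentials (ASIA... prefix) are not covered — confirm that is intended.
  run grep -rq 'AKIA' "$HOME/.aws"
  [ "${status}" -eq 1 ]
}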
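@test "git configuration uses a @gsa.gov email" {
  # ${CI:-} keeps `[` from seeing a missing operand when CI is unset
  # (bare $CI expands to nothing and the comparison errors instead of failing).
  if [ "${CI:-}" = 'true' ]; then
    skip "Skipping test in CI"
  fi
  # Quoted $HOME; fd 3 is bats' pass-through descriptor.
  ./check_repos.sh "$HOME" check_user_email >&3
}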
@test "it catches yaml with encryption key" {
  # yamlTest is defined in test_helper; the value below is a fake key used
  # only to exercise the rule. Exit status 1 means the leak was caught.
  run yamlTest "development-enc-key: aich3thei2ieCai0choyohg9Iephoh8I"
  [[ "$status" -eq 1 ]]
}
@test "it catches yaml with auth pass" {
  # yamlTest is defined in test_helper; the value below is a fake password
  # used only to exercise the rule. Exit status 1 means the leak was caught.
  run yamlTest "development-auth-pass: woothothae5IezaiD8gu0eiweKui4sah"
  [[ "$status" -eq 1 ]]
}
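@test "it is on the latest commit, on failure run: git pull; git checkout main" {
  # Skipped in GitHub Actions, where the checkout is a fresh clone anyway.
  if [ "${GITHUB_ACTIONS:-}" = "true" ]; then
    skip "Attention: GITHUB_ACTIONS is true"
  fi
  local current_branch git_head local_head
  # Declaration and assignment are split so a failing git call is not masked
  # by `local` returning 0.
  current_branch=$(git rev-parse --abbrev-ref HEAD)
  # Only main is compared against the remote; other branches are expected
  # to differ.
  if [ "$current_branch" != "main" ]; then
    skip "Not on main branch (current: $current_branch)"
  fi
  local -r url=https://github.com/cloud-gov/caulking.git
  # ls-remote needs network access. If it fails, git_head is empty and the
  # test would otherwise be misreported as "out of date"; fail explicitly.
  git_head=$(git ls-remote "$url" HEAD | cut -f1)
  if [ -z "$git_head" ]; then
    printf 'Could not read the remote HEAD from %s (network or proxy problem?)\n' "$url"
    return 1
  fi
  local_head=$(git rev-parse HEAD)
  # Diagnostics are printed before the assertion so bats shows them on failure.
  if [ "$git_head" != "$local_head" ]; then
    printf 'Remote HEAD: %s\n' "$git_head"
    printf 'Local HEAD: %s\n' "$local_head"
    printf 'To update: git pull origin main\n'
  fi
  [ "$git_head" = "$local_head" ]
}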