Talisman pre-commit hook secrets scanning #233
Conversation
|
|
| allow if { | ||
| some repo_id | ||
| repo_data := parsed_data.repos[repo_id] | ||
| endswith(repo_data["repo"], "https://github.com/thoughtworks/talisman") |
There was a problem hiding this comment.
I see we're checking for the hook coming from this repo to be set. Do we want to check the hook entries as well though?
I mean:
- id: talisman-commit
entry: cmd --githook pre-commit
We can iterate the hooks and verify those.
There was a problem hiding this comment.
yes, this is a good idea...
I was wondering though. If we add such complex business logic for each rule concerning pre-commit, and then copy paste the exact same code for every imaginable pre-commit hook, then we are creating a maintenance nightmare 🤔
so I guess we could add a helper function in minder for this (like we have for github actions), or else we could convert this rule into a parametric rule where you have to specify which hook you want to enforce?
There was a problem hiding this comment.
mm yep, maybe makes sense to match the mandatory fields right
There was a problem hiding this comment.
convert this rule into a parametric rule where you have to specify which hook you want to enforce?
which kinda raises the question if we can somehow support "partial application" of rule types, i. e. we make a generic rule type that takes 1 argument as required configuration, and we build other rule types that re-use that parametric rule type, but don't require any parameters 🤔
There was a problem hiding this comment.
this is a really good idea. I haven't really figured out how this would look like in terms of implementation, but I can definitely see us supporting libraries... Let me give this some thought. Can you add an entry in the Gaps tracker?
There was a problem hiding this comment.
Gaps tracker?
what is that
edit: nevermind, I realized that it's in the spreadsheet
Co-authored-by: Dániel Kántor <[email protected]>
co-author @kantord