msgraph-sdk-javascript icon indicating copy to clipboard operation
msgraph-sdk-javascript copied to clipboard
verified publisher icon microsoftgraph

CredScan as a pre-commit git hook

Open nikithauc opened this issue 3 years ago • 8 comments

nikithauc avatar Apr 01 '22 21:04 nikithauc

Should this be called "CredScan as a PR gate" instead? As far as I understand, pre-commit hook is a dev setup thing. Unless this issue refers to something else that I am not aware of..

cc: @MIchaelMainer

zengin avatar Apr 12 '22 03:04 zengin

PR is too late, secrets are already pushed to public, threat actors may have already consumed them. This is a dev setup thing. Now to think of it, not really a work item JS repo.

MIchaelMainer avatar Apr 12 '22 04:04 MIchaelMainer

@MIchaelMainer we are adding it as a gate too in Raptor in case the secrets slip through from the dev setup: https://github.com/microsoftgraph/msgraph-sdk-raptor/pull/955.

zengin avatar Apr 12 '22 18:04 zengin

Yes, as a gate, that's good. I still want everyone running CredScan locally. ☺️

MIchaelMainer avatar Apr 12 '22 18:04 MIchaelMainer

pre-commit hook + gate then?

nikithauc avatar Apr 12 '22 22:04 nikithauc

I'd say yes. One is to prevent it from happening, the other is to catch if it happens. I think we have a way to catch it after the check-in by default security scanning tools, but the earlier we catch, the better.

zengin avatar Apr 13 '22 01:04 zengin

That said, as @MIchaelMainer said, "pre-commit hook" is not really a work item specific to the repo.

zengin avatar Apr 13 '22 01:04 zengin

@zengin Yes, we should also have this as PR gate.

MIchaelMainer avatar Apr 18 '22 17:04 MIchaelMainer