Merge pull request #438 from drone-plugins/CI-10849

feat: [CI-10849]: add git-leaks support
corrected external reference
2026-06-04 18:24:24 +08:00 · 2024-05-10 12:39:40 +01:00 · 2024-05-10 11:18:24 +05:30 · 2024-05-10 11:18:24 +05:30 · 2024-04-23 23:34:53 -07:00 · 2024-04-23 22:34:44 +05:30
11 changed files with 182 additions and 34 deletions
@@ -12,7 +12,7 @@ platform:

 steps:
  - name: vet
-    image: golang:1.21
+    image: golang:1.22
    commands:
      - go vet ./...
    environment:
@@ -22,7 +22,7 @@ steps:
        path: /go

  - name: test
-    image: golang:1.21
+    image: golang:1.22
    commands:
      - go test -cover ./...
    environment:
@@ -55,7 +55,7 @@ platform:

 steps:
  - name: go build
-    image: golang:1.21
+    image: golang:1.22
    environment:
      CGO_ENABLED: 0
    commands:
@@ -162,7 +162,7 @@ platform:

 steps:
  - name: go build
-    image: golang:1.21
+    image: golang:1.22
    environment:
      CGO_ENABLED: 0
    commands:
@@ -264,7 +264,7 @@ platform:

 steps:
  - name: build-push
-    image: golang:1.21
+    image: golang:1.22
    commands:
      - 'go build -v -ldflags "-X main.version=${DRONE_COMMIT_SHA:0:8}" -a -tags netgo -o release/linux/amd64/drone-docker ./cmd/drone-docker'
    environment:
@@ -275,7 +275,7 @@ steps:
          - tag

  - name: build-tag
-    image: golang:1.21
+    image: golang:1.22
    commands:
      - 'go build -v -ldflags "-X main.version=${DRONE_TAG##v}" -a -tags netgo -o release/linux/amd64/drone-docker ./cmd/drone-docker'
    environment:
@@ -285,7 +285,7 @@ steps:
        - tag

  - name: executable
-    image: golang:1.21
+    image: golang:1.22
    commands:
      - ./release/linux/amd64/drone-docker --help

@@ -329,7 +329,7 @@ platform:

 steps:
  - name: build-push
-    image: golang:1.21
+    image: golang:1.22
    commands:
      - 'go build -v -ldflags "-X main.version=${DRONE_COMMIT_SHA:0:8}" -a -tags netgo -o release/linux/arm64/drone-docker ./cmd/drone-docker'
    environment:
@@ -340,7 +340,7 @@ steps:
          - tag

  - name: build-tag
-    image: golang:1.21
+    image: golang:1.22
    commands:
      - 'go build -v -ldflags "-X main.version=${DRONE_TAG##v}" -a -tags netgo -o release/linux/arm64/drone-docker ./cmd/drone-docker'
    environment:
@@ -350,7 +350,7 @@ steps:
        - tag

  - name: executable
-    image: golang:1.21
+    image: golang:1.22
    commands:
      - ./release/linux/arm64/drone-docker --help

@@ -429,7 +429,7 @@ platform:

 steps:
  - name: build-push
-    image: golang:1.21
+    image: golang:1.22
    commands:
      - 'go build -v -ldflags "-X main.version=${DRONE_COMMIT_SHA:0:8}" -a -tags netgo -o release/linux/amd64/drone-gcr ./cmd/drone-gcr'
    environment:
@@ -440,7 +440,7 @@ steps:
          - tag

  - name: build-tag
-    image: golang:1.21
+    image: golang:1.22
    commands:
      - 'go build -v -ldflags "-X main.version=${DRONE_TAG##v}" -a -tags netgo -o release/linux/amd64/drone-gcr ./cmd/drone-gcr'
    environment:
@@ -488,7 +488,7 @@ platform:

 steps:
  - name: build-push
-    image: golang:1.21
+    image: golang:1.22
    commands:
      - 'go build -v -ldflags "-X main.version=${DRONE_COMMIT_SHA:0:8}" -a -tags netgo -o release/linux/arm64/drone-gcr ./cmd/drone-gcr'
    environment:
@@ -499,7 +499,7 @@ steps:
          - tag

  - name: build-tag
-    image: golang:1.21
+    image: golang:1.22
    commands:
      - 'go build -v -ldflags "-X main.version=${DRONE_TAG##v}" -a -tags netgo -o release/linux/arm64/drone-gcr ./cmd/drone-gcr'
    environment:
@@ -582,7 +582,7 @@ platform:

 steps:
  - name: build-push
-    image: golang:1.21
+    image: golang:1.22
    commands:
      - 'go build -v -ldflags "-X main.version=${DRONE_COMMIT_SHA:0:8}" -a -tags netgo -o release/linux/amd64/drone-gar ./cmd/drone-gar'
    environment:
@@ -593,7 +593,7 @@ steps:
          - tag

  - name: build-tag
-    image: golang:1.21
+    image: golang:1.22
    commands:
      - 'go build -v -ldflags "-X main.version=${DRONE_TAG##v}" -a -tags netgo -o release/linux/amd64/drone-gar ./cmd/drone-gar'
    environment:
@@ -641,7 +641,7 @@ platform:

 steps:
  - name: build-push
-    image: golang:1.21
+    image: golang:1.22
    commands:
      - 'go build -v -ldflags "-X main.version=${DRONE_COMMIT_SHA:0:8}" -a -tags netgo -o release/linux/arm64/drone-gar ./cmd/drone-gar'
    environment:
@@ -652,7 +652,7 @@ steps:
          - tag

  - name: build-tag
-    image: golang:1.21
+    image: golang:1.22
    commands:
      - 'go build -v -ldflags "-X main.version=${DRONE_TAG##v}" -a -tags netgo -o release/linux/arm64/drone-gar ./cmd/drone-gar'
    environment:
@@ -734,7 +734,7 @@ platform:

 steps:
  - name: build-push
-    image: golang:1.21
+    image: golang:1.22
    commands:
      - 'go build -v -ldflags "-X main.version=${DRONE_COMMIT_SHA:0:8}" -a -tags netgo -o release/linux/amd64/drone-ecr ./cmd/drone-ecr'
    environment:
@@ -744,7 +744,7 @@ steps:
        exclude:
          - tag
  - name: build-tag
-    image: golang:1.21
+    image: golang:1.22
    commands:
      - 'go build -v -ldflags "-X main.version=${DRONE_TAG##v}" -a -tags netgo -o release/linux/amd64/drone-ecr ./cmd/drone-ecr'
    environment:
@@ -792,7 +792,7 @@ platform:

 steps:
  - name: build-push
-    image: golang:1.21
+    image: golang:1.22
    commands:
      - 'go build -v -ldflags "-X main.version=${DRONE_COMMIT_SHA:0:8}" -a -tags netgo -o release/linux/arm64/drone-ecr ./cmd/drone-ecr'
    environment:
@@ -802,7 +802,7 @@ steps:
        exclude:
          - tag
  - name: build-tag
-    image: golang:1.21
+    image: golang:1.22
    commands:
      - 'go build -v -ldflags "-X main.version=${DRONE_TAG##v}" -a -tags netgo -o release/linux/arm64/drone-ecr ./cmd/drone-ecr'
    environment:
@@ -885,7 +885,7 @@ platform:

 steps:
  - name: build-push
-    image: golang:1.21
+    image: golang:1.22
    commands:
      - 'go build -v -ldflags "-X main.version=${DRONE_COMMIT_SHA:0:8}" -a -tags netgo -o release/linux/amd64/drone-heroku ./cmd/drone-heroku'
    environment:
@@ -895,7 +895,7 @@ steps:
        exclude:
          - tag
  - name: build-tag
-    image: golang:1.21
+    image: golang:1.22
    commands:
      - 'go build -v -ldflags "-X main.version=${DRONE_TAG##v}" -a -tags netgo -o release/linux/amd64/drone-heroku ./cmd/drone-heroku'
    environment:
@@ -944,7 +944,7 @@ platform:

 steps:
  - name: build-push
-    image: golang:1.21
+    image: golang:1.22
    commands:
      - 'go build -v -ldflags "-X main.version=${DRONE_COMMIT_SHA:0:8}" -a -tags netgo -o release/linux/arm64/drone-heroku ./cmd/drone-heroku'
    environment:
@@ -954,7 +954,7 @@ steps:
        exclude:
          - tag
  - name: build-tag
-    image: golang:1.21
+    image: golang:1.22
    commands:
      - 'go build -v -ldflags "-X main.version=${DRONE_TAG##v}" -a -tags netgo -o release/linux/arm64/drone-heroku ./cmd/drone-heroku'
    environment:
@@ -1035,7 +1035,7 @@ platform:

 steps:
  - name: build-push
-    image: golang:1.21
+    image: golang:1.22
    commands:
      - 'go build -v -ldflags "-X main.build=${DRONE_BUILD_NUMBER}" -a -tags netgo -o release/linux/amd64/drone-acr ./cmd/drone-acr'
    environment:
@@ -1045,7 +1045,7 @@ steps:
        exclude:
          - tag
  - name: build-tag
-    image: golang:1.21
+    image: golang:1.22
    commands:
      - 'go build -v -ldflags "-X main.version=${DRONE_TAG##v} -X main.build=${DRONE_BUILD_NUMBER}" -a -tags netgo -o release/linux/amd64/drone-acr ./cmd/drone-acr'
    environment:
@@ -1093,7 +1093,7 @@ platform:

 steps:
  - name: build-push
-    image: golang:1.21
+    image: golang:1.22
    commands:
      - 'go build -v -ldflags "-X main.build=${DRONE_BUILD_NUMBER}" -a -tags netgo -o release/linux/arm64/drone-acr ./cmd/drone-acr'
    environment:
@@ -1104,7 +1104,7 @@ steps:
          - tag

  - name: build-tag
-    image: golang:1.21
+    image: golang:1.22
    commands:
      - 'go build -v -ldflags "-X main.version=${DRONE_TAG##v} -X main.build=${DRONE_BUILD_NUMBER}" -a -tags netgo -o release/linux/arm64/drone-acr ./cmd/drone-acr'
    environment:
@@ -10,6 +10,14 @@

 Drone plugin uses Docker-in-Docker to build and publish Docker images to a container registry. For the usage information and a listing of the available options please take a look at [the docs](http://plugins.drone.io/drone-plugins/drone-docker/).

+### Git Leaks
+
+Run the following script to install git-leaks support to this repo.
+```
+chmod +x ./git-hooks/install.sh
+./git-hooks/install.sh
+```
+
 ## Build

 Build the binaries with the following commands:
@@ -42,6 +42,7 @@ func main() {
 		assumeRole       = getenv("PLUGIN_ASSUME_ROLE")
 		externalId       = getenv("PLUGIN_EXTERNAL_ID")
 		scanOnPush       = parseBoolOrDefault(false, getenv("PLUGIN_SCAN_ON_PUSH"))
+		idToken          = os.Getenv("PLUGIN_OIDC_TOKEN_ID") 
 	)

 	// set the region
@@ -61,7 +62,7 @@ func main() {
 		log.Fatal(fmt.Sprintf("error creating aws session: %v", err))
 	}

-	svc := getECRClient(sess, assumeRole, externalId)
+	svc := getECRClient(sess, assumeRole, externalId, idToken)
 	username, password, defaultRegistry, err := getAuthInfo(svc)

 	if registry == "" {
@@ -213,11 +214,15 @@ func getenv(key ...string) (s string) {
 	return
 }

-func getECRClient(sess *session.Session, role string, externalId string) *ecr.ECR {
+func getECRClient(sess *session.Session, role string, externalId string, idToken string) *ecr.ECR {
 	if role == "" {
 		return ecr.New(sess)
 	}
-	if externalId != "" {
+	// Use STS AssumeRoleWithWebIdentity when idToken is provided
+	if idToken != "" {
+		creds := stscreds.NewWebIdentityCredentials(sess, role, "", idToken)
+		return ecr.New(sess, &aws.Config{Credentials: creds})
+	} else if externalId != "" {
 		return ecr.New(sess, &aws.Config{
 			Credentials: stscreds.NewCredentials(sess, role, func(p *stscreds.AssumeRoleProvider) {
 				p.ExternalID = &externalId
@@ -0,0 +1,8 @@
+This document explains on how to install certain git hooks globally for all repositories in your machine.
+
+Step 1: git clone https://github.com/drone-plugins/drone-docker.git
+Step 2: cd git-hooks
+Step 3: Run install.sh
+
+"install.sh" script will create .git_template in the user directory and will put the git hook and its dependent scripts in it. Along with the .git_template folder, it will add 2 sections "init" and "hooks boolean" in the .gitconfig file in the same user's root directory.
+After running "install.sh" if you create/clone a new git repository then all the hooks will get install automatically for the git repository. In case of existing git repository copy the contents of ~/.git_template/hooks into the .git/hooks directory of existing git repository.
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+#Helper script to be used as a pre-commit hook.
+
+echo "This hook checks for any secrets getting pushed as part of commit. If you feel that scan is false positive. \
+Then add the exclusion in .gitleaksignore file. For more info visit: https://github.com/zricethezav/gitleaks"
+
+GIT_LEAKS_PRE_COMMIT=s$(git config --bool hook.pre-commit.gitleak)
+
+echo "INFO: Scanning Commits information for any GIT LEAKS"
+gitleaks protect --staged -v --exit-code=100
+STATUS=$?
+if [ $STATUS = 100  ]; then
+    echo "WARNING: GIT LEAKS has detected sensitive information in your changes. Please remove them or add them (IF NON-SENSITIVE) in .gitleaksignore file."
+else
+    exit 0
+fi
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+#Helper script to be used as a pre-commit hook.
+
+echo "This hook checks for any secrets getting pushed as part of commit. If you feel that scan is false positive. \
+Then add the exclusion in .gitleaksignore file. For more info visit: https://github.com/zricethezav/gitleaks"
+
+GIT_LEAKS=$(git config --bool hook.pre-push.gitleaks)
+
+echo "INFO: Scanning Commits information for any GIT LEAKS"
+gitleaks detect -s ./ --log-level=debug --log-opts=-1 -v
+STATUS=$?
+if [ $STATUS != 0  ]; then
+    echo "WARNING: GIT LEAKS has detected sensitive information in your changes. Please remove them or add them (IF NON-SENSITIVE) in .gitleaksignore file."
+    exit $STATUS
+else
+    exit 0
+fi
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+GL_SCRIPT_PATH="$HOME/.git_template/hooks/git-leaks-pre-commit.sh"
+
+pushd `dirname $0` > /dev/null && cd ../.. && BASEDIR=$(pwd -L) && popd > /dev/null
+BASENAME=`basename $0`
+
+if git rev-parse --verify HEAD >/dev/null 2>&1
+then
+    against=HEAD
+else
+    #Initial commit : diff against an empty tree object
+    against=4b825dc642cb6eb9a060e54bf8d69288fbee4904
+fi
+
+GIT_LEAKS_PRE_COMMIT=hook.pre-commit.gitleaks
+if [ "`git config $GIT_LEAKS_PRE_COMMIT`" == "false" ]
+then
+    echo -e '\033[0;31m' checking git leaks is disabled - to enable: '\033[0;37m'git config --unset $GIT_LEAKS_PRE_COMMIT '\033[0m'
+    echo -e '\033[0;34m' checking git leaks  ... to enable: '\033[0;37m'git config --add $GIT_LEAKS_PRE_COMMIT true '\033[0m'
+else
+    echo -e '\033[0;34m' checking for git leaks...
+    [ -f "${GL_SCRIPT_PATH}" ] && . ${GL_SCRIPT_PATH} || echo "ERROR: Hook Script Not Found..." && exit 404
+fi
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+GL_SCRIPT_PATH="$HOME/.git_template/hooks/git-leaks.sh"
+
+pushd `dirname $0` > /dev/null && cd ../.. && BASEDIR=$(pwd -L) && popd > /dev/null
+BASENAME=`basename $0`
+
+if git rev-parse --verify HEAD >/dev/null 2>&1
+then
+    against=HEAD
+else
+    #Initial commit : diff against an empty tree object
+    against=4b825dc642cb6eb9a060e54bf8d69288fbee4904
+fi
+
+GIT_LEAKS=hook.pre-push.gitleaks
+if [ "`git config $GIT_LEAKS`" == "false" ]
+then
+    echo -e '\033[0;31m' checking git leaks is disabled - to enable: '\033[0;37m'git config --unset $GIT_LEAKS '\033[0m'
+    echo -e '\033[0;34m' checking git leaks  ... to enable: '\033[0;37m'git config --add $GIT_LEAKS true '\033[0m'
+else
+    echo -e '\033[0;34m' checking for git leaks...
+    [ -f "${GL_SCRIPT_PATH}" ] && . ${GL_SCRIPT_PATH} || echo "ERROR: Hook Script Not Found..." && exit 404
+fi
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+#Function to check if package is installed or not
+#args: $1: Name of the Package
+function check_package_installed() {
+  LOCAL_PACKAGE_NAME=$1
+  echo "Checking if $LOCAL_PACKAGE_NAME is installed or not..."
+  brew list $LOCAL_PACKAGE_NAME
+  if [ "$?" -eq 1 ];then
+    echo "Installing $LOCAL_PACKAGE_NAME package..."
+    brew install $LOCAL_PACKAGE_NAME
+  fi
+}
+
+function create_git_template() {
+    cd $BASEDIR
+    mkdir -p ~/.git_template/hooks
+    git config --global init.templatedir ${GIT_TEMPLATE}
+    git config --global --add $GIT_LEAKS true
+    git config --global --add $GIT_LEAKS_PRE_COMMIT true
+    find hooks/ -type f -exec cp "{}" ~/.git_template/hooks \;
+    #cp -f hooks/* ~/.git_template/hooks
+    cat ~/.gitconfig
+}
+
+GIT_TEMPLATE="~/.git_template"
+GIT_LEAKS=hook.pre-push.gitleaks
+GIT_LEAKS_PRE_COMMIT=hook.pre-commit.gitleaks
+
+pushd `dirname $0` && BASEDIR=$(pwd -L) && popd
+
+echo This script will install hooks that run scripts that could be updated without notice.
+
+while true; do
+    read -p "Do you wish to install these hooks?" yn
+    case $yn in
+        [Yy]* ) check_package_installed "gitleaks";
+                break;;
+        [Nn]* ) exit;;
+        * ) echo "Please answer yes or no.";;
+    esac
+done
+
+create_git_template
@@ -39,4 +39,4 @@ require (
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

-go 1.21
+go 1.22
Author	SHA1	Message	Date
Vistaar Juneja	7c8c6ca9cb	Merge pull request #438 from drone-plugins/CI-10849 feat: [CI-10849]: add git-leaks support	2024-05-10 12:39:40 +01:00
abhay084	87212938c2	corrected external reference	2024-05-10 11:18:24 +05:30
abhay084	3c4c8e5f10	feat: [CI-10849]: add git-leaks support	2024-05-10 11:18:24 +05:30
Dinesh Garg	b009c711b5	Merge pull request #439 from Ompragash/patch-1 Added PLUGIN_OIDC_TOKEN_ID support	2024-04-23 23:34:53 -07:00
OP (oppenheimer)	12cc40aa62	Added PLUGIN_OIDC_TOKEN_ID support	2024-04-23 22:34:44 +05:30
Hen Amar	a807dc91eb	Merge pull request #437 from drone-plugins/scheduled_go_upgrade2024-03-04_08-03-22 Update go Version in all files	2024-03-06 11:52:44 +02:00
rahkumar56	e0ceb37f24	Update GO Version to latest version in all the files	2024-03-04 08:05:22 +00:00