New: [AEA-4540] - Add secret scanning (#5)

## Summary

- ✨ New Feature

### Details

Add a step which runs the secret scanning container given
[here](https://github.com/NHSDigital/software-engineering-quality-framework/blob/main/tools/nhsd-git-secrets/nhsd-git-secrets.dockerfile)

Author: wildjames

.devcontainer/Dockerfile

@@ -9,7 +9,7 @@ RUN apt-get update \
     jq apt-transport-https ca-certificates gnupg-agent \
     software-properties-common bash-completion python3-pip make libbz2-dev \
     libreadline-dev libsqlite3-dev wget llvm libncurses5-dev libncursesw5-dev \
-    xz-utils tk-dev liblzma-dev netcat libyaml-dev
+    xz-utils tk-dev liblzma-dev netcat libyaml-dev pre-commit
 
 USER vscode
 

.devcontainer/devcontainer.json

@@ -15,7 +15,15 @@
       "source=${env:HOME}${env:USERPROFILE}/.npmrc,target=/home/vscode/.npmrc,type=bind"
     ],
     "containerUser": "vscode",
-    "features": {},
+    "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" },
+    "postAttachCommand": "docker build -f /workspaces/eps-workflow-quality-checks/dockerfiles/nhsd-git-secrets.dockerfile -t git-secrets . && pre-commit install --install-hooks -f",
+    "features": {
+      "ghcr.io/devcontainers/features/docker-outside-of-docker:1": {
+        "version": "latest",
+        "moby": "true",
+        "installDockerBuildx": "true"
+      }
+    },
     "customizations": {
       "vscode": {
         "extensions": [

.github/workflows/quality-checks.yml

@@ -4,18 +4,62 @@ on:
   workflow_call:
     secrets:
       SONAR_TOKEN:
-        required: true
+        required: false
+    inputs:
+      install_java:
+        type: boolean
+        description: "If true, the action will install java into the runner, separately from ASDF."
+        default: false
+        required: false
 
 jobs:
   quality_checks:
     runs-on: ubuntu-22.04
     steps:
+      - uses: actions/setup-java@v4
+        if: ${{ inputs.install_java }}
+        with:
+          java-version: '21'
+          distribution: 'corretto'
+
       - name: Checkout code
         uses: actions/checkout@v4
         with:
           ref: ${{ env.BRANCH_NAME }}
           fetch-depth: 0
 
+      # Must be done before anything installs, or it will check dependencies for secrets too.
+      - name: Ensure .gitallowed exists, for secret scanning
+        run: |
+          if [ ! -f ".gitallowed" ]; then
+            echo "Creating empty .gitallowed file"
+            touch .gitallowed
+            fi
+          echo "./nhsd-rules-deny.txt:10" >> .gitallowed
+          echo "Allowing the following regex patterns:"
+          cat .gitallowed
+
+      - name: Install git-secrets
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y git curl
+          git clone https://github.com/awslabs/git-secrets.git /tmp/git-secrets
+          cd /tmp/git-secrets
+          sudo make install
+
+      - name: Download regex patterns
+        run: |
+          curl -L https://raw.githubusercontent.com/NHSDigital/software-engineering-quality-framework/main/tools/nhsd-git-secrets/nhsd-rules-deny.txt -o nhsd-rules-deny.txt
+
+      - name: Configure git-secrets
+        run: |
+          git-secrets --register-aws
+          git-secrets --add-provider -- cat nhsd-rules-deny.txt
+
+      - name: Run secrets scan
+        run: |
+          git-secrets --scan-history .
+
       # using git commit sha for version of action to ensure we have stable version
       - name: Install asdf
         uses: asdf-vm/actions/setup@05e0d2ed97b598bfce82fd30daf324ae0c4570e6
@@ -258,9 +302,17 @@ jobs:
 
       - name: Generate and check SBOMs
         uses: NHSDigital/eps-action-sbom@main
-  
+
+      - name: "check is SONAR_TOKEN exists"
+        env: 
+            super_secret: ${{ secrets.SONAR_TOKEN }}
+        if: ${{ env.super_secret != '' }}
+        run: echo "RUN_SONAR=true" >> "$GITHUB_ENV"
+
+      
       - name: SonarCloud Scan
         uses: SonarSource/sonarcloud-github-action@master
+        if: ${{ env.RUN_SONAR == 'true' }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

.pre-commit-config.yaml

@@ -0,0 +1,11 @@
+repos:
+- repo: local
+  hooks:
+    - id: git-secrets
+      name: Git Secrets
+      description: git-secrets scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories.
+      entry: bash
+      args:
+        - -c
+        - 'docker run -v "$LOCAL_WORKSPACE_FOLDER:/src" git-secrets --pre_commit_hook'
+      language: system

README.md

@@ -5,12 +5,49 @@ A workflow to run the quality checks for EPS repositories. The steps executed by
 - **Generate and Check SBOMs**: Creates Software Bill of Materials (SBOMs) to track dependencies for security and compliance. Uses [THIS](https://github.com/NHSDigital/eps-action-sbom) action.
 - **Run Linting**
 - **Run Unit Tests**
+- **Scan git history for secrets**: Scans for secret-like patterns, using https://github.com/NHSDigital/software-engineering-quality-framework/blob/main/tools/nhsd-git-secrets/git-secrets
 - **SonarCloud Scan**: Performs code analysis using SonarCloud to detect quality issues and vulnerabilities.
 - **Validate CloudFormation Templates** (*Conditional*): If CloudFormation, AWS SAM templates or CDK are present, runs `cfn-lint` (SAM and cloudformation only) and `cfn-guard` to validate templates against AWS best practices and security rules.
 - **CDK Synth** (*Conditional*): Runs `make cdk-synth` if packages/cdk folder exists
 - **Check Licenses**: Runs `make check-licenses`.
 - **Check Python Licenses** (*Conditional*): If the project uses Poetry, scans Python dependencies for incompatible licenses.
 
+The secret scanning also has a dockerfile, which can be run against a repo in order to scan it manually (or as part of pre-commit hooks). This can be done like so:
+```bash
+docker build -f https://raw.githubusercontent.com/NHSDigital/eps-workflow-quality-checks/refs/tags/v3.0.0/dockerfiles/nhsd-git-secrets.dockerfile -t git-secrets .
+docker run -v /path/to/repo:/src git-secrets --scan-history .
+```
+For usage of the script, see the [source repo](https://github.com/NHSDigital/software-engineering-quality-framework/blob/main/tools/nhsd-git-secrets/git-secrets). Generally, you will either need `--scan -r .` or `--scan-history .`. The arguments default to `--scan -r .`, i.e. scanning the current state of the code.
+
+In order to enable the pre-commit hook for secret scanning (to prevent developers from committing secrets in the first place), add the following to the `.devcontainer/devcontainer.json` file:
+```json
+{
+    "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" },
+    "postAttachCommand": "docker build -f https://raw.githubusercontent.com/NHSDigital/eps-workflow-quality-checks/refs/tags/v3.0.0/dockerfiles/nhsd-git-secrets.dockerfile -t git-secrets . && pre-commit install --install-hooks -f",
+    "features": {
+      "ghcr.io/devcontainers/features/docker-outside-of-docker:1": {
+        "version": "latest",
+        "moby": "true",
+        "installDockerBuildx": "true"
+      }
+    }
+}
+```
+And the this pre-commit hook to the `.pre-commit-config.yaml` file:
+```yaml
+repos:
+- repo: local
+  hooks:
+    - id: git-secrets
+      name: Git Secrets
+      description: git-secrets scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories.
+      entry: bash
+      args:
+        - -c
+        - 'docker run -v "$LOCAL_WORKSPACE_FOLDER:/src" git-secrets --pre_commit_hook'
+      language: system
+```
+
 # Usage
 
 ## Inputs

dockerfiles/nhsd-git-secrets.dockerfile

@@ -0,0 +1,42 @@
+# This dockerfile allows you to run the NHS flavour of secret-scanning on the mounted directory.
+# It assumes nothing about the local filesystem, so can be built remotely by using 
+#    docker build -t git-secrets -f https://raw.githubusercontent.com/NHSDigital/eps-workflow-quality-checks/refs/tags/<VERSION>/dockerfiles/nhsd-git-secrets.dockerfile .
+# When run:
+#    docker run -v /path/to/code:/src git-secrets [ARGS]
+# It will default to scanning the local directory (note that it must be a git repository) as it currently is (no history scan).
+# However, script arguments (https://github.com/NHSDigital/software-engineering-quality-framework/blob/main/tools/nhsd-git-secrets/git-secrets)
+# can also be supplied. Remember to provide the trailing `.`, or the script would assume 
+# you want to scan STDIN.
+# The default arguments are `--scan -r .
+
+FROM ubuntu:latest
+
+RUN echo "Installing required modules"
+RUN apt-get update
+RUN apt-get -y install curl git build-essential
+
+WORKDIR /secrets-scanner
+
+RUN echo "Downloading secrets scanner"
+RUN curl https://codeload.github.com/awslabs/git-secrets/tar.gz/master | tar -xz --strip=1 git-secrets-master
+
+RUN echo "Installing secrets scanner"
+RUN make install
+
+RUN echo "Downloading regex files from engineering-framework"
+RUN curl https://codeload.github.com/NHSDigital/software-engineering-quality-framework/tar.gz/main | tar -xz --strip=3 software-engineering-quality-framework-main/tools/nhsd-git-secrets/nhsd-rules-deny.txt
+
+RUN echo '#!/usr/bin/env bash\n\
+\n\
+git config --global --add safe.directory /src\n\
+# Register additional providers: adds AWS by default \n\
+echo "Configuring secrets scanner" \n\
+/secrets-scanner/git-secrets --register-aws \n\
+/secrets-scanner/git-secrets --add-provider -- cat /secrets-scanner/nhsd-rules-deny.txt \n\
+\n\
+/secrets-scanner/git-secrets $@ \n ' >> /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+WORKDIR /src
+ENTRYPOINT [ "/entrypoint.sh" ]
+CMD [ "--scan", "-r", "." ]