aws
diff --git a/‎.gitallowed‎
Lines changed: 36 additions & 0 deletions b/‎.gitallowed‎
Lines changed: 36 additions & 0 deletions
diff --git a/‎.projen/tasks.json‎
Lines changed: 11 additions & 0 deletions b/‎.projen/tasks.json‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎.projenrc.ts‎
Lines changed: 13 additions & 0 deletions b/‎.projenrc.ts‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎package.json‎
Lines changed: 1 addition & 0 deletions b/‎package.json‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎projenrc/git-secrets-scan.sh‎
Lines changed: 30 additions & 0 deletions b/‎projenrc/git-secrets-scan.sh‎
Lines changed: 30 additions & 0 deletions
@@ -0,0 +1,36 @@
+# The only AWS account number allowed to be used in tests (used by git-secrets)
+account: '123456789012'
+account='123456789012'
+
+# account used for cross-environment tests in addition to the one above
+account: '234567890123'
+# Account patterns used in the README
+account: '000000000000'
+account: '111111111111'
+account: '222222222222'
+account: '333333333333'
+
+# used in physical names tests in @aws-cdk/core
+account: '012345678912'
+account: '012345678913'
+
+# The account ID's of public facing ECR images for App Mesh Envoy
+# https://docs.aws.amazon.com/app-mesh/latest/userguide/envoy.html
+account: '772975370895'
+account: '856666278305'
+account: '840364872350'
+account: '422531588944'
+account: '924023996002'
+account: '919366029133' #cn-north-1
+account: '919830735681' #cn-northwest-1
+account: '909464085924' #ap-southeast-3
+account: '564877687649' #il-central-1
+
+# The account IDs of password rotation applications of Serverless Application Repository
+# https://docs.aws.amazon.com/secretsmanager/latest/userguide/enable-rotation-rds.html
+# partition aws
+account: '297356227824'
+# partition aws-cn
+account: '193023089310'
+# partition aws-us-gov
+account: '023102451235'
@@ -211,6 +211,7 @@ const repoProject = new yarn.Monorepo({
       },
     },
   },
+
   buildWorkflowOptions: {
     preBuildSteps: [
       // Need this for the init tests
@@ -237,11 +238,23 @@ repoProject.eslint = new pj.javascript.Eslint(repoProject, {
   fileExtensions: ['.ts', '.tsx'],
   lintProjenRc: false,
 });
+
 // always lint projen files as part of the build
 if (repoProject.eslint?.eslintTask) {
   repoProject.tasks.tryFind('build')?.spawn(repoProject.eslint?.eslintTask);
 }
 
+// always scan for git secrets before building
+const gitSecretsScan = repoProject.addTask('git-secrets-scan', {
+  steps: [
+    {
+      exec: '/bin/bash ./projenrc/git-secrets-scan.sh',
+    },
+  ],
+});
+
+repoProject.tasks.tryFind('build')?.prependSpawn(gitSecretsScan);
+
 new AdcPublishing(repoProject);
 
 const repo = configureProject(repoProject);
 
@@ -0,0 +1,30 @@
+#!/bin/bash
+set -euo pipefail
+
+mkdir -p .tools
+[[ ! -d .tools/git-secrets ]] && {
+    echo "============================================================================================="
+    echo "Downloading git-secrets..."
+    (cd .tools && git clone --depth 1 https://github.com/awslabs/git-secrets.git)
+}
+
+# As the name implies, git-secrets heavily depends on git:
+#
+# a) the config is stored and fetched using 'git config'.
+# b) the search is performed using 'git grep' (other search methods don't work
+#    properly, see https://github.com/awslabs/git-secrets/issues/66)
+#
+# When we run in a CodeBuild build, we don't have a git repo, unfortunately. So
+# when that's the case, 'git init' one on the spot, add all files to it (which
+# because of the .gitignore will exclude dependencies and generated files) and
+# then call 'git-secrets' as usual.
+git rev-parse --git-dir > /dev/null 2>&1 || {
+    git init --quiet
+    git add -A .
+}
+
+# AWS config needs to be added to this repository's config
+.tools/git-secrets/git-secrets --register-aws
+
+.tools/git-secrets/git-secrets --scan
+echo "git-secrets scan ok"