From 011507b8e0db158755c0c8f75fe4aa3cad0f9b23 Mon Sep 17 00:00:00 2001 From: Daniel Inge Date: Fri, 1 Sep 2023 23:08:38 +0100 Subject: [PATCH] Small fixes --- .gitignore | 1 + .../services/GithubSecretScanning/helper.ts | 2 +- .../githubScanFullRepository.ts | 106 +++++++++--------- 3 files changed, 54 insertions(+), 55 deletions(-) diff --git a/.gitignore b/.gitignore index db04f4ec22..b73370789f 100644 --- a/.gitignore +++ b/.gitignore @@ -57,3 +57,4 @@ yarn-error.log* # Infisical init .infisical.json +.vscode \ No newline at end of file diff --git a/backend/src/ee/services/GithubSecretScanning/helper.ts b/backend/src/ee/services/GithubSecretScanning/helper.ts index 021de6cf7c..3dc46d8359 100644 --- a/backend/src/ee/services/GithubSecretScanning/helper.ts +++ b/backend/src/ee/services/GithubSecretScanning/helper.ts @@ -4,7 +4,7 @@ import { tmpdir } from "os"; import { join } from "path" import { SecretMatch } from "./types"; -export async function scanFullContentAndGetFindings(octokit: any, installationId: number, repositoryFullName: string): Promise { +export async function scanFullRepoContentAndGetFindings(octokit: any, installationId: number, repositoryFullName: string): Promise { const tempFolder = await createTempFolder(); const findingsPath = join(tempFolder, "findings.json"); const repoPath = join(tempFolder, "repo.git") diff --git a/backend/src/queues/secret-scanning/githubScanFullRepository.ts b/backend/src/queues/secret-scanning/githubScanFullRepository.ts index bd464369ac..61d53acbb2 100644 --- a/backend/src/queues/secret-scanning/githubScanFullRepository.ts +++ b/backend/src/queues/secret-scanning/githubScanFullRepository.ts 
@@ -5,7 +5,7 @@ import { sendMail } from "../../helpers"; import GitRisks from "../../ee/models/gitRisks"; import { MembershipOrg, User } from "../../models"; import { ADMIN, OWNER } from "../../variables"; -import { convertKeysToLowercase, scanFullContentAndGetFindings } from "../../ee/services/GithubSecretScanning/helper"; +import { convertKeysToLowercase, scanFullRepoContentAndGetFindings } from "../../ee/services/GithubSecretScanning/helper"; import { getSecretScanningGitAppId, getSecretScanningPrivateKey } from "../../config"; import { SecretMatch } from "../../ee/services/GithubSecretScanning/types"; 
@@ -22,72 +22,70 @@ type TScanPushEventQueueDetails = { githubFullRepositorySecretScan.process(async (job: Job, done: Queue.DoneCallback) => { const { organizationId, repository, installationId }: TScanPushEventQueueDetails = job.data - const octokit = new ProbotOctokit({ - auth: { - appId: await getSecretScanningGitAppId(), - privateKey: await getSecretScanningPrivateKey(), - installationId: installationId - }, - }); -try { - const findings : SecretMatch[] = await scanFullContentAndGetFindings(octokit, installationId, repository.fullName) - - for (const finding of findings) { - await GitRisks.findOneAndUpdate({ fingerprint: finding.Fingerprint}, - { + try { + const octokit = new ProbotOctokit({ + auth: { + appId: await getSecretScanningGitAppId(), + privateKey: await getSecretScanningPrivateKey(), + installationId: installationId + }, + }); + const findings : SecretMatch[] = await scanFullRepoContentAndGetFindings(octokit, installationId, repository.fullName) + for (const finding of findings) { + await GitRisks.findOneAndUpdate({ fingerprint: finding.Fingerprint}, + { ...convertKeysToLowercase(finding), installationId: installationId, organization: organizationId, repositoryFullName: repository.fullName, repositoryId: repository.id }, { - upsert: true - }).lean() - } - - // get emails of admins - const adminsOfWork = await MembershipOrg.find({ - organization: organizationId, - $or: [ - { role: OWNER }, - { role: ADMIN } - ] - }).lean() - - const userEmails = await User.find({ - _id: { - $in: [adminsOfWork.map(orgMembership => orgMembership.user)] + upsert: true + }).lean() } - }).select("email").lean() - const usersToNotify = userEmails.map(userObject => userObject.email) + // get emails of admins + const adminsOfWork = await MembershipOrg.find({ + organization: organizationId, + $or: [ + { role: OWNER }, + { role: ADMIN } + ] + }).lean() - if (findings.length) { - await sendMail({ - template: "historicalSecretLeakIncident.handlebars", - subjectLine: `Incident 
alert: leaked secrets found in Github repository ${repository.fullName}`, - recipients: usersToNotify, - substitutions: { - numberOfSecrets: findings.length, + const userEmails = await User.find({ + _id: { + $in: [adminsOfWork.map(orgMembership => orgMembership.user)] } - }); - } + }).select("email").lean() - const postHogClient = await TelemetryService.getPostHogClient(); - if (postHogClient) { - postHogClient.capture({ - event: "historical cloud secret scan", - distinctId: repository.fullName, - properties: { - numberOfRisksFound: findings.length, - } - }); - } - done(null, findings) -} catch (error) { + const usersToNotify = userEmails.map(userObject => userObject.email) + + if (findings.length) { + await sendMail({ + template: "historicalSecretLeakIncident.handlebars", + subjectLine: `Incident alert: leaked secrets found in Github repository ${repository.fullName}`, + recipients: usersToNotify, + substitutions: { + numberOfSecrets: findings.length, + } + }); + } + + const postHogClient = await TelemetryService.getPostHogClient(); + if (postHogClient) { + postHogClient.capture({ + event: "historical cloud secret scan", + distinctId: repository.fullName, + properties: { + numberOfRisksFound: findings.length, + } + }); + } + done(null, findings) + } catch (error) { done(new Error(`gitHubHistoricalScanning.process: an error occurred ${error}`), null) } - }) export const scanGithubFullRepoForSecretLeaks = (pushEventPayload: TScanPushEventQueueDetails) => {
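Review bot: The admin lookup's `$in` filter wraps the mapped id list in a second array literal, `$in: [adminsOfWork.map(orgMembership => orgMembership.user)]`, so Mongo compares `_id` against a single nested-array element instead of the individual user ids; the new side carries this over from the old code, and the likely result is an empty `userEmails`, so nobody is notified even when findings exist. Change that line to `$in: adminsOfWork.map(orgMembership => orgMembership.user)`. Separately, `done(null, findings)` hands the whole findings array back to the queue as the job result; if `SecretMatch` carries the matched secret text (the type is not shown here), that copies secret material into the job's result store, and returning only counts or fingerprints would be safer. The `process` callback both begins and ends inside this hunk.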