
@onboardbase/cli


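"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.ScanCommandService = void 0;
const chalk = require("chalk");
const base_service_1 = require("../common/base.service");
const access_manager_1 = require("./access-manager");
const errors_1 = require("../common/errors");
const unauthorized_error_1 = require("../common/errors/unauthorized.error");
const fs_1 = require("fs");
const glob = require("glob");
const util_1 = require("util");
const globPromisify = (0, util_1.promisify)(glob);

/**
 * Implements the CLI "scan" command: looks through local credential-style
 * files for lines that assign a value to a well-known secret name.
 */
class ScanCommandService extends base_service_1.BaseService {
    /**
     * @param configManager - forwarded to BaseService and AccessManager.
     */
    constructor(configManager) {
        super(configManager);
        this.accessManager = new access_manager_1.AccessManager(configManager);
    }

    /**
     * Checks the caller's payment tier, builds the list of secret-name
     * prefixes (built-in list plus `scan.for` from the project config), then
     * scans the matching files and prints the findings to stdout.
     *
     * @param {{ args: object, flags: object }} param0 - parsed CLI input (not read here).
     * @returns {Promise<void>}
     * @throws UnauthorizedError when the default team is on the FREE or STARTUP tier.
     * @throws BadConfigError when `scan.for` is not an array of strings, or an
     *         entry does not form a valid regular expression.
     */
    async initialize({ args, flags }) {
        const { accessToken } = await this.accessManager.getAuthInfoFromDeviceToken(this.getConfigForCurrentScope("token"));
        const user = await this.httpInstance.getCurrentUser(accessToken);
        const paymentTier = user.defaultTeam.paymentTier;
        // NOTE(review): this tier check runs inside the CLI and the scan below
        // only reads local files, so it is a product gate, not a security boundary.
        if (paymentTier.tier === "FREE" || paymentTier.tier === "STARTUP") {
            throw new unauthorized_error_1.UnauthorizedError("Sorry, you cannnot scan for secrets. \nPlease upgrade to a higher tier or contact an admin.");
        }

        const scanConfig = this._getFromProjectConfigOrThrow({
            configPath: "scan",
            userConfig: undefined,
        });
        if (scanConfig && !Array.isArray(scanConfig.for)) {
            throw new errors_1.BadConfigError("onboardbase.yml scan.for step has to be an array");
        }
        // The check above tolerates a falsy scanConfig, so do not dereference it blindly.
        const extraKeys = (scanConfig && scanConfig.for) || [];
        // YAML can yield numbers/booleans/maps; reject them here instead of
        // failing later with a TypeError from toUpperCase().
        if (extraKeys.some((key) => typeof key !== "string")) {
            throw new errors_1.BadConfigError("onboardbase.yml scan.for entries have to be strings");
        }

        const popularSecretKeys = [
            "DIGITALOCEAN",
            "AWS",
            "GOOGLE",
            "AZURE",
            "REDIS",
            "POSTGRES",
            "MONGO",
            "VAULT",
            "GCP",
            "TWILLIO",
            "DIALOGFLOW",
            "ONBOARDBASE",
            "JWT",
            "DATABASE",
            "SENDGRID",
            "VERCEL",
            "NETLIFY",
            "HEROKU",
            "SLACK",
            "SECRET",
            "DATABASE",
            "GITHUB",
            "NPM_TOKEN",
            "MYSQL",
            "MCLI_PUBLIC_API_KEY",
            "MCLI_PRIVATE_API_KEY",
            "MCLI_ORG_ID",
            "MCLI_PROJECT_ID",
            "MCLI_OPS_MANAGER_URL",
            "MSSQL",
            "ORACLE",
            ...extraKeys,
        ];
        // Normalise first, then de-duplicate: de-duplicating before upper-casing
        // lets "aws" and "AWS" both survive and report the same line twice.
        const keyPrefixes = Array.from(new Set(popularSecretKeys.map((key) => key.toUpperCase().split("=")[0])));
        // Entries are interpolated into a regular expression as-is, so a config
        // entry containing metacharacters acts as a pattern. Compile each one
        // once, and report a broken entry as a config error rather than a raw
        // SyntaxError from inside the scan loop.
        const keyPatterns = keyPrefixes.map((key) => {
            try {
                return new RegExp(`^${key}+`);
            }
            catch (err) {
                throw new errors_1.BadConfigError(`onboardbase.yml scan.for entry "${key}" is not a valid pattern`);
            }
        });

        // `**` only recurses when it is a whole path segment, so these patterns
        // match names beginning with the prefix relative to the working
        // directory; sub-directories are not searched.
        const secretTypes = [".aws/credentials", ".env"];
        // nodir: a directory named e.g. ".env.d" would otherwise make
        // readFileSync throw EISDIR and abort the whole scan.
        const matches = await Promise.all(secretTypes.map((secretType) => globPromisify(`${secretType}**`, { nodir: true })));
        const filesToScan = [].concat(...matches);

        const errorMessages = [];
        const validSecretRegex = /[A-Z]+(?:_[A-Z0-9]+)*\ *?=\ *?"?'?\w+"?'?/;
        for (const file of filesToScan) {
            const lines = (0, fs_1.readFileSync)(file, { encoding: "utf8" }).split(/\r?\n/);
            lines.forEach((line, index) => {
                if (!validSecretRegex.test(line)) {
                    return;
                }
                // One finding per line, even when several prefixes match it,
                // so the reported count is the number of offending lines.
                if (!keyPatterns.some((pattern) => pattern.test(line))) {
                    return;
                }
                // Report the variable name and location only. Echoing the full
                // line would copy the secret value into terminal scrollback
                // and CI logs, which are usually retained and widely readable.
                const variableName = line.split("=")[0].trim();
                errorMessages.push(`${variableName}=<redacted> found in ${file}:${index + 1}`);
            });
        }

        if (errorMessages.length) {
            console.log(`Found ${chalk.greenBright(errorMessages.length)} secrets while scanning secrets`, errorMessages);
        }
        else {
            console.log("No environment variables found");
        }
    }
}
exports.ScanCommandService = ScanCommandService;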