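# Azure Pipelines definition: runs Yelp detect-secrets over the checked-out
# repository on a Linux and a Windows agent, publishes the raw scan JSON as a
# pipeline artifact, and fails the job when the scan reports any finding.
# No CI or PR trigger is configured, so this pipeline runs only on demand.
trigger: none
pr: none
stages:
  - stage: yelpdetectsecrets
    displayName: Yelp detect-secrets
    jobs:
      - job: ubuntu
        displayName: "detect-secrets on Ubuntu Linux agent"
        pool:
          vmImage: ubuntu-latest
        steps:
          - task: UsePythonVersion@0
            displayName: "Set Python 3 as default"
            inputs:
              versionSpec: "3"
              addToPath: true
              architecture: "x64"
          # Pinned to the same release the Windows job installs, so both agents
          # run the same plugin set and the two artifacts stay comparable; an
          # unpinned install would resolve to whatever PyPI serves on the day.
          - bash: pip install detect-secrets==1.0.3
            displayName: "Install detect-secrets using pip"
          - bash: |
              # Fail the step on any error instead of silently producing an
              # empty or partial JSON file for the analysis step to read.
              set -euo pipefail
              detect-secrets --version
              # --exclude-files takes a regex; FETCH_HEAD is excluded here
              # (presumably because --all-files also descends into untracked
              # content) while the Windows job does not exclude it.
              detect-secrets scan \
                --all-files \
                --force-use-all-plugins \
                --exclude-files FETCH_HEAD > "$(Pipeline.Workspace)/detect-secrets.json"
            displayName: "Run detect-secrets tool"
          - task: PublishPipelineArtifact@1
            displayName: "Publish results in the Pipeline Artifact"
            inputs:
              targetPath: "$(Pipeline.Workspace)/detect-secrets.json"
              artifact: "detect-secrets-ubuntu"
              publishLocation: "pipeline"
          - bash: |
              set -euo pipefail
              dsjson=$(cat "$(Pipeline.Workspace)/detect-secrets.json")
              # NOTE(review): this writes the whole scan output (file names and
              # line numbers of every finding) into the build log, which is
              # readable by anyone with read access to the run; the artifact
              # published above already carries the same data.
              echo "${dsjson}"
              # `.results` is keyed by file path, so its length is the number of
              # affected files. With pipefail, a jq parse failure fails the step
              # rather than being treated as "no findings".
              count=$(echo "${dsjson}" | jq -c -r '.results | length')
              if [ "${count}" -gt 0 ]; then
                msg="Secrets were detected in code. ${count} file(s) affected."
                echo "##vso[task.logissue type=error]${msg}"
                echo "##vso[task.complete result=Failed;]${msg}"
              else
                echo "##vso[task.complete result=Succeeded;]No secrets detected."
              fi
            displayName: "Analyzing detect-secrets results"
      - job: windows
        displayName: "detect-secrets on Windows agent"
        pool:
          vmImage: windows-latest
        steps:
          - task: UsePythonVersion@0
            displayName: "Set Python 3 as default"
            inputs:
              versionSpec: "3"
              addToPath: true
              architecture: "x64"
          - script: pip install detect-secrets==1.0.3
            displayName: "Install detect-secrets using pip"
          # `script` runs under cmd.exe on Windows agents, where a trailing
          # backslash is not a line continuation (cmd uses `^`), so the scan
          # invocation is kept on one line to avoid it being split into
          # three separate commands.
          - script: |
              detect-secrets --version
              detect-secrets scan --all-files --force-use-all-plugins > "$(Pipeline.Workspace)/detect-secrets.json"
            displayName: "Run detect-secrets tool"
          - task: PublishPipelineArtifact@1
            displayName: "Publish results in the Pipeline Artifact"
            inputs:
              targetPath: "$(Pipeline.Workspace)/detect-secrets.json"
              artifact: "detect-secrets-windows"
              publishLocation: "pipeline"
          - pwsh: |
              $dsjson = Get-Content "$(Pipeline.Workspace)/detect-secrets.json"
              # NOTE(review): as in the Linux job, the full scan output ends up
              # in the build log.
              Write-Output $dsjson
              $dsObj = $dsjson | ConvertFrom-Json
              # `results` is an object keyed by file path; each NoteProperty is
              # one affected file. `.Count` on an empty result is 0.
              $count = ($dsObj.results | Get-Member -MemberType NoteProperty).Count
              if ($count -gt 0) {
                $msg = "Secrets were detected in code. $count file(s) affected."
                Write-Host "##vso[task.logissue type=error]$msg"
                Write-Host "##vso[task.complete result=Failed;]$msg"
              }
              else {
                Write-Host "##vso[task.complete result=Succeeded;]No secrets detected."
              }
            displayName: "Analyzing detect-secrets results"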