secret validation made configurable #3365

sechub-pds-solutions/gitleaks/docker/scripts/gitleaks.sh

@@ -4,12 +4,12 @@
 declare -r secretvalidation_wrapper="$TOOL_FOLDER/sechub-wrapper-secretvalidation.jar"
 
 if [[ "$PDS_INTEGRATIONTEST_ENABLED" = "true" ]] ; then
-    echo "Integrationtest will be performed. Gitleaks will not be executed."
-    
-    # Execute the wrapper using the 'integrationtest' profile
-    java -jar "-Dspring.profiles.active=integrationtest" "$secretvalidation_wrapper"
-    
-    exit $?
+  echo "Integrationtest will be performed. Gitleaks will not be executed."
+
+  # Execute the wrapper using the 'integrationtest' profile
+  java -jar "-Dspring.profiles.active=integrationtest" "$secretvalidation_wrapper"
+
+  exit $?
 fi
 
 PATH+=":$TOOL_FOLDER/gitleaks"
@@ -28,33 +28,35 @@ gitleaks_options="--log-level debug --config $TOOL_FOLDER/custom-gitleaks.toml -
 
 # If the history scan was disabled, a normal filesystem scan is performed.
 if [ "$GITLEAKS_HISTORY_SCAN_ENABLED" = "false" ] ; then
-    gitleaks_options="$gitleaks_options --no-git"
-    echo "History scan was disabled by an administrator. A secret scan on the filesystem without history deepscan will be done instead." | tee "$PDS_JOB_USER_MESSAGES_FOLDER"/history-scan-disabled.txt
-    
+  gitleaks_options="$gitleaks_options --no-git"
+  echo "History scan was disabled by an administrator. A secret scan on the filesystem without history deepscan will be done instead." | tee "$PDS_JOB_USER_MESSAGES_FOLDER"/history-scan-disabled.txt
+
 # If no '.git' directory was found we cannot scan the git history
 elif [ -z "$git_directory" ] ; then
-    gitleaks_options="$gitleaks_options --no-git"
-    echo "No .git folder was uploaded for the secret scan. A secret scan on the filesystem without history deepscan will be done instead." | tee "$PDS_JOB_USER_MESSAGES_FOLDER"/no-git.txt
+  gitleaks_options="$gitleaks_options --no-git"
+  echo "No .git folder was uploaded for the secret scan. A secret scan on the filesystem without history deepscan will be done instead." | tee "$PDS_JOB_USER_MESSAGES_FOLDER"/no-git.txt
 
 # If the value of 'git_directory' is not a valid directory there is more than a single result of the find command
 elif [ ! -d "$git_directory" ] ; then
-    gitleaks_options="$gitleaks_options --no-git"
-    echo "Multiple .git folders were uploaded for the secret scan. This is not supported. A secret scan on the filesystem without history deepscan will be done instead." | tee "$PDS_JOB_USER_MESSAGES_FOLDER"/multiple-git.txt
+  gitleaks_options="$gitleaks_options --no-git"
+  echo "Multiple .git folders were uploaded for the secret scan. This is not supported. A secret scan on the filesystem without history deepscan will be done instead." | tee "$PDS_JOB_USER_MESSAGES_FOLDER"/multiple-git.txt
 
 # If exactly one '.git' directory was found we scan the git history
 else
-    scan_target_directory="$repository_root_directory"
-    echo ".git folder was uploaded for the secret scan. Perform secret scan with history deepscan." | tee "$PDS_JOB_USER_MESSAGES_FOLDER"/history-scan.txt
+  scan_target_directory="$repository_root_directory"
+  echo ".git folder was uploaded for the secret scan. Perform secret scan with history deepscan." | tee "$PDS_JOB_USER_MESSAGES_FOLDER"/history-scan.txt
 fi
 
 echo "### Running Gitleaks"
 cd "$scan_target_directory"
 gitleaks detect $gitleaks_options
 
-# Secret-Validation Wrapper
-## Define config file
-export SECRET_VALIDATOR_CONFIGFILE="$TOOL_FOLDER"/sechub-wrapper-secretvalidation-config.json
-echo "### Calling Secret-Validation Wrapper"
-java -Dhttp.proxyHost="$SECRET_VALIDATOR_PROXY_HOST" -Dhttp.proxyPort="$SECRET_VALIDATOR_PROXY_PORT" \
-     -Dhttps.proxyHost="$SECRET_VALIDATOR_PROXY_HOST" -Dhttps.proxyPort="$SECRET_VALIDATOR_PROXY_PORT" \
-     -jar "$TOOL_FOLDER"/sechub-wrapper-secretvalidation.jar
+# Secret-Validation
+if [ "$SECRET_VALIDATOR_ENABLED" = "true" ] ; then
+  ## Define config file
+  export SECRET_VALIDATOR_CONFIGFILE="$TOOL_FOLDER"/sechub-wrapper-secretvalidation-config.json
+  echo "### Calling Secret-Validation Wrapper"
+  java -Dhttp.proxyHost="$SECRET_VALIDATOR_PROXY_HOST" -Dhttp.proxyPort="$SECRET_VALIDATOR_PROXY_PORT" \
+       -Dhttps.proxyHost="$SECRET_VALIDATOR_PROXY_HOST" -Dhttps.proxyPort="$SECRET_VALIDATOR_PROXY_PORT" \
+       -jar "$TOOL_FOLDER"/sechub-wrapper-secretvalidation.jar
+fi

sechub-pds-solutions/gitleaks/helm/pds-gitleaks/templates/deployment.yaml

@@ -63,12 +63,16 @@ spec:
               value: "{{ .Values.pds.encryption.secretKey }}"
             - name: PDS_HEARTBEAT_LOGGING
               value: "{{ .Values.pds.heartbeatLogging }}"
+{{- if .Values.secretvalidation.enabled }}
+            - name: SECRET_VALIDATOR_ENABLED
+              value: "true"
             - name: SECRET_VALIDATOR_TRUSTALLCERTIFICATES
               value: "{{ .Values.secretvalidation.ssl.trustallcertificates }}"
             - name: SECRET_VALIDATOR_PROXY_HOST
               value: "{{ .Values.secretvalidation.proxy.host }}"
             - name: SECRET_VALIDATOR_PROXY_PORT
               value: "{{ .Values.secretvalidation.proxy.port }}"
+{{- end }}
 {{- if .Values.deploymentComment }}
             # Setting DEPLOYMENT_COMMENT to a different value every time forces k8s to spin up a new container.
             # This way, you can force deployments e.g. when secrets have changed.

sechub-pds-solutions/gitleaks/helm/pds-gitleaks/values.yaml

@@ -24,6 +24,7 @@ resources:
 
 # Settings for the secret-validation wrapper:
 secretvalidation:
+  enabled: true
   ssl:
     # Whether to trust all certificates
     trustallcertificates: false