From eafb87f415a14ce300e747ebf1e7046ac3cfa474 Mon Sep 17 00:00:00 2001
From: Sven Dolderer
Date: Wed, 21 Aug 2024 14:39:21 +0200
Subject: [PATCH] secret validation made configurable #3365
---
 .../gitleaks/docker/scripts/gitleaks.sh | 46 ++++++++++---------
 .../pds-gitleaks/templates/deployment.yaml | 4 ++
 .../gitleaks/helm/pds-gitleaks/values.yaml | 1 +
 3 files changed, 29 insertions(+), 22 deletions(-)
diff --git a/sechub-pds-solutions/gitleaks/docker/scripts/gitleaks.sh b/sechub-pds-solutions/gitleaks/docker/scripts/gitleaks.sh
index 280abf2c0d..556c8658b1 100755
--- a/sechub-pds-solutions/gitleaks/docker/scripts/gitleaks.sh
+++ b/sechub-pds-solutions/gitleaks/docker/scripts/gitleaks.sh
@@ -4,12 +4,12 @@
 declare -r secretvalidation_wrapper="$TOOL_FOLDER/sechub-wrapper-secretvalidation.jar"
 if [[ "$PDS_INTEGRATIONTEST_ENABLED" = "true" ]] ; then
- echo "Integrationtest will be performed. Gitleaks will not be executed."
-
- # Execute the wrapper using the 'integrationtest' profile
- java -jar "-Dspring.profiles.active=integrationtest" "$secretvalidation_wrapper"
-
- exit $?
+ echo "Integrationtest will be performed. Gitleaks will not be executed."
+
+ # Execute the wrapper using the 'integrationtest' profile
+ java -jar "-Dspring.profiles.active=integrationtest" "$secretvalidation_wrapper"
+
+ exit $?
 fi
 PATH+=":$TOOL_FOLDER/gitleaks"
@@ -28,33 +28,35 @@ gitleaks_options="--log-level debug --config $TOOL_FOLDER/custom-gitleaks.toml -
 # If the history scan was disabled, a normal filesystem scan is performed.
 if [ "$GITLEAKS_HISTORY_SCAN_ENABLED" = "false" ] ; then
- gitleaks_options="$gitleaks_options --no-git"
- echo "History scan was disabled by an administrator. A secret scan on the filesystem without history deepscan will be done instead." | tee "$PDS_JOB_USER_MESSAGES_FOLDER"/history-scan-disabled.txt
-
+ gitleaks_options="$gitleaks_options --no-git"
+ echo "History scan was disabled by an administrator. A secret scan on the filesystem without history deepscan will be done instead." | tee "$PDS_JOB_USER_MESSAGES_FOLDER"/history-scan-disabled.txt
+
 # If no '.git' directory was found we cannot scan the git history
 elif [ -z "$git_directory" ] ; then
- gitleaks_options="$gitleaks_options --no-git"
- echo "No .git folder was uploaded for the secret scan. A secret scan on the filesystem without history deepscan will be done instead." | tee "$PDS_JOB_USER_MESSAGES_FOLDER"/no-git.txt
+ gitleaks_options="$gitleaks_options --no-git"
+ echo "No .git folder was uploaded for the secret scan. A secret scan on the filesystem without history deepscan will be done instead." | tee "$PDS_JOB_USER_MESSAGES_FOLDER"/no-git.txt
 # If the value of 'git_directory' is not a valid directory there is more than a single result of the find command
 elif [ ! -d "$git_directory" ] ; then
- gitleaks_options="$gitleaks_options --no-git"
- echo "Multiple .git folders were uploaded for the secret scan. This is not supported. A secret scan on the filesystem without history deepscan will be done instead." | tee "$PDS_JOB_USER_MESSAGES_FOLDER"/multiple-git.txt
+ gitleaks_options="$gitleaks_options --no-git"
+ echo "Multiple .git folders were uploaded for the secret scan. This is not supported. A secret scan on the filesystem without history deepscan will be done instead." | tee "$PDS_JOB_USER_MESSAGES_FOLDER"/multiple-git.txt
 # If exactly one '.git' directory was found we scan the git history
 else
- scan_target_directory="$repository_root_directory"
- echo ".git folder was uploaded for the secret scan. Perform secret scan with history deepscan." | tee "$PDS_JOB_USER_MESSAGES_FOLDER"/history-scan.txt
+ scan_target_directory="$repository_root_directory"
+ echo ".git folder was uploaded for the secret scan. Perform secret scan with history deepscan." | tee "$PDS_JOB_USER_MESSAGES_FOLDER"/history-scan.txt
 fi
 echo "### Running Gitleaks"
 cd "$scan_target_directory"
 gitleaks detect $gitleaks_options
-# Secret-Validation Wrapper
-## Define config file
-export SECRET_VALIDATOR_CONFIGFILE="$TOOL_FOLDER"/sechub-wrapper-secretvalidation-config.json
-echo "### Calling Secret-Validation Wrapper"
-java -Dhttp.proxyHost="$SECRET_VALIDATOR_PROXY_HOST" -Dhttp.proxyPort="$SECRET_VALIDATOR_PROXY_PORT" \
- -Dhttps.proxyHost="$SECRET_VALIDATOR_PROXY_HOST" -Dhttps.proxyPort="$SECRET_VALIDATOR_PROXY_PORT" \
- -jar "$TOOL_FOLDER"/sechub-wrapper-secretvalidation.jar
+# Secret-Validation
+if [ "$SECRET_VALIDATOR_ENABLED" = "true" ] ; then
+ ## Define config file
+ export SECRET_VALIDATOR_CONFIGFILE="$TOOL_FOLDER"/sechub-wrapper-secretvalidation-config.json
+ echo "### Calling Secret-Validation Wrapper"
+ java -Dhttp.proxyHost="$SECRET_VALIDATOR_PROXY_HOST" -Dhttp.proxyPort="$SECRET_VALIDATOR_PROXY_PORT" \
+ -Dhttps.proxyHost="$SECRET_VALIDATOR_PROXY_HOST" -Dhttps.proxyPort="$SECRET_VALIDATOR_PROXY_PORT" \
+ -jar "$TOOL_FOLDER"/sechub-wrapper-secretvalidation.jar
+fi
diff --git a/sechub-pds-solutions/gitleaks/helm/pds-gitleaks/templates/deployment.yaml b/sechub-pds-solutions/gitleaks/helm/pds-gitleaks/templates/deployment.yaml
index 2134fec5a7..f78c56d9b3 100644
--- a/sechub-pds-solutions/gitleaks/helm/pds-gitleaks/templates/deployment.yaml
+++ b/sechub-pds-solutions/gitleaks/helm/pds-gitleaks/templates/deployment.yaml
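Review bot: The new `SECRET_VALIDATOR_ENABLED` gate skips the wrapper silently, while every degraded branch above it writes a message into `$PDS_JOB_USER_MESSAGES_FOLDER`, so a user reading the report cannot tell whether the secret findings were validated or are raw Gitleaks matches. Mirror that pattern with an `else` branch: `echo "Secret validation was disabled by an administrator. Findings are reported without validation." | tee "$PDS_JOB_USER_MESSAGES_FOLDER"/secret-validation-disabled.txt`. Note also that with validation disabled the script now ends with the status of `gitleaks detect`, which by default exits non-zero when leaks are found (unless `$gitleaks_options`, cut off in the hunk header, overrides `--exit-code`), whereas previously the wrapper's exit status was the last one; if the PDS treats a non-zero exit as a job failure, the gitleaks call needs explicit exit-code handling. The unchecked `cd "$scan_target_directory"` on the context line is pre-existing, but `cd "$scan_target_directory" || exit 1` would stop the scan from running in the wrong directory.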
@@ -63,12 +63,16 @@ spec:
 value: "{{ .Values.pds.encryption.secretKey }}"
 - name: PDS_HEARTBEAT_LOGGING
 value: "{{ .Values.pds.heartbeatLogging }}"
+{{- if .Values.secretvalidation.enabled }}
+ - name: SECRET_VALIDATOR_ENABLED
+ value: "true"
 - name: SECRET_VALIDATOR_TRUSTALLCERTIFICATES
 value: "{{ .Values.secretvalidation.ssl.trustallcertificates }}"
 - name: SECRET_VALIDATOR_PROXY_HOST
 value: "{{ .Values.secretvalidation.proxy.host }}"
 - name: SECRET_VALIDATOR_PROXY_PORT
 value: "{{ .Values.secretvalidation.proxy.port }}"
+{{- end }}
 {{- if .Values.deploymentComment }}
 # Setting DEPLOYMENT_COMMENT to a different value every time forces k8s to spin up a new container.
 # This way, you can force deployments e.g. when secrets have changed.
diff --git a/sechub-pds-solutions/gitleaks/helm/pds-gitleaks/values.yaml b/sechub-pds-solutions/gitleaks/helm/pds-gitleaks/values.yaml
index caff6db716..47c469aaf5 100644
--- a/sechub-pds-solutions/gitleaks/helm/pds-gitleaks/values.yaml
+++ b/sechub-pds-solutions/gitleaks/helm/pds-gitleaks/values.yaml
@@ -24,6 +24,7 @@ resources:
 # Settings for the secret-validation wrapper:
 secretvalidation:
+ enabled: true
 ssl:
 # Whether to trust all certificates
 trustallcertificates: false
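Review bot: The new `enabled: true` key carries no comment, although its sibling `trustallcertificates` documents its effect and this is the switch that decides whether reported secrets are verified at all. Add a line above it such as `# Whether to run the secret-validation wrapper after the Gitleaks scan; when false, findings are reported without validation` so operators understand what they are turning off. It is also worth stating there that, per the deployment template, disabling it drops the proxy and TLS variables from the pod as well.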