From 4a9ec7b4964289ded11bc20964ce93edac45414c Mon Sep 17 00:00:00 2001
From: Ben de Haan <53901866+bendehaan@users.noreply.github.com>
Date: Tue, 21 Feb 2023 14:24:16 +0100
Subject: [PATCH 1/3] feat: add commitlint

---
 .github/dependabot.yml  |   8 ++-
 .gitignore              |   2 +
 .pre-commit-config.yaml |   5 ++
 commitlint.config.js    |   6 ++
 package-lock.json       | 156 ++++++++++++++++++++++++++++++++++++++++
 package.json            |   5 ++
 6 files changed, 181 insertions(+), 1 deletion(-)
 create mode 100644 commitlint.config.js
 create mode 100644 package-lock.json
 create mode 100644 package.json

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index e7bee8edf..4d0be08a8 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -18,12 +18,18 @@ updates:
     schedule:
       interval: "monthly"
-  # check our npm
+  # check our npm in project
   - package-ecosystem: "npm"
     directory: "/js"
     schedule:
       interval: "monthly"
+  # check our npm for dev
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+
   # Check our tf -aws
   - package-ecosystem: "terraform"
     directory: "/aws"
diff --git a/.gitignore b/.gitignore
index 64bfa0f4d..ff81b8cf1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -69,3 +69,5 @@ azure/k8s/pod-id.yml
 # Node JS
 js/node/
 js/node_modules/
+node_modules
+.npm
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index f3ccc2e95..a9e8ea8d0 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -27,3 +27,8 @@ repos:
         - "--args=--only=terraform_standard_module_structure"
         - "--args=--only=terraform_workspace_remote"
       - id: terraform_docs
+  - repo: https://github.com/alessandrojcm/commitlint-pre-commit-hook
+    rev: v9.4.0
+    hooks:
+      - id: commitlint
+        stages: [commit-msg]
diff --git a/commitlint.config.js b/commitlint.config.js
new file mode 100644
index 000000000..178dc8b91
--- /dev/null
+++ b/commitlint.config.js
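Review bot: The new commitlint hook in `.pre-commit-config.yaml` is pinned with `rev: v9.4.0`, a tag, which is a mutable reference for code that every contributor's `commit-msg` stage will execute; pre-commit accepts a full commit SHA in `rev`, so pinning to the commit behind v9.4.0 and keeping the tag in a trailing comment makes the installed hook immutable, and `pre-commit autoupdate` can still refresh it since dependabot does not track pre-commit hooks. Separately, `commitlint.config.js` extends `@commitlint/config-conventional`, which this hook only finds because CONTRIBUTING asks contributors to run `npm install` in the repository root first. If the hook runs in pre-commit's own isolated node environment, which I infer from it being a node hook rather than from anything in this diff, adding `additional_dependencies: ["@commitlint/config-conventional@17.4.4"]` under `- id: commitlint` would make `pre-commit run -a` and CI self-contained without a root `node_modules`.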
@@ -0,0 +1,6 @@
+// commitlint.config.js
+module.exports = {
+  extends: [
+    "@commitlint/config-conventional", // scoped packages are not prefixed
+  ],
+};
diff --git a/package-lock.json b/package-lock.json
new file mode 100644
index 000000000..f3d78f109
--- /dev/null
+++ b/package-lock.json
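Review bot: The trailing comment `// scoped packages are not prefixed` on the `extends` entry is too terse to help the next reader, because it does not say what would otherwise be prefixed or why the full package name matters here. commitlint auto-prefixes an unscoped `extends` name with `commitlint-config-`, while a scoped name such as `@commitlint/config-conventional` is resolved as written, so something like `// scoped configs must be named in full; commitlint only auto-prefixes unscoped names with "commitlint-config-"` conveys the actual rule. The first line `// commitlint.config.js` only repeats the filename and would be more useful as a purpose comment, e.g. `// commitlint configuration loaded by the commit-msg pre-commit hook; requires @commitlint/config-conventional from package.json to be installed`.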
@@ -0,0 +1,156 @@ +{ + "name": "wrongsecrets", + "lockfileVersion": 2, + "requires": true, + "packages": { + "": { + "devDependencies": { + "@commitlint/config-conventional": "^17.4.4" + } + }, + "node_modules/@commitlint/config-conventional": { + "version": "17.4.4", + "resolved": "https://registry.npmjs.org/@commitlint/config-conventional/-/config-conventional-17.4.4.tgz", + "integrity": "sha512-u6ztvxqzi6NuhrcEDR7a+z0yrh11elY66nRrQIpqsqW6sZmpxYkDLtpRH8jRML+mmxYQ8s4qqF06Q/IQx5aJeQ==", + "dev": true, + "dependencies": { + "conventional-changelog-conventionalcommits": "^5.0.0" + }, + "engines": { + "node": ">=v14" + } + }, + "node_modules/array-ify": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/array-ify/-/array-ify-1.0.0.tgz", + "integrity": "sha512-c5AMf34bKdvPhQ7tBGhqkgKNUzMr4WUs+WDtC2ZUGOUncbxKMTvqxYctiseW3+L4bA8ec+GcZ6/A/FW4m8ukng==", + "dev": true + }, + "node_modules/compare-func": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/compare-func/-/compare-func-2.0.0.tgz", + "integrity": "sha512-zHig5N+tPWARooBnb0Zx1MFcdfpyJrfTJ3Y5L+IFvUm8rM74hHz66z0gw0x4tijh5CorKkKUCnW82R2vmpeCRA==", + "dev": true, + "dependencies": { + "array-ify": "^1.0.0", + "dot-prop": "^5.1.0" + } + }, + "node_modules/conventional-changelog-conventionalcommits": { + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/conventional-changelog-conventionalcommits/-/conventional-changelog-conventionalcommits-5.0.0.tgz", + "integrity": "sha512-lCDbA+ZqVFQGUj7h9QBKoIpLhl8iihkO0nCTyRNzuXtcd7ubODpYB04IFy31JloiJgG0Uovu8ot8oxRzn7Nwtw==", + "dev": true, + "dependencies": { + "compare-func": "^2.0.0", + "lodash": "^4.17.15", + "q": "^1.5.1" + }, + "engines": { + "node": ">=10" + } + }, + "node_modules/dot-prop": { + "version": "5.3.0", + "resolved": "https://registry.npmjs.org/dot-prop/-/dot-prop-5.3.0.tgz", + "integrity": "sha512-QM8q3zDe58hqUqjraQOmzZ1LIH9SWQJTlEKCH4kJ2oQvLZk7RbQXvtDM2XEq3fwkV9CCvvH4LA0AV+ogFsBM2Q==", + "dev": true, + "dependencies": { 
+ "is-obj": "^2.0.0" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/is-obj": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/is-obj/-/is-obj-2.0.0.tgz", + "integrity": "sha512-drqDG3cbczxxEJRoOXcOjtdp1J/lyp1mNn0xaznRs8+muBhgQcrnbspox5X5fOw0HnMnbfDzvnEMEtqDEJEo8w==", + "dev": true, + "engines": { + "node": ">=8" + } + }, + "node_modules/lodash": { + "version": "4.17.21", + "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz", + "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==", + "dev": true + }, + "node_modules/q": { + "version": "1.5.1", + "resolved": "https://registry.npmjs.org/q/-/q-1.5.1.tgz", + "integrity": "sha512-kV/CThkXo6xyFEZUugw/+pIOywXcDbFYgSct5cT3gqlbkBE1SJdwy6UQoZvodiWF/ckQLZyDE/Bu1M6gVu5lVw==", + "dev": true, + "engines": { + "node": ">=0.6.0", + "teleport": ">=0.2.0" + } + } + }, + "dependencies": { + "@commitlint/config-conventional": { + "version": "17.4.4", + "resolved": "https://registry.npmjs.org/@commitlint/config-conventional/-/config-conventional-17.4.4.tgz", + "integrity": "sha512-u6ztvxqzi6NuhrcEDR7a+z0yrh11elY66nRrQIpqsqW6sZmpxYkDLtpRH8jRML+mmxYQ8s4qqF06Q/IQx5aJeQ==", + "dev": true, + "requires": { + "conventional-changelog-conventionalcommits": "^5.0.0" + } + }, + "array-ify": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/array-ify/-/array-ify-1.0.0.tgz", + "integrity": "sha512-c5AMf34bKdvPhQ7tBGhqkgKNUzMr4WUs+WDtC2ZUGOUncbxKMTvqxYctiseW3+L4bA8ec+GcZ6/A/FW4m8ukng==", + "dev": true + }, + "compare-func": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/compare-func/-/compare-func-2.0.0.tgz", + "integrity": "sha512-zHig5N+tPWARooBnb0Zx1MFcdfpyJrfTJ3Y5L+IFvUm8rM74hHz66z0gw0x4tijh5CorKkKUCnW82R2vmpeCRA==", + "dev": true, + "requires": { + "array-ify": "^1.0.0", + "dot-prop": "^5.1.0" + } + }, + "conventional-changelog-conventionalcommits": { + "version": "5.0.0", + "resolved": 
"https://registry.npmjs.org/conventional-changelog-conventionalcommits/-/conventional-changelog-conventionalcommits-5.0.0.tgz", + "integrity": "sha512-lCDbA+ZqVFQGUj7h9QBKoIpLhl8iihkO0nCTyRNzuXtcd7ubODpYB04IFy31JloiJgG0Uovu8ot8oxRzn7Nwtw==", + "dev": true, + "requires": { + "compare-func": "^2.0.0", + "lodash": "^4.17.15", + "q": "^1.5.1" + } + }, + "dot-prop": { + "version": "5.3.0", + "resolved": "https://registry.npmjs.org/dot-prop/-/dot-prop-5.3.0.tgz", + "integrity": "sha512-QM8q3zDe58hqUqjraQOmzZ1LIH9SWQJTlEKCH4kJ2oQvLZk7RbQXvtDM2XEq3fwkV9CCvvH4LA0AV+ogFsBM2Q==", + "dev": true, + "requires": { + "is-obj": "^2.0.0" + } + }, + "is-obj": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/is-obj/-/is-obj-2.0.0.tgz", + "integrity": "sha512-drqDG3cbczxxEJRoOXcOjtdp1J/lyp1mNn0xaznRs8+muBhgQcrnbspox5X5fOw0HnMnbfDzvnEMEtqDEJEo8w==", + "dev": true + }, + "lodash": { + "version": "4.17.21", + "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz", + "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==", + "dev": true + }, + "q": { + "version": "1.5.1", + "resolved": "https://registry.npmjs.org/q/-/q-1.5.1.tgz", + "integrity": "sha512-kV/CThkXo6xyFEZUugw/+pIOywXcDbFYgSct5cT3gqlbkBE1SJdwy6UQoZvodiWF/ckQLZyDE/Bu1M6gVu5lVw==", + "dev": true + } + } +} diff --git a/package.json b/package.json new file mode 100644 index 000000000..b75b2145e --- /dev/null +++ b/package.json @@ -0,0 +1,5 @@ +{ + "devDependencies": { + "@commitlint/config-conventional": "^17.4.4" + } +} From b058d04af95d9862f92225473a10de766b57316f Mon Sep 17 00:00:00 2001 From: Ben de Haan <53901866+bendehaan@users.noreply.github.com> Date: Wed, 22 Feb 2023 08:51:05 +0100 Subject: [PATCH 2/3] fix: add documentation on commitlint --- CONTRIBUTING.md | 16 ++--- README.md | 156 ++++++++++++++++++++++++------------------------ 2 files changed, 87 insertions(+), 85 deletions(-) 
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index ebb6c7175..e3fffa0d4 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -40,8 +40,8 @@ Pull requests should be as small/atomic as possible. Large, wide-sweeping change
 ### Write a good commit message
-- Explain why you make the changes. [More infos about a good commit message.](https://betterprogramming.pub/stop-writing-bad-commit-messages-8df79517177d)
-
+- Make sure your commit message passes the [conventional commit standards](https://www.conventionalcommits.org/en/v1.0.0/)
+- Explain why you make the changes. [More info about a good commit message.](https://betterprogramming.pub/stop-writing-bad-commit-messages-8df79517177d)
 - If you fix an issue with your commit, please close the issue by [adding one of the keywords and the issue number](https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue) to your commit message. For example: `Fix #545` or `Closes #10`
@@ -70,12 +70,14 @@ Pull requests should be as small/atomic as possible. Large, wide-sweeping change See also the GitHub documentation on "[Configuring a remote for a fork](https://docs.github.com/en/free-pro-team@latest/github/collaborating-with-issues-and-pull-requests/configuring-a-remote-for-a-fork "Configuring a remote for a fork")". 5. Choose what to work on, based on any of the outstanding [issues](https://github.com/OWASP/wrongsecrets/issues "WrongSecrets Issues"). -6. Create a branch so that you can cleanly work on the chosen issue: `git checkout -b FixingIssue66` +6. Create a branch so that you can cleanly work on the chosen issue: `git checkout -b fix/Issue66` 7. Open your favorite editor and start making modifications. We recommend using the [IntelliJ Idea](https://www.jetbrains.com/idea/). -8. After your modifications are done, push them to your forked repository. This can be done by executing the command `git add MYFILE` for every file you have modified, followed by `git commit -m 'your commit message here'` to commit the modifications and `git push` to push your modifications to GitHub. -9. Create a Pull Request (PR) by going to your fork, and click on the "New Pull Request" button. The target branch should typically be the Master branch. When submitting a PR, be sure to follow the checklist that is provided in the PR template. The checklist itself will be filled out by the reviewer. -10. Your PR will be reviewed and comments may be given. In order to process a comment, simply make modifications to the same branch as before and push them to your repository. GitHub will automatically detect these changes and add them to your existing PR. -11. When starting on a new PR in the future, make sure to always keep your local repo up to date: +8. Install [pre-commit](https://pre-commit.com/#install) the dependencies for our pre-commit configuration to make sure your code complies with standards used in the project. 
This requires terraform, [terraform-docs](https://github.com/terraform-docs/terraform-docs#installation), [tflint](https://github.com/terraform-linters/tflint#installation), and [commitlint](https://commitlint.js.org/#/guides-local-setup). For commitlint, you can use `npm install` in the root folder of this project. +9. Install the pre-commit hook using `pre-commit install --hook-type commit-msg`. We recommend to run `pre-commit run -a` every so often if you're working on a bigger change. +10. After your modifications are done, push them to your forked repository. This can be done by executing the command `git add MYFILE` for every file you have modified, followed by `git commit -m 'your commit message here'` to commit the modifications and `git push` to push your modifications to GitHub. +11. Create a Pull Request (PR) by going to your fork, and click on the "New Pull Request" button. The target branch should typically be the Master branch. When submitting a PR, be sure to follow the checklist that is provided in the PR template. The checklist itself will be filled out by the reviewer. +12. Your PR will be reviewed and comments may be given. In order to process a comment, simply make modifications to the same branch as before and push them to your repository. GitHub will automatically detect these changes and add them to your existing PR. +13. When starting on a new PR in the future, make sure to always keep your local repo up to date: ```bash git fetch upstream diff --git a/README.md b/README.md index b63f1545d..023849522 100644 --- a/README.md +++ b/README.md @@ -15,6 +15,7 @@ Can you solve all the 27 challenges? ![screenshotOfChallenge1](/images/screenshot.png) + ## Support Need support? Contact us 
@@ -30,8 +31,8 @@ _Can be used for challenges 1-4, 8, 12-27_ For the basic docker exercises you currently require: -- Docker [Install from here](https://docs.docker.com/get-docker/) -- Some Browser that can render HTML +- Docker [Install from here](https://docs.docker.com/get-docker/) +- Some Browser that can render HTML You can install it by doing: 
@@ -41,27 +42,27 @@ docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:latest-no-vault Now you can try to find the secrets by means of solving the challenge offered at: -- [localhost:8080/challenge/1](http://localhost:8080/challenge/1) -- [localhost:8080/challenge/2](http://localhost:8080/challenge/2) -- [localhost:8080/challenge/3](http://localhost:8080/challenge/3) -- [localhost:8080/challenge/4](http://localhost:8080/challenge/4) -- [localhost:8080/challenge/8](http://localhost:8080/challenge/8) -- [localhost:8080/challenge/12](http://localhost:8080/challenge/12) -- [localhost:8080/challenge/13](http://localhost:8080/challenge/13) -- [localhost:8080/challenge/14](http://localhost:8080/challenge/14) -- [localhost:8080/challenge/15](http://localhost:8080/challenge/15) -- [localhost:8080/challenge/16](http://localhost:8080/challenge/16) -- [localhost:8080/challenge/17](http://localhost:8080/challenge/17) -- [localhost:8080/challenge/18](http://localhost:8080/challenge/18) -- [localhost:8080/challenge/19](http://localhost:8080/challenge/19) -- [localhost:8080/challenge/20](http://localhost:8080/challenge/20) -- [localhost:8080/challenge/21](http://localhost:8080/challenge/21) -- [localhost:8080/challenge/22](http://localhost:8080/challenge/22) -- [localhost:8080/challenge/23](http://localhost:8080/challenge/23) -- [localhost:8080/challenge/24](http://localhost:8080/challenge/24) -- [localhost:8080/challenge/25](http://localhost:8080/challenge/25) -- [localhost:8080/challenge/26](http://localhost:8080/challenge/26) -- [localhost:8080/challenge/27](http://localhost:8080/challenge/27) +- [localhost:8080/challenge/1](http://localhost:8080/challenge/1) +- [localhost:8080/challenge/2](http://localhost:8080/challenge/2) +- [localhost:8080/challenge/3](http://localhost:8080/challenge/3) +- [localhost:8080/challenge/4](http://localhost:8080/challenge/4) +- [localhost:8080/challenge/8](http://localhost:8080/challenge/8) +- 
[localhost:8080/challenge/12](http://localhost:8080/challenge/12) +- [localhost:8080/challenge/13](http://localhost:8080/challenge/13) +- [localhost:8080/challenge/14](http://localhost:8080/challenge/14) +- [localhost:8080/challenge/15](http://localhost:8080/challenge/15) +- [localhost:8080/challenge/16](http://localhost:8080/challenge/16) +- [localhost:8080/challenge/17](http://localhost:8080/challenge/17) +- [localhost:8080/challenge/18](http://localhost:8080/challenge/18) +- [localhost:8080/challenge/19](http://localhost:8080/challenge/19) +- [localhost:8080/challenge/20](http://localhost:8080/challenge/20) +- [localhost:8080/challenge/21](http://localhost:8080/challenge/21) +- [localhost:8080/challenge/22](http://localhost:8080/challenge/22) +- [localhost:8080/challenge/23](http://localhost:8080/challenge/23) +- [localhost:8080/challenge/24](http://localhost:8080/challenge/24) +- [localhost:8080/challenge/25](http://localhost:8080/challenge/25) +- [localhost:8080/challenge/26](http://localhost:8080/challenge/26) +- [localhost:8080/challenge/27](http://localhost:8080/challenge/27) Note that these challenges are still very basic, and so are their explanations. Feel free to file a PR to make them look better ;-). @@ -91,8 +92,8 @@ _Can be used for challenges 1-6, 8, 12-27_ Make sure you have the following installed: -- Docker [Install from here](https://docs.docker.com/get-docker/) -- Minikube [Install from here](https://minikube.sigs.k8s.io/docs/start/) +- Docker [Install from here](https://docs.docker.com/get-docker/) +- Minikube [Install from here](https://minikube.sigs.k8s.io/docs/start/) The K8S setup currently is based on using Minikube for local fun: 
@@ -108,8 +109,8 @@ The K8S setup currently is based on using Minikube for local fun: now you can use the provided IP address and port to further play with the K8s variant (instead of localhost). -- [localhost:8080/challenge/5](http://localhost:8080/challenge/5) -- [localhost:8080/challenge/6](http://localhost:8080/challenge/6) +- [localhost:8080/challenge/5](http://localhost:8080/challenge/5) +- [localhost:8080/challenge/6](http://localhost:8080/challenge/6) ### k8s based @@ -127,14 +128,13 @@ Want to run vanilla on your own k8s? Use the commands below: now you can use the provided IP address and port to further play with the K8s variant (instead of localhost). -- [localhost:8080/challenge/5](http://localhost:8080/challenge/5) -- [localhost:8080/challenge/6](http://localhost:8080/challenge/6) +- [localhost:8080/challenge/5](http://localhost:8080/challenge/5) +- [localhost:8080/challenge/6](http://localhost:8080/challenge/6) ### Okteto based [![Develop on Okteto](https://okteto.com/develop-okteto.svg)](https://cloud.okteto.com/deploy?repository=https://github.com/OWASP/wrongsecrets.git&branch=master&filename=okteto/okteto.yml) - Don't want to go over the hassle of setting up K8S yourself? visit [https://wrongsecrets-commjoen.cloud.okteto.net](https://wrongsecrets-commjoen.cloud.okteto.net/). Please note that we are using the free Developer version here, so it might take a while for it to respond at first (e.g. "development environment not ready" and then a 50x for a minute). Please: do not try to hack/Fuzz the application as this might bring it down and spoil the fun for others. ## Vault exercises with minikube 
@@ -142,13 +142,13 @@ Don't want to go over the hassle of setting up K8S yourself? visit [https://wron _Can be used for challenges 1-8, 12-27_ Make sure you have the following installed: -- minikube with docker (or comment out line 8 and work at your own k8s setup), -- docker, -- helm [Install from here](https://helm.sh/docs/intro/install/), -- kubectl [Install from here](https://kubernetes.io/docs/tasks/tools/), -- jq [Install from here](https://stedolan.github.io/jq/download/), -- vault [Install from here](https://www.vaultproject.io/downloads), -- grep, Cat, and Sed +- minikube with docker (or comment out line 8 and work at your own k8s setup), +- docker, +- helm [Install from here](https://helm.sh/docs/intro/install/), +- kubectl [Install from here](https://kubernetes.io/docs/tasks/tools/), +- jq [Install from here](https://stedolan.github.io/jq/download/), +- vault [Install from here](https://www.vaultproject.io/downloads), +- grep, Cat, and Sed Run `./k8s-vault-minkube-start.sh`, when the script is done, then the challenges will wait for you at . This will allow you to run challenges 1-8, 12-22. 
@@ -193,47 +193,46 @@ When you want to include your own Canarytokens for your cloud-deployment, do the Each challenge has a `Show hints` button and a `What's wrong?` button. These buttons help to simplify the challenges and give explanation to the reader. Though, the explanations can spoil the fun if you want to do this as a hacking exercise. Therefore, you can manipulate them by overriding the following settings in your env: -- `hints_enabled=false` will turn off the `Show hints` button. -- `reason_enabled=false` will turn of the `What's wrong?` explanation button. +- `hints_enabled=false` will turn off the `Show hints` button. +- `reason_enabled=false` will turn of the `What's wrong?` explanation button. ## Special thanks & Contributors Leaders: -- [Ben de Haan @bendehaan](https://github.com/bendehaan) -- [Jeroen Willemsen @commjoen](https://github.com/commjoen) +- [Ben de Haan @bendehaan](https://github.com/bendehaan) +- [Jeroen Willemsen @commjoen](https://github.com/commjoen) Top contributors: -- [Nanne Baars @nbaars](https://github.com/nbaars) -- [Joss Sparkes @remakingeden](https://github.com/remakingeden) -- [Marcin Nowak @MarcinNowak-codes](https://github.com/MarcinNowak-codes) -- [Tibor Hercz @tiborhercz](https://github.com/tiborhercz) -- [Chris Elbring Jr. 
@neatzsche](https://github.com/neatzsche) -- [Filip Chyla @fchyla](https://github.com/fchyla) -- [Dmitry Litosh @Dlitosh](https://github.com/Dlitosh) -- [Josh Grossman @tghosth](https://github.com/tghosth) -- [Spyros @northdpole](https://github.com/northdpole) -- [Mike Woudenberg @mikewoudenberg](https://github.com/mikewoudenberg) -- [Ruben Kruiver @RubenAtBinx](https://github.com/RubenAtBinx) -- [Nicolas Humblot @nhumblot](https://github.com/nhumblot) -- [Finn @f3rn0s](https://github.com/f3rn0s) -- [Alex Bender @alex-bender](https://github.com/alex-bender) -- [Rick M @kingthorin](https://github.com/kingthorin) +- [Nanne Baars @nbaars](https://github.com/nbaars) +- [Joss Sparkes @remakingeden](https://github.com/remakingeden) +- [Marcin Nowak @MarcinNowak-codes](https://github.com/MarcinNowak-codes) +- [Tibor Hercz @tiborhercz](https://github.com/tiborhercz) +- [Chris Elbring Jr. @neatzsche](https://github.com/neatzsche) +- [Filip Chyla @fchyla](https://github.com/fchyla) +- [Dmitry Litosh @Dlitosh](https://github.com/Dlitosh) +- [Josh Grossman @tghosth](https://github.com/tghosth) +- [Spyros @northdpole](https://github.com/northdpole) +- [Mike Woudenberg @mikewoudenberg](https://github.com/mikewoudenberg) +- [Ruben Kruiver @RubenAtBinx](https://github.com/RubenAtBinx) +- [Nicolas Humblot @nhumblot](https://github.com/nhumblot) +- [Finn @f3rn0s](https://github.com/f3rn0s) +- [Alex Bender @alex-bender](https://github.com/alex-bender) +- [Rick M @kingthorin](https://github.com/kingthorin) Testers: -- [Dave van Stein @davevs](https://github.com/davevs) -- [Marcin Nowak @MarcinNowak-codes](https://github.com/MarcinNowak-codes) -- [Marc Chang Sing Pang @mchangsp](https://github.com/mchangsp) +- [Dave van Stein @davevs](https://github.com/davevs) +- [Marcin Nowak @MarcinNowak-codes](https://github.com/MarcinNowak-codes) +- [Marc Chang Sing Pang @mchangsp](https://github.com/mchangsp) Special mentions for helping out: -- [Madhu Akula 
@madhuakula](https://github.com/madhuakula) -- [Björn Kimminich @bkimminich](https://github.com/bkimminich) -- [Xiaolu Dai @saragluna](https://github.com/saragluna) -- [Jonathan Giles @jonathanGiles](https://github.com/JonathanGiles) - +- [Madhu Akula @madhuakula](https://github.com/madhuakula) +- [Björn Kimminich @bkimminich](https://github.com/bkimminich) +- [Xiaolu Dai @saragluna](https://github.com/saragluna) +- [Jonathan Giles @jonathanGiles](https://github.com/JonathanGiles) ### Sponsorships @@ -255,14 +254,13 @@ We would like to thank the following parties for helping us out: [1Password](https://1password.com/) for granting us an open source license to 1Password for the secret detection testbed. - ## Help Wanted You can help us by the following methods: -- Star us -- Share this app with others -- Of course, we can always use your help [to get more flavors](https://github.com/OWASP/wrongsecrets/issues/37) of "wrongly" configured secrets in to spread awareness! We would love to get some help with other cloud providers, like Alibaba or Tencent cloud for instance. Do you miss something else than a cloud provider? File an issue or create a PR! See [our guide on contributing for more details](CONTRIBUTING.md). Contributors will be listed in releases, in the "Special thanks & Contributors"-section, and the web-app. +- Star us +- Share this app with others +- Of course, we can always use your help [to get more flavors](https://github.com/OWASP/wrongsecrets/issues/37) of "wrongly" configured secrets in to spread awareness! We would love to get some help with other cloud providers, like Alibaba or Tencent cloud for instance. Do you miss something else than a cloud provider? File an issue or create a PR! See [our guide on contributing for more details](CONTRIBUTING.md). Contributors will be listed in releases, in the "Special thanks & Contributors"-section, and the web-app. ## Use OWASP WrongSecrets as a secret detection benchmark 
@@ -273,9 +271,10 @@ The branch will contain a Docker container generation script using which you can ## CTF We have 3 ways of playing CTFs: -- The quick "let's play"-approach based on our own Heroku domain [https://wrongsecrets-ctf.herokuapp.com](https://wrongsecrets-ctf.herokuapp.com), which we documente for you here. -- A more extended approach documented in [ctf-instructions.md](/ctf-instructions.md). -- A fully customizable CTF setup where every player gets its own virtual instance of WrongSecrets and a virtual instance of the wrongsecrets-desktop, so they all can play hassle-free. For this you have to use [the WrongSecrets CTF Party setup](https://github.com/OWASP/wrongsecrets-ctf-party). + +- The quick "let's play"-approach based on our own Heroku domain [https://wrongsecrets-ctf.herokuapp.com](https://wrongsecrets-ctf.herokuapp.com), which we documente for you here. +- A more extended approach documented in [ctf-instructions.md](/ctf-instructions.md). +- A fully customizable CTF setup where every player gets its own virtual instance of WrongSecrets and a virtual instance of the wrongsecrets-desktop, so they all can play hassle-free. For this you have to use [the WrongSecrets CTF Party setup](https://github.com/OWASP/wrongsecrets-ctf-party). ### CTFD Support @@ -369,8 +368,8 @@ If, after reading this section, you still have no clue on the application code: To make changes made load faster we added `spring-dev-tools` to the Maven project. To enable this in IntelliJ automatically, make sure: -- Under Compiler -> Automatically build project is enabled, and -- Under Advanced settings -> Allow auto-make to start even if developed application is currently running. +- Under Compiler -> Automatically build project is enabled, and +- Under Advanced settings -> Allow auto-make to start even if developed application is currently running. You can also manually invoke: Build -> Recompile the file you just changed, this will also force reloading of the application. 
@@ -382,6 +381,7 @@ Follow the steps below on adding a challenge: 2. Add the new challenge in the `org.owasp.wrongsecrets.challenges` folder. Make sure you add an explanation in `src/main/resources/explanations` and refer to it from your new Challenge class. 3. Add a unit and integration test to show that your challenge is working. 4. Don't forget to add `@Order` annotation to your challenge ;-). +5. Review the [CONTRIBUTING guide](CONTRIBUTING.md) for setting up your contributing environment and writing good commit messages. If you want to move existing cloud challenges to another cloud: extend Challenge classes in the `org.owasp.wrongsecrets.challenges.cloud` package and make sure you add the required Terraform in a folder with the separate cloud identified. Make sure that the environment is added to `org.owasp.wrongsecrets.RuntimeEnvironment`. Collaborate with the others at the project to get your container running so you can test at the cloud account. 
@@ -430,8 +430,8 @@ Note: be careful with trying to deploy the `jeroenwillemsen/wrongsecrets-desktop Want to learn more? Checkout the sources below: -- [Blog: 10 Pointers on Secrets Management](https://dev.to/commjoen/secure-deployment-10-pointers-on-secrets-management-187j) -- [OWASP SAMM on Secret Management](https://owaspsamm.org/model/implementation/secure-deployment/stream-b/) -- [The secret detection topic at Github](https://github.com/topics/secrets-detection) -- [OWASP Secretsmanagement Cheatsheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Secrets_Management_Cheat_Sheet.md) -- [OpenCRE on secrets management](https://www.opencre.org/cre/223-780?register=true&type=tool&tool_type=training&tags=secrets,training&description=With%20this%20app%2C%20we%20have%20packed%20various%20ways%20of%20how%20to%20not%20store%20your%20secrets.%20These%20can%20help%20you%20to%20realize%20whether%20your%20secret%20management%20is%20ok.%20The%20challenge%20is%20to%20find%20all%20the%20different%20secrets%20by%20means%20of%20various%20tools%20and%20techniques.%20Can%20you%20solve%20all%20the%2014%20challenges%3F&trk=flagship-messaging-web&messageThreadUrn=urn:li:messagingThread:2-YmRkNjRkZTMtNjRlYS00OWNiLWI2YmUtMDYwNzY3ZjI1MDcyXzAxMg==&lipi=urn:li:page:d_flagship3_feed;J58Sgd80TdanpKWFMH6z+w==) +- [Blog: 10 Pointers on Secrets Management](https://dev.to/commjoen/secure-deployment-10-pointers-on-secrets-management-187j) +- [OWASP SAMM on Secret Management](https://owaspsamm.org/model/implementation/secure-deployment/stream-b/) +- [The secret detection topic at Github](https://github.com/topics/secrets-detection) +- [OWASP Secretsmanagement Cheatsheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Secrets_Management_Cheat_Sheet.md) +- [OpenCRE on secrets 
management](https://www.opencre.org/cre/223-780?register=true&type=tool&tool_type=training&tags=secrets,training&description=With%20this%20app%2C%20we%20have%20packed%20various%20ways%20of%20how%20to%20not%20store%20your%20secrets.%20These%20can%20help%20you%20to%20realize%20whether%20your%20secret%20management%20is%20ok.%20The%20challenge%20is%20to%20find%20all%20the%20different%20secrets%20by%20means%20of%20various%20tools%20and%20techniques.%20Can%20you%20solve%20all%20the%2014%20challenges%3F&trk=flagship-messaging-web&messageThreadUrn=urn:li:messagingThread:2-YmRkNjRkZTMtNjRlYS00OWNiLWI2YmUtMDYwNzY3ZjI1MDcyXzAxMg==&lipi=urn:li:page:d_flagship3_feed;J58Sgd80TdanpKWFMH6z+w==) From ec30012f0412692422c8d2b870e0d6f2fcf142a7 Mon Sep 17 00:00:00 2001 From: Ben de Haan <53901866+bendehaan@users.noreply.github.com> Date: Wed, 22 Feb 2023 14:14:44 +0100 Subject: [PATCH 3/3] fix: process review comments --- CONTRIBUTING.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index e3fffa0d4..ef96b0cfc 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -72,12 +72,13 @@ Pull requests should be as small/atomic as possible. Large, wide-sweeping change 5. Choose what to work on, based on any of the outstanding [issues](https://github.com/OWASP/wrongsecrets/issues "WrongSecrets Issues"). 6. Create a branch so that you can cleanly work on the chosen issue: `git checkout -b fix/Issue66` 7. Open your favorite editor and start making modifications. We recommend using the [IntelliJ Idea](https://www.jetbrains.com/idea/). -8. Install [pre-commit](https://pre-commit.com/#install) the dependencies for our pre-commit configuration to make sure your code complies with standards used in the project. This requires terraform, [terraform-docs](https://github.com/terraform-docs/terraform-docs#installation), [tflint](https://github.com/terraform-linters/tflint#installation), and [commitlint](https://commitlint.js.org/#/guides-local-setup). For commitlint, you can use `npm install` in the root folder of this project. +8. Install [pre-commit](https://pre-commit.com/#install) the dependencies for our pre-commit configuration to make sure your code complies with standards used in the project. This requires terraform, [terraform-docs](https://github.com/terraform-docs/terraform-docs#installation), [tflint](https://github.com/terraform-linters/tflint#installation), and [commitlint](https://commitlint.js.org/#/guides-local-setup). For commitlint, you need [NodeJS](https://nodejs.org/en/download/) installed, after which you you can use `npm install` in the root folder of this project. 9. Install the pre-commit hook using `pre-commit install --hook-type commit-msg`. We recommend to run `pre-commit run -a` every so often if you're working on a bigger change. 10. After your modifications are done, push them to your forked repository. 
This can be done by executing the command `git add MYFILE` for every file you have modified, followed by `git commit -m 'your commit message here'` to commit the modifications and `git push` to push your modifications to GitHub. 11. Create a Pull Request (PR) by going to your fork, and click on the "New Pull Request" button. The target branch should typically be the Master branch. When submitting a PR, be sure to follow the checklist that is provided in the PR template. The checklist itself will be filled out by the reviewer. -12. Your PR will be reviewed and comments may be given. In order to process a comment, simply make modifications to the same branch as before and push them to your repository. GitHub will automatically detect these changes and add them to your existing PR. -13. When starting on a new PR in the future, make sure to always keep your local repo up to date: +12. If something in your git workflow went wrong (and e.g., the precommit hook CI run failed), check out ["O Shit, Git!?!"](https://ohshitgit.com/) to view tips on editing your historical commit message(s), among others. +13. Your PR will be reviewed and comments may be given. In order to process a comment, simply make modifications to the same branch as before and push them to your repository. GitHub will automatically detect these changes and add them to your existing PR. +14. When starting on a new PR in the future, make sure to always keep your local repo up to date: ```bash git fetch upstream