#gitops (2021-07)
Discuss continuous delivery of infrastructure
Archive: https://archive.sweetops.com/gitops/
2021-07-21
Question: How do you use Git pre-hooks for identifying secrets at the organization level? I’m looking for ideas to detect sensitive commits before they’re committed and pushed to GitHub. Any ideas how you would approach this at the org level?
@Mazin Ahmed Right now I’m just using lefthook and setting up a gitleaks hook to run on pre-commit and pre-push. It’s not perfect, and I’ve not centralized anything. You can use plugins in whatever CI tool you use to do more widescale work, but for now it’s a way I’ve taken to get a small step towards quick code checks and pushing folks away from even dev certs and keys in the repos.
Thank you!
you need a solid dev workflow runbook
make sure you automate everything with brew
or chocolatey
It’s all about setting up developers’ machines. For me, I would move over by offloading all of these checks into CI instead of developers’ machines.
@Mohammed Yahya for the sake of discussion, I don’t look at this as shifting from dev to CI checks. I’d rather “shift left” by having the same checks on the devs that CI runs. This improves the feedback cycle dramatically.
Brew and choco are for dev machine setup, and yes, the task init I use leverages those for apps needed if required.
Love automation!
I totally agree with you. Been there, found a lot of developers do not care about pre-checks or whatsoever, so you force everything with CI and PR reviews.
@Mohammed Yahya that’s why I use task init
or equivalent in the setup of the project and it self-registers all the hooks and linting tools. Then CI does the exact same thing as manual run.
This means an immediate feedback loop before I even open a PR, having resolved all linting and test failures before it even gets to this point. IMO that quick feedback loop is key to a good trunk-based dev workflow and making PRs less intrusive.
@sheldonh, do you have a good base project template using task that you’d be willing to share?
Yeah, I have lots of examples. I’m actually not using task anymore, as I’m exclusively writing all automation tasks with Mage (Go) since it’s far more flexible, with full access to all that Go can do cross-platform. For mage (if you want to write Go), see https://github.com/sheldonhull/magetools. I have examples and templates there and use this now in other projects. I like it if you are willing to write Go, because you also can remote import sets of tasks. Makes it reusable across lots of repos!
I have lots of task starters I was using here: https://github.com/sheldonhull/ci-configuration-files
Less updated, as I realized it’s better to be a repo than markdown due to regular updates: https://www.sheldonhull.com/docs/task/
Hope this helps!
I’d try to return the favor but I doubt you want 1k line makefiles….
Ha! I’ve actually avoided writing any Makefiles so far in my career. Tweaked a couple, but since most of my work crosses from build to a lot of other things, and I like cross-platform, I’ve tended to use go-task, InvokeBuild (PowerShell) or mage.
Since I wasn’t immersed in bash, my natural tendency, once things get beyond simple invoke commands, is to use a more powerful language and not deal with bash idiosyncrasies.
Not saying it’s right. I am a PowerShell ninja but a bash so if I had to pick something I’d gravitate towards PowerShell, because I know all those quirks and the object pipeline stuff.