Pre-commit Secret Scanning
Chris Grindstaff edited this page Nov 19, 2021
I've been using Talisman for this and it has worked well.
Follow the single-project installation steps from the Talisman README: https://github.com/thoughtworks/talisman#installation-to-a-single-project

# download the installer (skim ~/install-talisman.sh before running it; it is a script fetched from the network)
curl https://thoughtworks.github.io/talisman/install.sh > ~/install-talisman.sh
chmod +x ~/install-talisman.sh
# install Talisman as the pre-commit hook of this clone only; other clones need their own install
cd ~/opt/harvest   # adjust to match your Harvest clone directory
~/install-talisman.sh pre-commit
Copy/paste the following to create a .talismanrc config file in the repository root. The quoted heredoc (<<'EOF') writes the text verbatim, so the backslash in the regex is not touched by the shell. scopeconfig applies Talisman's built-in ignores for Go projects, custom_patterns adds a regex that flags any indented password: key (the Harvest credential lines), and allowed_patterns suppresses matches that only mention the admin-key.pem file name.

cat > .talismanrc <<'EOF'
scopeconfig:
  - scope: go
custom_patterns:
  - '(?m)^\s+password:'
allowed_patterns:
  - 'admin-key.pem'
EOF
Test that the hook runs (-g selects the pre-commit hook, -i runs it interactively):

.git/hooks/bin/talisman -g pre-commit -i

If everything works, you should see something like this:

Talisman Scan: 0 <......................> ?%
Talisman done in 47.403602ms
Edit your harvest.yml file and uncomment the password line, like so:

cluster-01:
  datacenter: DC-01
  addr: 10.0.0.1
  auth_style: basic_auth
  username: myuser
  password: mypasw
Now when you try to commit this file, Talisman warns you and prevents the commit:

git commit -m 'foo'
Talisman Scan: 3 / 3 <---------------------------------------------------------> 100.00%

Talisman Report:
+-------------+--------------------------------+----------+
| FILE        | ERRORS                         | SEVERITY |
+-------------+--------------------------------+----------+
| harvest.yml | Potential secret pattern :     | high     |
|             | password:                      |          |
+-------------+--------------------------------+----------+


If you are absolutely sure that you want to ignore the above files from
talisman detectors, consider pasting the following format in .talismanrc file
in the project root

fileignoreconfig:
- filename: harvest.yml
  checksum: e296bcede33da479a3a8aa6bf1b8c8993661b064992c76106c6f0a7f5613e119
  version: ""

Talisman done in 48.455381ms

A fileignoreconfig entry is tied to that checksum: as soon as harvest.yml changes again, the checksum no longer matches and Talisman flags the file once more, which is what you want. Prefer fixing the finding (keep the real password out of the committed harvest.yml) over ignoring the file.
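To see exactly which lines the custom pattern above catches before relying on the hook, here is a plain-shell stand-in for the custom_patterns / allowed_patterns check. This is an added example, not Talisman's code and not part of Harvest; the function names, the constructed sample YAML files and the temporary directory are assumptions made for the demo. It runs the same logic a pre-commit hook would run over staged files: an indented, uncommented password: key is reported, a commented-out one is not, and a line that mentions the allow-listed admin-key.pem is suppressed.

```shell
#!/bin/sh
# Added example: a minimal stand-in for the Talisman check configured above.
# Not Talisman's code and not Harvest's; sample files and names are constructed.

# POSIX ERE equivalent of the Talisman custom pattern '(?m)^\s+password:'
SECRET_PATTERN='^[[:space:]]+password:'
# Equivalent of the allowed_patterns entry: matching lines are never reported
ALLOWED_PATTERN='admin-key\.pem'

# secret_lines FILE: print "LINENO:TEXT" for each line that matches the secret
# pattern and does not match the allow pattern; prints nothing for a clean file.
secret_lines() {
    grep -nE "$SECRET_PATTERN" "$1" | grep -vE "$ALLOWED_PATTERN" || true
}

# count_secrets FILE: number of offending lines in FILE (0 for a clean file)
count_secrets() {
    secret_lines "$1" | wc -l | tr -d ' '
}

# check_files FILE...: report every hit; return 1 (block the commit) if any
# file contains one, 0 otherwise. A real pre-commit hook would pass the output
# of `git diff --cached --name-only --diff-filter=ACM` here.
check_files() {
    status=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        hits=$(secret_lines "$f")
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | sed "s|^|$f:|"
            status=1
        fi
    done
    return $status
}

# write_samples DIR: constructed sample input mirroring the harvest.yml edit above
write_samples() {
    # leaked: an indented, uncommented password key (the case the hook must block)
    printf 'cluster-01:\n  datacenter: DC-01\n  addr: 10.0.0.1\n  auth_style: basic_auth\n  username: myuser\n  password: mypasw\n' > "$1/harvest.yml"
    # clean: the password line is still commented out, so '^\s+password:' does not match
    printf 'cluster-01:\n  username: myuser\n  # password: mypasw\n' > "$1/clean.yml"
    # allowed: matches the secret pattern but names the allow-listed file, so it is suppressed
    printf 'cluster-01:\n  password: admin-key.pem\n' > "$1/certs.yml"
}

# run_demo: write the samples, scan them, print the verdict a hook would give
run_demo() {
    d=$(mktemp -d)
    write_samples "$d"
    if check_files "$d"/*.yml; then
        echo "no secrets found, commit would proceed"
    else
        echo "secret found, commit would be blocked"
    fi
    rm -rf "$d"
}

run_demo
```

Running the script prints the offending harvest.yml line with its line number and the "commit would be blocked" verdict; clean.yml and certs.yml produce no output. The allowlist here is applied per line, as a regex over the matched text, which is the same granularity Talisman uses for allowed_patterns.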