Add pre-commit configuration and custom hook (#149)

jcstorms1 · jtappa · web-flow · commit 986ec7af59d7 · 2021-07-01T10:15:53.000-04:00
* Update expected breaking change date (#114) * add pre-commit config and custom hook * Update README.md * Update README.md * Update README.md Co-authored-by: Jorie Helwig <jorie.helwig@datadoghq.com>
diff --git a/.git-hooks/detect-api-keys.py b/.git-hooks/detect-api-keys.py
@@ -0,0 +1,73 @@
+#!/usr/bin/env python
+from __future__ import print_function
+
+import argparse
+import re
+import sys
+
+
+def detect_aws_access_key(line):
+    match = re.search(r"(?<![A-Z0-9])[A-Z0-9]{20}(?![A-Z0-9])", line)
+    return match, "AWS access key"
+
+
+def detect_aws_secret_key(line):
+    match = re.search(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])", line)
+    return match, "AWS secret key"
+
+
+def detect_dd_api_key(line):
+    match = re.search(r"(?<![a-fA-F0-9])[a-fA-F0-9]{32}(?![a-fA-F0-9])", line)
+    return match, "Datadog API key"
+
+
+def detect_dd_app_key(line):
+    match = re.search(r"(?<![a-fA-F0-9])[a-fA-F0-9]{40}(?![a-fA-F0-9])", line)
+    return match, "Datadog app key"
+
+
+def key_found_message(args):
+    return (
+        "\033[91m"
+        "Potential {} found in {} at line {} and column {}. "
+        "Please remove the key before committing these changes."
+        "\033[0m".format(*args)
+    )
+
+
+def main(argv=None):
+    parser = argparse.ArgumentParser()
+    parser.add_argument("filenames", nargs="*", help="Filenames to check.")
+    args = parser.parse_args(argv)
+
+    # add or remove functions here
+    functions_to_run = [
+        detect_aws_access_key,
+        detect_aws_secret_key,
+        detect_dd_api_key,
+        detect_dd_app_key,
+    ]
+
+    files_with_key = []
+
+    for filename in args.filenames:
+        with open(filename, "r") as f:
+            content = f.readlines()
+            f.close()
+
+        for i, line in enumerate(content):
+            for func in functions_to_run:
+                match, name = func(line)
+                if match != None:
+                    files_with_key.append((name, filename, i + 1, match.end()))
+
+        if files_with_key:
+            for file in files_with_key:
+                print(key_found_message(file))
+            return 1
+        else:
+            return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,18 @@
+repos:
+  - repo: git@github.com:pre-commit/pre-commit-hooks
+    rev: v2.1.0
+    hooks:
+      - id: check-merge-conflict
+        files: \.py$
+  - repo: git@github.com:psf/black
+    rev: 21.6b0
+    hooks:
+      - id: black
+        files: \.py$
+  - repo: local
+    hooks:
+      - id: detect-api-keys
+        name: detect-api-keys
+        description: Checks for AWS or Datadog API keys
+        entry: ".git-hooks/detect-api-keys.py"
+        language: python
