16. Searching for secrets in code (gitleaks). Searching for unused composer dependencies


Searching for unused dependencies

A package for searching for unused dependencies: composer-unused.

Since Laravel auto-discovers packages (their service providers are registered through package discovery), some packages are never referenced directly in the code, and composer-unused reports them as unused. These can be ignored in the configuration file.

composer-unused.php
<?php

use ComposerUnused\ComposerUnused\Configuration\Configuration;
use ComposerUnused\ComposerUnused\Configuration\NamedFilter;

return static function (Configuration $config): Configuration {
    $config
        // some comment why the package is used
        ->addNamedFilter(NamedFilter::fromString('some/package'));

    return $config;
};

I also recommend adding it to the git pre-push hook and, of course, to the CI/CD script. One piece of advice: put the faster commands first (if they are not run in parallel). The developer gets feedback sooner, and slower commands are not run when an earlier one has already failed.

.husky/pre-push
docker exec -t bh-app ./vendor/bin/composer-unused

Searching for secrets

Passwords, private keys, and all secrets should not be in git or the git history.

Any secret scanner will work for you. I use gitleaks.

It's most convenient to run the scanner with Docker. Ideally, use the latest version. This is a case where you don't need to pin a fixed version: the detection rules are updated over time, and a newer version can find secrets that older rule sets missed. The trade-off is that a CLI change in a new release can break the hook, so keep an eye on the gitleaks changelog.

Gitleaks has 2 commands: protect and detect. detect scans the git history, while protect scans the uncommitted changes in the working tree, either only the staged ones (--staged) or the unstaged ones as well.

If you find a secret in the git history, treat it as compromised: rotate it right away in the service it belongs to, since the old value is already in the code, and do a hotfix deploy. Rewriting history does not help on its own, because clones and forks still hold the old value.

Only then add the affected commit to the allowlist in the gitleaks configuration, so the scanner stops flagging the now-rotated secret.

.gitleaks.toml
[extend]
useDefault = true

[allowlist]
commits = []
  • useDefault = true — required. It keeps the built-in rule set when you extend the configuration.
  • allowlist — commits to skip, as well as file names, directories, and regexes.

I recommend adding the check to the pre-commit hook. First, update the Docker container. For the pre-commit hook, use the protect command. Add the report file written by --report-path to .gitignore so that it is not committed along with the findings.

.husky/pre-commit
docker pull zricethezav/gitleaks:latest
# Mount the repository with an absolute host path: older Docker versions reject
# a relative bind-mount source such as ./ and try to treat it as a volume name.
docker run -v "$(pwd):/path" zricethezav/gitleaks:latest protect \
    --source="/path" \
    --config=/path/.gitleaks.toml \
    --report-path=/path/gitleaks-report.json \
    --staged

And definitely include it as part of CI/CD, ideally as a separate job, directly from the container. Here the detect command is required, because CI should scan the whole history, not just the working tree. Note that GitLab shallow-clones the repository by default, so set GIT_DEPTH to 0 for this job; otherwise detect only sees the most recent commits.

.gitlab-ci.yml
secret-detection:
  stage: test
  image:
    name: zricethezav/gitleaks
    entrypoint: [ "" ]
  variables:
    # full clone, so that detect scans the entire git history
    GIT_DEPTH: 0
  script:
    - gitleaks detect --config=.gitleaks.toml --report-path=gitleaks-report.json
  artifacts:
    # keep the report even when the job fails, which is exactly when it matters
    when: always
    paths:
      - gitleaks-report.json
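As an added example (not code from the original post), a small Python script that reads the gitleaks-report.json written by the commands above, groups the findings by commit so you know which services need their secrets rotated, and prints the commits line for the [allowlist] section once rotation is done. It never outputs the secret values themselves. The field names follow the gitleaks v8 JSON report; the sample report is constructed with placeholder values.

```python
import json
from collections import defaultdict

# Constructed sample in the gitleaks v8 JSON report layout; the secret values
# are placeholders, not real credentials.
SAMPLE_REPORT = json.dumps([
    {"RuleID": "aws-access-token", "File": "config/services.php", "Commit": "0123abc",
     "Secret": "AKIAEXAMPLEEXAMPLE01", "Date": "2023-05-01T10:00:00Z", "Author": "dev"},
    {"RuleID": "generic-api-key", "File": ".env.backup", "Commit": "0123abc",
     "Secret": "placeholder-key", "Date": "2023-05-01T10:00:00Z", "Author": "dev"},
    {"RuleID": "private-key", "File": "storage/oauth-private.key", "Commit": "4567def",
     "Secret": "-----BEGIN PRIVATE KEY-----...", "Date": "2023-06-02T12:00:00Z", "Author": "ops"},
])


def summarize(report_json: str) -> dict:
    """Group findings by commit (rule ids and files only); the Secret field is dropped."""
    by_commit = defaultdict(lambda: {"rules": set(), "files": set()})
    for finding in json.loads(report_json):
        entry = by_commit[finding["Commit"]]
        entry["rules"].add(finding["RuleID"])
        entry["files"].add(finding["File"])
    return {commit: {"rules": sorted(v["rules"]), "files": sorted(v["files"])}
            for commit, v in sorted(by_commit.items())}


def allowlist_toml(summary: dict) -> str:
    """Render the [allowlist] commits entry for .gitleaks.toml, to add after rotation."""
    commits = ", ".join(f'"{commit}"' for commit in summary)
    return f"[allowlist]\ncommits = [{commits}]\n"


if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT)
    for commit, info in summary.items():
        print(f"{commit}: rotate {', '.join(info['rules'])} in {', '.join(info['files'])}")
    print(allowlist_toml(summary))
```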