From e0f23923114eb3e24872f99d31a241b273a0ddd4 Mon Sep 17 00:00:00 2001
From: a-know
Date: Sun, 21 Jun 2026 13:24:48 +0900
Subject: [PATCH] chore: add Semgrep and Gitleaks checks
---
 .githooks/pre-commit | 47 ++++++++++++++++++++++++++++++++++++++++++++
 .semgrep.yml | 39 ++++++++++++++++++++++++++++++++++++
 README.md | 11 +++++++++++
 3 files changed, 97 insertions(+)
 create mode 100755 .githooks/pre-commit
 create mode 100644 .semgrep.yml
diff --git a/.githooks/pre-commit b/.githooks/pre-commit
new file mode 100755
index 0000000..e804b71
--- /dev/null
+++ b/.githooks/pre-commit
@@ -0,0 +1,47 @@
+#!/bin/sh
+set -eu
+
+if ! command -v semgrep >/dev/null 2>&1; then
+ echo "semgrep is not installed or not in PATH; aborting commit." >&2
+ exit 1
+fi
+
+if ! command -v gitleaks >/dev/null 2>&1; then
+ echo "gitleaks is not installed or not in PATH; aborting commit." >&2
+ exit 1
+fi
+
+if [ -f /opt/homebrew/etc/ca-certificates/cert.pem ]; then
+ export SSL_CERT_FILE="${SSL_CERT_FILE:-/opt/homebrew/etc/ca-certificates/cert.pem}"
+fi
+
+export SEMGREP_SEND_METRICS="${SEMGREP_SEND_METRICS:-off}"
+export SEMGREP_LOG_FILE="${SEMGREP_LOG_FILE:-${TMPDIR:-/tmp}/semgrep-pre-commit.log}"
+
+files_file="$(mktemp "${TMPDIR:-/tmp}/semgrep-staged.XXXXXX")"
+trap 'rm -f "$files_file"' EXIT
+
+git diff --cached --name-only --diff-filter=ACMR -z > "$files_file"
+
+if [ ! -s "$files_file" ]; then
+ exit 0
+fi
+
+echo "Running Gitleaks on staged changes..."
+
+gitleaks protect \
+ --staged \
+ --redact \
+ --no-banner \
+ --log-level warn
+
+echo "Running Semgrep on staged files..."
+
+xargs -0 semgrep \
+ --config .semgrep.yml \
+ --error \
+ --baseline-commit HEAD \
+ --disable-version-check \
+ --metrics off \
+ --quiet \
+ < "$files_file"
diff --git a/.semgrep.yml b/.semgrep.yml
new file mode 100644
index 0000000..a579623
--- /dev/null
+++ b/.semgrep.yml
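Review bot: The Semgrep step scans the working-tree contents of the paths listed by `git diff --cached --name-only`, not the staged blobs, so with partial staging (`git add -p`) or edits made after `git add` the code that is checked differs from the code that is committed; Gitleaks, by contrast, runs with `--staged` against the index. A minimal guard is to refuse the commit when a staged file also carries unstaged changes, placed just before the Semgrep call: `if ! xargs -0 git diff --quiet -- < "$files_file"; then echo "staged files have unstaged changes; stage or stash them first" >&2; exit 1; fi`; the heavier alternative is exporting the index with `git checkout-index --stdin -z --prefix` and scanning that copy, which would mean dropping `--baseline-commit HEAD` because the export is not a git checkout. It is also worth confirming that `--baseline-commit HEAD` behaves in a pre-commit context at all, since the tree is dirty by definition at that point and `HEAD` does not exist in a repository with no commits yet. Finally, a local hook is skipped by `git commit --no-verify`, so the same Semgrep and Gitleaks invocations should also run in CI for these checks to be enforceable rather than advisory.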
@@ -0,0 +1,39 @@
+rules:
+ - id: dart-hardcoded-api-token
+ languages:
+ - dart
+ severity: ERROR
+ message: This looks like a hardcoded secret. Move credentials to secure storage or environment configuration.
+ pattern-regex: (?i)(api[_-]?key|secret|token|password|passwd|pwd)\s*[:=]\s*["'][A-Za-z0-9_./+=-]{16,}["']
+
+ - id: dart-insecure-md5
+ languages:
+ - dart
+ severity: ERROR
+ message: MD5 is not safe for security-sensitive hashing.
+ pattern-either:
+ - pattern: md5.convert(...)
+ - pattern: Hmac(md5, ...)
+
+ - id: dart-insecure-sha1
+ languages:
+ - dart
+ severity: ERROR
+ message: SHA-1 is not safe for security-sensitive hashing.
+ pattern-either:
+ - pattern: sha1.convert(...)
+ - pattern: Hmac(sha1, ...)
+
+ - id: dart-accept-all-certificates
+ languages:
+ - dart
+ severity: ERROR
+ message: Do not accept every TLS certificate. Validate the server certificate instead.
+ pattern: $CLIENT.badCertificateCallback = (...) => true
+
+ - id: generic-hardcoded-secret
+ languages:
+ - generic
+ severity: ERROR
+ message: This looks like a hardcoded secret. Move credentials to secure storage or environment configuration.
+ pattern-regex: (?i)(api[_-]?key|secret|token|password|passwd|pwd)\s*[:=]\s*['"][A-Za-z0-9_./+=-]{16,}['"]
diff --git a/README.md b/README.md
index 42ce33f..387fbd7 100644
--- a/README.md
+++ b/README.md
@@ -117,3 +117,14 @@ flutter build apk --release
 flutter analyze
 flutter test
 ```
+
+## セキュリティチェック
+
+コミット前に、ステージ済みの変更を Semgrep と Gitleaks で検査します。
+
+```bash
+brew install semgrep gitleaks
+git config core.hooksPath .githooks
+```
+
+設定後は、`git commit` の実行時にセキュリティチェックが自動で行われます。
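Review bot: `Hmac(sha1, ...)` under `dart-insecure-sha1` blocks commits at ERROR severity, but HMAC-SHA1 does not rely on SHA-1 collision resistance and is still mandated by protocols a mobile app may legitimately implement (TOTP per RFC 6238 defaults to HMAC-SHA1), so this pattern will reject correct code; the same applies, somewhat more weakly, to `Hmac(md5, ...)`. I would drop `- pattern: Hmac(sha1, ...)` from the ERROR rule and give it its own WARNING-severity rule whose message names the real concern (legacy algorithm, migrate when the protocol allows), keeping `sha1.convert(...)` as the blocking case. Separately, `dart-accept-all-certificates` only matches the arrow form `(...) => true`, so a block-bodied callback `(cert, host, port) { return true; }` or a cascade `..badCertificateCallback = ...` passes unnoticed; converting the rule to `pattern-either:` and adding `- pattern: $CLIENT.badCertificateCallback = (...) { return true; }` closes the obvious gap, assuming Semgrep's Dart parser handles these lambda forms, which is worth confirming since Dart support is, if I recall correctly, still marked experimental. Note also that `generic-hardcoded-secret` already covers Dart files, so `dart-hardcoded-api-token` will double-report the same line.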