From eac9cb6cdc9814f8f2a61ebcf536188c56e44195 Mon Sep 17 00:00:00 2001
From: Tarek Hamaoui
Date: Wed, 14 Aug 2024 10:33:45 +0200
Subject: [PATCH 1/4] Add Lefthook config for pre-commit Talisman checks RISDEV-4541
---
lefthook.yml | 7 +++++++
1 file changed, 7 insertions(+)
create mode 100644 lefthook.yml
diff --git a/lefthook.yml b/lefthook.yml
new file mode 100644
index 0000000..27f16a5
--- /dev/null
+++ b/lefthook.yml
@@ -0,0 +1,7 @@
+pre-commit:
+ parallel: true
+ commands:
+ secrets-audit:
+ run: |
+ talisman --githook pre-commit ||
+ (echo "Verify the content and fix it with: talisman --githook pre-commit --interactive"; exit 1)
\ No newline at end of file
From 26b373ef43afecad2d59bb33b71af08e1e66bff8 Mon Sep 17 00:00:00 2001
From: Tarek Hamaoui
Date: Wed, 14 Aug 2024 10:34:32 +0200
Subject: [PATCH 2/4] Add CONTRIBUTING.md with Lefthook & Talisman instructions RISDEV-4541
---
DEVELOPING.md | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
create mode 100644 DEVELOPING.md
diff --git a/DEVELOPING.md b/DEVELOPING.md
new file mode 100644
index 0000000..07edc2f
--- /dev/null
+++ b/DEVELOPING.md
@@ -0,0 +1,26 @@
+# Development Notes
+
+**Security note: Do not forget to run the `lefthook` setup below, including the setup of `talisman`. This ensures that secrets are caught before reaching the remote repository.**
+
+## Git Hooks
+
+The repository contains Git hooks which support
+
+- preventing accidentally pushing secrets and sensitive information
+
+### Git Hooks Setup
+
+In order to make use of the repository's Git hooks,
+
+- Install [`Lefthook`](https://github.com/evilmartians/lefthook)
+
+needs to be installed, which, in turn, makes use of the following CLI tools:
+
+- [`talisman`](https://thoughtworks.github.io/talisman/docs) - scans for secrets
+
+Once these tools are available, install the hooks via
+
+```bash
+lefthook install
+```
+And now you’re set up to run the security checks before each commit.
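Review bot: `parallel: true` on the `pre-commit` stanza has nothing to parallelize while `secrets-audit` is its only command; either drop it or keep it with a comment saying it anticipates commands added later, so a reader does not go looking for a second command. The `run` block would also benefit from a one-line comment stating the fail-closed contract it already implements, e.g. `# Fail closed: any non-zero exit from talisman (including the binary being absent from PATH) blocks the commit` — with the `||` fallback the `exit 1` is reached in both cases, which is the right default for a secrets gate but easy to misread as a message-only branch. The file also ends without a trailing newline.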
From 22dbb561c3ea46ca5a81c8e12531a6238d17e2a8 Mon Sep 17 00:00:00 2001
From: Tarek Hamaoui
Date: Wed, 14 Aug 2024 10:44:38 +0200
Subject: [PATCH 3/4] Add pipeline with Talisman secrets check on push RISDEV-4541
---
.github/workflows/pipeline.yml | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
create mode 100644 .github/workflows/pipeline.yml
diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
new file mode 100644
index 0000000..3212902
--- /dev/null
+++ b/.github/workflows/pipeline.yml
@@ -0,0 +1,19 @@
+name: Pipeline
+
+on:
+ # Run on any branch receiving a push
+ push:
+ # Allow manual trigger of the workflow
+ workflow_dispatch:
+
+jobs:
+ # Talisman Secrets Check
+ talisman-check:
+ runs-on: ubuntu-latest
+ if: ${{ github.ref == 'refs/heads/main' }}
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - name: Detect secrets in incoming commits with Talisman
+ uses: digitalservicebund/talisman-secrets-scan-action@9a4cb85589e29a62b4546eb566119753a5680aeb
\ No newline at end of file
From 57ac0dcc34ff51ea7bc8e76b81b301b49533912f Mon Sep 17 00:00:00 2001
From: Tarek Hamaoui
Date: Wed, 14 Aug 2024 10:45:40 +0200
Subject: [PATCH 4/4] Add talisman config RISDEV-4541
---
.talismanrc | 6 ++++++
1 file changed, 6 insertions(+)
create mode 100644 .talismanrc
diff --git a/.talismanrc b/.talismanrc
new file mode 100644
index 0000000..63df5a0
--- /dev/null
+++ b/.talismanrc
@@ -0,0 +1,6 @@
+allowed_patterns:
+ - uses:\ ([A-z0-9\-]+\/)*[A-z0-9\-]+@[a-fA-F0-9]{40}
+threshold: medium
+version: "1.0"
+scopeconfig:
+ - scope: node
\ No newline at end of file
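Review bot: The job-level `if: ${{ github.ref == 'refs/heads/main' }}` contradicts the `# Run on any branch receiving a push` comment: every push triggers the workflow, but its only job is skipped unless the ref is `main`, so a secret pushed to any other branch reaches the remote without a server-side scan and is scanned, at the earliest, when it lands on `main` (the same guard also skips a manual `workflow_dispatch` run from any other ref). If scanning every branch is intended, drop the `if` line; if restricting to `main` is intended, reword the comment to say so and why. The job also runs with the repository's default token permissions although the scan only needs to read the checkout, so a top-level `permissions:` with `  contents: read` would apply least privilege. Pinning the third-party action to a full commit SHA is the right call.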
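Review bot: The `A-z` ranges in the `allowed_patterns` entry are wider than they look: in ASCII `A-z` also covers `[`, `\`, `]`, `^`, `_` and the backtick, so the pattern allows more than the alphanumeric `owner/repo@sha` form it evidently exists for (the SHA-pinned `uses:` line in the workflow). Use explicit ranges: `- uses:\ ([A-Za-z0-9\-]+\/)*[A-Za-z0-9\-]+@[a-fA-F0-9]{40}`. Since `allowed_patterns` is not file-scoped, a short comment above it naming what the pattern is meant to allow would help reviewers judge future additions, and `threshold: medium` deserves a comment that, as I read Talisman's threshold semantics, findings below that severity are not reported, if that trade-off is intended. The file also ends without a trailing newline.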