Secret scanning RISDEV-4541

.github/workflows/pipeline.yml

@@ -0,0 +1,19 @@
+name: Pipeline
+
+on:
+  # Run on any branch receiving a push
+  push:
+  # Allow manual trigger of the workflow
+  workflow_dispatch:
+
+jobs:
+  # Talisman Secrets Check
+  talisman-check:
+    runs-on: ubuntu-latest
+    if: ${{ github.ref == 'refs/heads/main' }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Detect secrets in incoming commits with Talisman
+        uses: digitalservicebund/talisman-secrets-scan-action@9a4cb85589e29a62b4546eb566119753a5680aeb

.talismanrc

@@ -0,0 +1,6 @@
+allowed_patterns:
+  - uses:\ ([A-z0-9\-]+\/)*[A-z0-9\-]+@[a-fA-F0-9]{40}
+threshold: medium
+version: "1.0"
+scopeconfig:
+  - scope: node

DEVELOPING.md

@@ -0,0 +1,26 @@
+# Development Notes
+
+**Security note: Do not forget to run the `lefthook` setup below, including the setup of `talisman`. This ensures that secrets are caught before reaching the remote repository.**
+
+## Git Hooks
+
+The repository contains Git hooks which support
+
+- preventing accidentally pushing secrets and sensitive information
+
+### Git Hooks Setup
+
+In order to make use of the repository's Git hooks,
+
+- Install [`Lefthook`](https://github.com/evilmartians/lefthook)
+
+needs to be installed, which, in turn, makes use of the following CLI tools:
+
+- [`talisman`](https://thoughtworks.github.io/talisman/docs) - scans for secrets
+
+Once these tools are available, install the hooks via
+
+```bash
+lefthook install
+```
+And now you’re set up to run the security checks before each commit.

lefthook.yml

@@ -0,0 +1,7 @@
+pre-commit:
+  parallel: true
+  commands:
+    secrets-audit:
+      run: |
+        talisman --githook pre-commit ||
+        (echo "Verify the content and fix it with: talisman --githook pre-commit --interactive"; exit 1)