Hack-a-thon: Go Plugin Crazy 🎉

[JamieSlome]

Setting the scene ⛰️

GitProxy is a tool that allows large organisations and companies (like Citigroup, Royal Bank of Canada and NatWest) to scan code and commit metadata for security and compliance issues before it is pushed from a developer machine to a codebase or repository. Think of it as automatically scanning your code and commits before your code is accepted into the upstream repository. This is commonly referred to as push protections.

Today, GitProxy supports a few out-of-the-box checks including secret scanning using string literals and regular expressions on commit metadata (e.g. commit message & commit e-mails) as well as on the change (or diff) created by the developer pushing their code via GitProxy.

Hack-a-thon ⚒️

For this hack-a-thon, we want you to create discrete and neatly contained GitProxy Plugins that take a git diff as input and outputs informational or advisory information about detected issues in the submitted code. You can be as creative and wild with your imagination as you like 🤯 Ask yourself, what are the types of checks & scans you would want to run over your code before sharing it on the Web for all to see? 👀

Examples may include a plugin to:

1. Detect the usage of data (i.e. usage of JSONs, LOG files, CSV files, XLSX etc.)
2. Detect the usage of non-standard cryptography or encryption techniques
3. Detect the usage of media assets (incl. images, videos, graphics, design files)
4. Detect the usage of AI/ML usage (incl. weights, models etc.)
5. Check EXIF data in JPEG images
6. Using an LLM to identify code leakage or anomalies
7. Detect the exfiltration of data or information in picture or video formats
8. Detect the usage of slurs, swear words and profanities
9. Detect the usage of common secrets and sensitive patterns (i.e. using GitLeaks)
10. Detect the usage of malicious or vulnerable code (using open source SCA tools)
11. Detect the usage of non-compliant dependencies as defined by license or other metadata

For some of these plugins and use cases, you'll want to improve our configuration definition (proxy.config.json) to support a users definition of custom requirements, i.e. defining custom file types or swear words that aren't supported by your implementation.

We encourage you to create an issue with any new plugin ideas you have 💡 That way, we can anticipate pull requests and support you during the course of the hack-a-thon if you have any questions.

Technical Stuff 🤖

In any programming language, imagine you are starting with a String which contains the contents of a git diff command - a difference between two commits. The git diff String will look something like this:

diff --git a/package-lock.json b/package-lock.json
index b704b979..72058f04 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -74,6 +74,7 @@
         "mocha": "^10.2.0",
         "nyc": "^17.0.0",
         "prettier": "^3.0.0",
+        "sinon": "^19.0.2",
         "vite": "^4.4.2"
       },
       "optionalDependencies": {
@@ -2863,6 +2864,55 @@
         "util": "^0.12.4"
       }
     },

This shows a part of the entire diff associated with a real commit on the GitProxy repository. You can view the human readable version of the commit here and the git diff here.

Your plugin, at the most basic level, should look something like this pseudo-code:

const diff = 'your diff here' // feel free to use a diff from any repository

const results = runMyPlugin(diff).results; // provide the diff as an input to your plugin

return results;

Bear in mind, to actually run your plugin via GitProxy, you'll need to follow the documentation.

Quick Tips 🤝

1. Don't be afraid to open an issue or a pull request; you are all welcome 👍
2. Feel free to ping @JamieSlome or @coopernetes for any support during the period of the hack-a-thon
3. If you find something is broken with GitProxy or inaccurate in our docs, fix it; we appreciate any contribution ❤️
4. To work on this use case, you can either fork directly, or create a new repository with just your plugin 👍

Let the hacking commence...

[rahulshah80]

Test comment for Hackathon

[Psingle20]

@JamieSlome I just had a Question while creating feat (eg : Detecting for sensitive Pattern ) should we consider analysing the entire files which have been changed or for this particular case it is better to just parse the diff content and then check for sensitive pattern ?

[Psingle20]

@JamieSlome @coopernetes we did not receive any mail regarding code submission. I have opened a PR #798 which contains all the code before the submission deadline. If there are any further step which we need to take then please let us know