{"id":39075626,"url":"https://github.com/cloud-gov/caulking","last_synced_at":"2026-01-17T18:26:27.733Z","repository":{"id":37066798,"uuid":"247073664","full_name":"cloud-gov/caulking","owner":"cloud-gov","description":"Prevent leaks with gitleaks, and use tests to validate","archived":false,"fork":false,"pushed_at":"2025-11-06T01:58:40.000Z","size":422,"stargazers_count":32,"open_issues_count":10,"forks_count":16,"subscribers_count":10,"default_branch":"main","last_synced_at":"2025-11-06T03:26:59.366Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cloud-gov.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2020-03-13T13:08:28.000Z","updated_at":"2025-05-28T15:14:42.000Z","dependencies_parsed_at":"2024-04-10T16:42:32.647Z","dependency_job_id":"490f17e7-29b6-4443-b145-2044498962b1","html_url":"https://github.com/cloud-gov/caulking","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/cloud-gov/caulking","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloud-gov%2Fcaulking","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloud-gov%2Fcaulking/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloud-gov%2Fcaulking/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloud-gov%2Fcaulking/manifests","owner_url":"https://repos.ecosys
te.ms/api/v1/hosts/GitHub/owners/cloud-gov","download_url":"https://codeload.github.com/cloud-gov/caulking/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloud-gov%2Fcaulking/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28515471,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-17T17:57:59.192Z","status":"ssl_error","status_checked_at":"2026-01-17T17:57:52.527Z","response_time":85,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-01-17T18:26:27.614Z","updated_at":"2026-01-17T18:26:27.688Z","avatar_url":"https://github.com/cloud-gov.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Caulking stops leaks\n\n![caulking gun with grey caulk oozing out](https://upload.wikimedia.org/wikipedia/commons/thumb/3/37/Caulking.jpg/757px-Caulking.jpg)\n\nGoals:\n\n* Simplify installation of git leak prevention and rules with `make install`\n* Simplify auditing local systems for leak prevention with `make audit`\n* Support adding and testing rules\n\n## Installation notes\n\nClone the repository with the `--recurse-submodules` flag. 
Or, if you have already cloned the repository without the flag, run `git submodule update --init --recursive` from the root of the repository to initialize all submodules.\n\n`make install` will install `gitleaks`. The install will:\n\n* install `gitleaks`\n  * **Note:** Only `gitleaks` version 8 is currently supported.\n* add a global `pre-commit` hook to `$HOME/.git-support/hooks/pre-commit`\n* add the configuration with patterns to `$HOME/.git-support/gitleaks.toml`\n\nYou now have the gitleaks pre-commit hook enabled globally.\n\n## Bug warning\n\nIf you get the error `reference not found` on a new repository, be sure you've run `brew upgrade gitleaks` to install version 4.1.1 or later.\n\n## Auditing notes - how to test if this is working\n\n\u003e **Please note:** You will need to use a `gsa.gov` email address for your commits in order for the audit tests to pass. See [the GitHub documentation on how to set your commit email](https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-github-user-account/managing-email-preferences/setting-your-commit-email-address#setting-your-commit-email-address-in-git).\n\nThe `make audit` target installs prerequisites then runs the test harness `bats caulked.bats` and outputs whether the tests pass or fail. All tests must pass to be considered a successful install/audit.\n\nThe tests check for a working `gitleaks` setup, and that you haven't inadvertently disabled `gitleaks` in your repositories. They check:\n\n* that common patterns of secrets cause a commit to fail\n* that `hooks.gitleaks` is set to true underneath $HOME, down to the $MAXDEPTH setting\n* that any custom `/.git/hooks/pre-commit` scripts also still call `gitleaks`\n\nThese assume a compliant engineer who wants to abide by use of `gitleaks`, and doesn't deliberately subvert that intent.\n\n## What now?\n\nYou have installed gitleaks and our patterns, and you've verified that all of your repositories are not inadvertently sidestepping the caulking. 
Continue on with your day. We may periodically ask you to run `make patterns` and `make audit` to update your rules and test that you are still protected from committing known secret patterns.\n\nIf you get a `git commit` error message like this:\n\n```json\n{\n    \"line\": \"Juana M. is at juana@example.com\",\n    \"offender\": \"javier@example.com\",\n    \"commit\": \"0000000000000000000000000000000000000000\",\n    \"repo\": \"gittest.ffqOwg\",\n    \"rule\": \"Email\",\n    \"commitMessage\": \"***STAGED CHANGES***\",\n    \"author\": \"\",\n    \"email\": \"\",\n    \"file\": \"secretsfile.md\",\n    \"date\": \"1970-01-01T00:00:00Z\",\n    \"tags\": \"email\"\n}\n```\n\nThen, remove or fix the offending line.\n\n### But what if the \"offending line\" isn't a secret?\n\nYou have a couple of choices:\n\n* Submit a PR to improve our patterns (guidance forthcoming)\n* Submit an issue to this repo, and then ignore `gitleaks` for the commit with:\n\n    ```shell\n    SKIP=gitleaks git commit -m \"message\"\n    ```\n\n    Then type `y` when you see this prompt:\n\n    ```shell\n    Do you want to SKIP gitleaks? [y/n] y\n    ```\n\n## Development tips\n\nTo work on patterns, add test cases to `development.bats`, update patterns in `local.toml` then\nrun `bats development.bats`.  
Here are some shortcuts:\n\n* `make hook`: update `~/.git-support/hooks/pre-commit` from local `pre-commit.sh`\n* `make patterns`: update the `gitleaks` configuration in `~/.git-support/gitleaks.toml` from local `local.toml`\n* `make audit`: see that everything works together.\n\n## Running bats tests\n\nTo run a file of bats tests:\n\n```shell\n./test/bats/bin/bats -p caulked.bats\n```\n\nTo run a specific test or set of tests, pass in a `--filter` argument with a regular expression matching the test(s) you want to run:\n\n```shell\n./test/bats/bin/bats -p caulked.bats --filter \"leak prevention.*\"\n```\n\n## Rule sets\n\nThe following rule sets helped inform our gitleaks.toml:\n\n* \u003chttps://github.com/GSA/odp-code-repository-commit-rules/blob/master/gitleaks/rules.toml\u003e - used for guidance\n* \u003chttps://github.com/gitleaks/gitleaks/blob/master/config/gitleaks.toml\u003e - default gitleaks configuration that our configuration extends from\n\n## What about other hooks? Will they still run?\n\nYes. Caulking runs your other pre-commit hooks automatically.\n\n### pre-commit.com\n\n**Note:** if you're using [pre-commit](https://pre-commit.com/) to manage pre-commit hooks, you'll likely get an error like this when running `pre-commit install`:\n\n```shell\n[ERROR] Cowardly refusing to install hooks with `core.hooksPath` set.\nhint: `git config --unset-all core.hooksPath`\n```\n\nYou can work around this by running:\n\n```shell\nhookspath=$(git config core.hookspath)\ngit config --global --unset-all core.hookspath\npre-commit install\ngit config --global core.hookspath \"${hookspath}\"\n```\n\n[See the GitHub issue for the related discussion](https://github.com/pre-commit/pre-commit/issues/1198).\n\n## Incompatible gitleaks changes\n\nSometimes gitleaks updates will have breaking changes, and you'll need to compare gitleaks\nbetween the current version and an older version. 
To install an older gitleaks version with `brew`:\n\n* Browse the [brew history for the gitleaks formula](https://github.com/Homebrew/homebrew-core/commits/master/Formula/gitleaks.rb)\n* Find the commit that matches the older version you want to roll back to\n* Then run:\n\n    ```shell\n    wget https://raw.githubusercontent.com/Homebrew/homebrew-core/\u003ccommit\u003e/Formula/gitleaks.rb\n    brew unlink gitleaks\n    brew install ./gitleaks.rb\n    ```\n\n* You'll now have the older version.\n\n## Public domain\n\nThis project is in the worldwide public domain. As stated in CONTRIBUTING:\n\n\u003e This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.\n\u003e\n\u003e All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloud-gov%2Fcaulking","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcloud-gov%2Fcaulking","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloud-gov%2Fcaulking/lists"}