feat: citi hackathon code submission

[Psingle20]

This PR can be considered as a submission for the FinOS CitiHackathon.
Team members:

• Prachit Ingle Psingle20
• Shabbir Kaderi shabbirflow
• Chaitanya Deshmukh ChaitanyaD48

---

This PR solves issue #745 #788 #796 #797 #765

GITPROXY PLUGINS

We have worked on the following features :

• Sensitive Data Detection ( in files like .json, .xlsx, .csv )
• Check EXIF Metadata from Images ( .jpg, .jpeg, .tiff )
• Detection of AI/ML usage (incl. weights, models etc.)
• Vulnerability Detection using GitLeaks
• Detection of Non-Standard Cryptography Usage

---

Some Modifications for the Gitleaks and Non-Standard Cryptography Usage are required.

Sensitive Data Detection ( in files like .json, .xlsx, .csv )

Features:
This solves issue #745

• https://github.com/Psingle20/git-proxy/blob/CitiHackathon/src/proxy/processors/push-action/checkSensitiveData.js - This file contains the detection logic
• For this to work, it is required to configure proxy.config.json with the file types for which sensitive data detection is required, for ex:

    "diff": {
      "block": {
        "literals": [],
        "patterns": [],
        "providers": {},
        "proxyFileTypes": [".csv", ".xlsx", ".log", ".json"]
      }
    },

• https://github.com/Psingle20/git-proxy/blob/CitiHackathon/test/CheckSensitive.test.js - Relevant tests are mentioned in this file

---

Check EXIF Metadata from Images ( .jpg, .jpeg, .tiff )

Features:
This solves issue #796

• https://github.com/Psingle20/git-proxy/blob/CitiHackathon/src/proxy/processors/push-action/checkExifJpeg.js - This file contains the logic for EXIF Metadata retrieval and parsing.
• The user can configure proxy.config.json with the file types for which EXIF Metadata needs to be detected.

    "diff": {
      "block": {
        "literals": [],
        "patterns": [],
        "providers": {},
        "proxyFileTypes": [".jpg", ".jpeg", ".tiff"]
      }
    },

• This will block push event if sensitive metadata such as Geolocation information or Camera Make or Model ( or other sensitive information ) is detected.
• Relevant tests are described in https://github.com/Psingle20/git-proxy/blob/CitiHackathon/test/CheckExif.test.js

---

Detection of AI/ML usage (incl. weights, models etc.)

Features:
This solves issue #788

• https://github.com/Psingle20/git-proxy/blob/CitiHackathon/src/proxy/processors/push-action/checkForAiMlUsage.js - This file contains the logic for AI/ML usage detection based on file extensions of model weights, usage of popular ML libraries, common AI functions usage, configuration keys, etc.
• The user can configure proxy.config.json with the parameters for which detection needs to be carried out.

    "aiMlUsage": {
          "enabled": true,
          "blockPatterns": ["modelWeights", "largeDatasets", "aiLibraries", "configKeys", "aiFunctions"]
    }

• https://github.com/Psingle20/git-proxy/blob/CitiHackathon/test/checkAiMlUsage.test.js - Relevant tests are mentioned in this file

---

Vulnerability Detection using GitLeaks

Features:
This solves issue #797

• We have used GitLeaks to detect vulnerabilities in the codebase.
• Checks have been added in gitleaks.toml file
• The main logic of the implementation lies in https://github.com/Psingle20/git-proxy/blob/CitiHackathon/src/proxy/processors/push-action/checkForSecrets file
• The user can configure proxy.config.json to enable / disable the plugin.

    "checkForSecrets": {
      "enabled": false
    },

• A detailed report will be generated gitleaks_reports.json
• Some modifications / minor changes might be required for this to be merged.

---

Detection of Non-Standard Cryptography Usage

This solves issue #765

Features:

• The logic for non - Standard cryptography detection lies in the file https://github.com/Psingle20/git-proxy/blob/CitiHackathon/src/proxy/processors/push-action/checkCryptoImplementation.js
• Relevant tests for core functionality have been described in https://github.com/Psingle20/git-proxy/blob/CitiHackathon/test/checkCryptoImplementation.test.js
• Some modifications / minor changes might be required for this to be merged.

[netlify]

✅ Deploy Preview for endearing-brigadeiros-63f9d0 canceled.

Name	Link
🔨 Latest commit	11d8797
🔍 Latest deploy log	https://app.netlify.com/sites/endearing-brigadeiros-63f9d0/deploys/674212a63f2e710008cec325

[Psingle20]

@JamieSlome this PR can be considered as the official submission for Hackathon. It contains all the feature me and my team members have worked on . Please review it and let us know if any changes are required.

[rgmz]

* We have used GitLeaks to detect vulnerabilities in the codebase.

Gitleaks detects secrets + and any other configured pattern. It doesn't detect vulnerabilities per se.

Features: This solves issue #765

This looks like a typo. The linked issue is "Detect the usage of Non-Standard Cryptography Implementation".

[rgmz]

Are these rules created for this PR or copied from somewhere? Gitleaks has a number of features, such as keywords, entropy, and allowlist(s) that improve performance and effectiveness.

[Psingle20]

these rules are specifically for this PR
we were trying to use it for scanning directories for secrets like AWS access Key which user may write in the code files.
That feature is still in progress as we have written in the comment above as well. Some changes are required.

[rgmz]

these rules are specifically for this PR

What's the rationale for doing so versus using Gitleaks' default config?

[rgmz]

This actually shouldn't be flagged because it's obviously false positive. The default Gitleaks aws-access-token rule explicitly ignores results that end in EXAMPLE.

https://github.com/gitleaks/gitleaks/blob/7f77987d91c590e021d9fa2b3c0e57c4a4376147/config/gitleaks.toml#L168-L171