Abhinav Sejpal
Fell in love with the power of software at age 17, and I am still in love. I'm the one your mom warned you about, So be careful and Follow me.
How to prevent Dev from committing secrets and credentials into git repositories
Tool Demos: Talisman & Trufflehog
Lighting Talk : 10 mins Talk (25/03/2020)
Abhinav Sejpal
DevSecOps Consultant at Accenture
OWASP Suffolk - Leader
---------------------------------
Disclaimer :
- The opinion expressed here are my own, there is no relation with my employer or clients.
- Tools/Project mentioned here is just an example – No Recommendation.
- Every environment is different: Test and validate before implementing any ideas
DevSecOps
Stop Code Leaking the Secrets
Demo : Trufflehog
Git hook
No Debate: Git is one of the most brilliant pieces of software ever written!
99% DevOps Squads are using Git methodology
Talisman supports MAC OSX, Linux and Windows
Talisman can be installed and used in one of the following ways:
- As a git hook as a global git hook template and a CLI utility (for git repo scanning)
- As a git hook into a single git repository
Talisman can be set up as either a pre-commit or pre-push hook on the git repositories.
Disclaimer: Secrets creeping in via a forced push in a git repository cannot be detected by Talisman. A forced push is believed to be notorious in its own ways, and I suggest git repository admins to apply appropriate measures to authorize such activities.
- Encoded values - scans for encoded secrets in Base64, hex etc.
- File content - scans for suspicious content in a file that could be potential secrets or passwords
- File size - scans for large files that may potentially contain keys or other secrets
- Entropy - scans for content with high entropy that is likely to contain passwords
- Credit card numbers - scans for content that could be potential credit card numbers
- File names - scans for file names and extensions that could indicate them potentially containing secrets, such as keys, credentials etc
Talisman Test Scenarios :
Ignoring Files
If you're really sure you want to push that file, you can configure it into the .talismanrc file in the project root. The contents required for ignoring your failed files will be printed by Talisman on the console immediately after the Talisman Error Report:
Entering this in the .talismanrc file will ensure that Talisman will ignore the danger.pem file as long as the checksum matches the value mentioned in the checksum field.
or
skip or bypass a pre-commit hook in git
commit --no-verify
Demo
Git Secrets tools
- Talisman – https://github.com/thoughtworks/talisman
- Crass – https://github.com/floyd-fuh/crass
- Git Hooks – https://githooks.com/
- Git Secrets – https://git-secret.io/
- Pre Commit – https://pre-commit.com/
- Detect Secrets – https://github.com/Yelp/detect-secrets
- Git Hound – https://github.com/ezekg/git-hound
- Truffle Hog – https://github.com/dxa4481/truffleHog
Thank you!
Prevent Dev from Committing Secrets into git repositories
By Abhinav Sejpal
Prevent Dev from Committing Secrets into git repositories
Sensitive information such as the AWS keys, access tokens, SSH keys etc. are often erroneously leaked via the public source code repositories due to accidental git commits. This can be avoided by using pre-commit hooks like “Talisman” which checks for sensitive information in the files before commits or push activity.
