How to prevent Dev from committing secrets and credentials into git repositories

Tool Demos: Talisman & Trufflehog

Lighting Talk : 10 mins Talk (25/03/2020)

Abhinav Sejpal

DevSecOps Consultant at Accenture

OWASP Suffolk - Leader

---------------------------------

https://twitter.com/abhinavsejpal

https://www.bugwrangler.in/

Disclaimer :

The opinion expressed here are my own, there is no relation with my employer or clients.
Tools/Project mentioned here is just an example – No Recommendation.
Every environment is different: Test and validate before implementing any ideas

DevSecOps

Stop Code Leaking the Secrets

Demo : Trufflehog

https://github.com/Netflix/eureka

---- Vulnerable Commit ----

https://github.com/Netflix/eureka/blob/eac002d49d507a305b4b6cedeb371777773f0cfe/eureka-server/main/conf/discovery-test.properties

https://git-scm.com/docs/githooks

Git hook

No Debate: Git is one of the most brilliant pieces of software ever written!

99% DevOps Squads are using Git methodology

Talisman supports MAC OSX, Linux and Windows

Talisman can be installed and used in one of the following ways:

As a git hook as a global git hook template and a CLI utility (for git repo scanning)
As a git hook into a single git repository

Talisman can be set up as either a pre-commit or pre-push hook on the git repositories.

Disclaimer: Secrets creeping in via a forced push in a git repository cannot be detected by Talisman. A forced push is believed to be notorious in its own ways, and I suggest git repository admins to apply appropriate measures to authorize such activities.

https://github.com/thoughtworks/talisman

Encoded values - scans for encoded secrets in Base64, hex etc.
File content - scans for suspicious content in a file that could be potential secrets or passwords
File size - scans for large files that may potentially contain keys or other secrets
Entropy - scans for content with high entropy that is likely to contain passwords
Credit card numbers - scans for content that could be potential credit card numbers
File names - scans for file names and extensions that could indicate them potentially containing secrets, such as keys, credentials etc

Talisman Test Scenarios :

Ignoring Files

If you're really sure you want to push that file, you can configure it into the .talismanrc file in the project root. The contents required for ignoring your failed files will be printed by Talisman on the console immediately after the Talisman Error Report:

Entering this in the .talismanrc file will ensure that Talisman will ignore the danger.pem file as long as the checksum matches the value mentioned in the checksum field.

skip or bypass a pre-commit hook in git

commit --no-verify

Demo

Git Secrets tools

Talisman – https://github.com/thoughtworks/talisman
Crass – https://github.com/floyd-fuh/crass
Git Hooks – https://githooks.com/
Git Secrets – https://git-secret.io/
Pre Commit – https://pre-commit.com/
Detect Secrets – https://github.com/Yelp/detect-secrets
Git Hound – https://github.com/ezekg/git-hound
Truffle Hog – https://github.com/dxa4481/truffleHog