SecOps

Prevent AWS secrets from reaching a git repository

Prevents you from committing passwords and other sensitive information to a git repository.

Your AWS account is a priceless target for the bad guys. With access to its security credentials, an attacker is able to steal sensitive data, use resources at your expense, or sabotage your cloud infrastructure.

Almost 4 years ago, AWS and its customers observed that the bad guys had started tracking GitHub’s public repositories for security credentials that would allow them to access AWS accounts. It turns out that even the most cautious DevSecOps Cloud & Software Engineers are not immune to committing secrets to public GitHub repositories by mistake from time to time. We’re all human!

Lately, while working with one of our consulting clients to improve the security of their environment, we decided to widely implement and enforce the use of a very useful tool that prevents you from adding secrets to your Git repositories: git-secrets.

git-secrets lets you install hooks in your local repositories. If you ever try to commit security credentials, the commit will fail.

Installation

The following steps will download and install the latest version of git-secrets.

git clone https://github.com/awslabs/git-secrets
cd git-secrets
make install

Configurations

You’re not done yet! You MUST install the git hooks for every repo that you wish to use with git secrets --install.

Here’s a quick example of how to ensure a git repository is scanned for secrets on each commit:

cd /path/to/my/repo
git secrets --install
git secrets --register-aws

Advanced configurations (RECOMMENDED)

Add a configuration template if you want to add hooks to all repositories you initialize or clone in the future.

git secrets --register-aws --global

Add hooks to all your local repositories.

git secrets --install ~/.git-templates/git-secrets
git config --global init.templateDir ~/.git-templates/git-secrets

Add custom providers to scan for security credentials.

git secrets --add-provider -- cat /path/to/secret/file/patterns

Before making public a repository (RECOMMENDED)

With git-secrets it is also possible to scan a repository, including all of its revisions:

git secrets --scan-history

Example output when git secrets are detected

git commit -m "DEVOPS-100 updating spinnaker configs"

Unable to commit
kubernetes/extras/spinnaker/Halyard/hal-1.8.5.config.yml:213:   accessKeyId: AFJASOJDASLJXXXXXXXX
[ERROR] Matched one or more prohibited patterns
Possible mitigations:
- Mark false positives as allowed using: git config --add secrets.allowed ...
- Mark false positives as allowed by adding regular expressions to .gitallowed at repository's root directory
- List your configured patterns: git config --get-all secrets.patterns
- List your configured allowed patterns: git config --get-all secrets.allowed
- List your configured allowed patterns in .gitallowed at repository's root directory
- Use --no-verify if this is a one-time false positive
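The check behind the output above, as an added example that is not code from git-secrets or from the original post: a portable stand-in for what `git secrets --scan FILE` does, so the same check can run on a CI server that does not have the tool. The regexes are assumed to follow the shape of git-secrets' AWS patterns (not copied from the tool), and the sample files and key values are constructed for the demo.

```shell
# Added example (not git-secrets' own code): a portable stand-in for what
# `git secrets --scan FILE` does on each commit, usable on a CI server too.
# Grep for the AWS credential shapes --register-aws prohibits, drop lines
# covered by an allow list (the .gitallowed idea), fail if anything remains.
# Assumption: these regexes follow the shape of git-secrets' AWS patterns.
AWS_PROHIBITED='(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}
(SECRET|secret|Secret)_?(ACCESS|access|Access)?_?(KEY|key|Key)[^A-Za-z0-9]{1,6}[A-Za-z0-9/+=]{40}'
# Allowed patterns: the well-known AWS documentation example keys.
AWS_ALLOWED='AKIAIOSFODNN7EXAMPLE
wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'

# scan_aws_secrets FILE: print file:line:content for each prohibited match not
# covered by the allow list; return 1 if any remain, 0 if the file is clean.
scan_aws_secrets() {
    prohibited=$(mktemp) && allowed=$(mktemp) || return 2
    printf '%s\n' "$AWS_PROHIBITED" > "$prohibited"
    printf '%s\n' "$AWS_ALLOWED" > "$allowed"
    # -n adds line numbers, -H forces the file name: git-secrets' output format
    hits=$(grep -EnH -f "$prohibited" "$1" | grep -Ev -f "$allowed" || true)
    rm -f "$prohibited" "$allowed"
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        echo '[ERROR] Matched one or more prohibited patterns' >&2
        return 1
    fi
    return 0
}

# Constructed sample: a config that leaks a fake key pair (values made up).
LEAKY_SAMPLE=$(mktemp)
cat > "$LEAKY_SAMPLE" <<'EOF'
aws:
  accessKeyId: AKIACONSTRUCTED00001
  aws_secret_access_key = constructedSecretconstructedSecret012345
  region: us-east-1
EOF
# Constructed sample: only the documentation example keys, which are allowed.
CLEAN_SAMPLE=$(mktemp)
cat > "$CLEAN_SAMPLE" <<'EOF'
aws:
  accessKeyId: AKIAIOSFODNN7EXAMPLE
  secretAccessKey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
EOF

# Stand-alone demo: the leaky file is rejected, the clean one passes.
scan_aws_secrets "$LEAKY_SAMPLE" || echo "commit would be blocked"
scan_aws_secrets "$CLEAN_SAMPLE" && echo "clean file passes"
```

Wire `scan_aws_secrets` into a CI job over the changed files to get the same rejection outside the developer's machine; the real tool's `--scan-history` remains the way to audit existing revisions.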

git-secrets is a simple tool that prevents you from committing secrets and credentials into Git repositories. You can also integrate it with your CI server, such as Jenkins, to run scans regularly. We’ve had great results at Binbash, so we can fully recommend using it!

Exequiel Barrirero | Binbash DevSecOps Cloud Engineer