Prevents you from committing passwords and other sensitive information to a git repository.
Your AWS account is a priceless target for the bad guys. With access to its security credentials, an attacker is able to steal sensitive data, use resources at your expense, or sabotage your cloud infrastructure.
Almost 4 years ago, AWS and its customers observed that the bad guys had started tracking GitHub's public repositories for security credentials that would allow them to access AWS accounts. It turns out that even the most cautious DevSecOps Cloud & Software Engineers are not exempt from committing secrets to GitHub public repositories by mistake from time to time. We're all humans!
Lately when working with one of our consulting clients to increase the security of their environment, we’ve decided to widely implement and enforce the use of a very useful tool that prevents you from adding secrets to your Git repositories: git-secrets.
git-secrets allows you to create hooks for your local repositories. If you ever try to commit security credentials, the commit will fail.
The following steps will download and install the latest version of git-secrets.
git clone https://github.com/awslabs/git-secrets
cd git-secrets
make install
You're not done yet! You MUST install the git hooks for every repo that you wish to use with git secrets --install.
Here’s a quick example of how to ensure a git repository is scanned for secrets on each commit:
cd /path/to/my/repo
git secrets --install
git secrets --register-aws
Advanced configurations (RECOMMENDED)
Add a configuration template if you want to add hooks to all repositories you initialize or clone in the future.
git secrets --register-aws --global
Add hooks to all your local repositories.
git secrets --install ~/.git-templates/git-secrets
git config --global init.templateDir ~/.git-templates/git-secrets
Add custom providers to scan for security credentials.
git secrets --add-provider -- cat /path/to/secret/file/patterns
Before making public a repository (RECOMMENDED)
With git-secrets it is also possible to scan a repository, including all of its revisions:
git secrets --scan-history
Example output when secrets are detected
git commit -m "DEVOPS-100 updating spinnaker configs"
Unable to commit kubernetes/extras/spinnaker/Halyard/hal-1.8.5.config.yml:213: accessKeyId: AFJASOJDASLJXXXXXXXX
[ERROR] Matched one or more prohibited patterns
Possible mitigations:
- Mark false positives as allowed using: git config --add secrets.allowed ...
- Mark false positives as allowed by adding regular expressions to .gitallowed at repository's root directory
- List your configured patterns: git config --get-all secrets.patterns
- List your configured allowed patterns: git config --get-all secrets.allowed
- List your configured allowed patterns in .gitallowed at repository's root directory
- Use --no-verify if this is a one-time false positive
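To make the hook's decision concrete, here is an added example (not code from git-secrets or from this post) that applies prohibited and allowed patterns line by line the way the pre-commit hook does, and prints findings in the file:line:content form shown above. The patterns are simplified approximations of the ones --register-aws installs (assumed, not copied from the tool), the file content is constructed, and scan_text and report are hypothetical names.

```python
import re

# Constructed for this example: simplified stand-ins for the patterns that
# `git secrets --register-aws` installs (assumed shape, not the tool's exact regexes).
PROHIBITED = [
    r"\b[A-Z0-9]{20}\b",  # 20-char uppercase token, the shape of an AWS access key id
    r"(?i)(aws_?)?secret_?(access_?)?key\s*[:=>]+\s*['\"]?[A-Za-z0-9/+=]{40}",
]
# Equivalent of secrets.allowed / .gitallowed: a line matching any of these is
# ignored even if it also matches a prohibited pattern (AWS documentation example keys).
ALLOWED = [
    r"AKIAIOSFODNN7EXAMPLE",
    r"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
]


def scan_text(path, text, prohibited=PROHIBITED, allowed=ALLOWED):
    """Return (path, line_no, line) for every line that matches a prohibited
    pattern and no allowed pattern, which is how the hook decides to block a commit."""
    bad = [re.compile(p) for p in prohibited]
    ok = [re.compile(a) for a in allowed]
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        if any(r.search(line) for r in bad) and not any(r.search(line) for r in ok):
            hits.append((path, n, line))
    return hits


def report(hits):
    """Format findings like git-secrets does: file:line:content, then the error line."""
    out = [f"{p}:{n}:{l}" for p, n, l in hits]
    if out:
        out.append("[ERROR] Matched one or more prohibited patterns")
    return "\n".join(out)


# Constructed sample file: a key-id-shaped value (as in the output above), an AWS
# docs example key (allowed), a made-up 40-char secret, and an ordinary line.
SAMPLE = """\
spinnaker:
  accessKeyId: AFJASOJDASLJXXXXXXXX
  exampleKeyFromDocs: AKIAIOSFODNN7EXAMPLE
  aws_secret_access_key = abcdefghijklmnopqrstuvwxyz0123456789ABCD
  region: us-east-1
"""

if __name__ == "__main__":
    print(report(scan_text("hal.config.yml", SAMPLE)))
    # Marking the first hit as a false positive (what `git config --add secrets.allowed`
    # or a .gitallowed entry does) leaves only the secret key line.
    print(report(scan_text("hal.config.yml", SAMPLE, allowed=ALLOWED + [r"AFJASOJDASLJ"])))
```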
git-secrets is a simple tool that prevents you from committing secrets and credentials into Git repositories. You can also integrate it with your CI server, such as Jenkins, in order to run frequent scans. We've had great results at Binbash, so we can fully recommend using it!
Exequiel Barrirero | Binbash DevSecOps Cloud Engineer