Introduction of gitleaks as a pre-commit git hook to prevent secrets from getting committed once activated #1674
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 11 commits
July 20, 2021 13:46
…ks to scan your staged changes for secrets
added 3 commits
July 20, 2021 16:51
…ludes a check that the file you are running is indeed marked as +x
…ge underneath us, instead of using 'latest'
td-usds
changed the title
td-usds
changed the title
ronaldheft-gov
suggested changes
Jul 26, 2021
added 7 commits
July 26, 2021 12:00
…d, we use 2 regular arrays that we map to one another using indices
added 9 commits
July 28, 2021 12:32
…is a binary in linux, so do not clash, I'm using 'note')
td-usds
commented
Jul 28, 2021
| - uses: actions/checkout@v2 | ||
| with: | ||
| # Fetch the full history | ||
| fetch-depth: 0 |
There was a problem hiding this comment.
See https://github.com/actions/checkout/blob/main/README.md:
# Number of commits to fetch. 0 indicates all history for all branches and tags.
# Default: 1
fetch-depth: ''
added 4 commits
July 29, 2021 09:42
Also making cleanslate callable from anywhere
|
Kudos, SonarCloud Quality Gate passed!
|
MauriceReeves-usds
approved these changes
Jul 29, 2021
ronaldheft-gov
approved these changes
Jul 29, 2021
Comment on lines
+34
to
+55
| regexes = [ | ||
| '(?i)@cdc.local', | ||
| '(?i)@email.com', | ||
| '(?i)@organization.tld', | ||
| '(?i)a@cdc.gov', | ||
| '(?i)adhelpdsk@cdc.gov', | ||
| '(?i)data@cdc.gov', | ||
| '(?i)e.ripley@weylandyutani.com', | ||
| '(?i)jbrush@avantecenters.com', | ||
| '(?i)jj@phd.gov', | ||
| '(?i)joe.jones@az.pima.gov', | ||
| '(?i)local@test.com', | ||
| '(?i)noreply@cdc.gov', | ||
| '(?i)prime@cdc.gov', | ||
| '(?i)qom6@cdc.gov', | ||
| '(?i)qtv1@cdc.gov', | ||
| '(?i)qva8@cdc.gov', | ||
| '(?i)reportstream@cdc.gov', | ||
| '(?i)support@simplereport.gov', | ||
| '(?i)usds@cdc.gov', | ||
| '(?i)usds@omb.eop.gov', | ||
| ] |
There was a problem hiding this comment.
Looked up where these emails are. Interesting some are in docs. Not sure if we should have a client's email in a doc, but that's for a separate PR.
| @@ -0,0 +1,281 @@ | |||
| title = "PRIME ReportStream Gitleaks Configuration" | |||
JosiahSiegel
added a commit
that referenced
this pull request
Jan 11, 2022
…t-trust' into josiahsiegel/#3775-deploy-frontend-efficiency
JosiahSiegel
added a commit
that referenced
this pull request
Jan 12, 2022
JosiahSiegel
added a commit
that referenced
this pull request
Jan 12, 2022
* closes #1647 sign docker image * run dct steps if key vault set * do not sign image if env.USE_DCT != true
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
See also #1645
Introduction
This PR introduces gitleaks as a pre-commit hook to git (to be set up by each individual developer) combined with scripts to both set up your hooks and run that hook in a stand-alone fashion.
It also makes gitleaks run on a schedule over (a subset of) the repository's history (see below for more info and explanation).
The purpose of this work is to lower the probability of a developer inadvertently committing sensitive values and having a commit-time check present to prevent this from happening (i.e. preventing the commit from being created). Since our repository is a public repository, GitHub will automatically scan it for committed secrets and if it finds them, it will reach out to the issuer to take appropriate action (and it is up to the issuer to take whichever action it deems fit if it decides to do so, which could be 'revoke this secret' - e.g. based on a check of "is this an actual live secret or something that just matches our pattern?"). However, this check is post-factum and at the point in time when it is already too late (the secret is committed and has been pushed up for everyone to see).
Thus we introduce a mechanism to prevent the commit in the first place using a git pre-commit hook. This introduces one check that is done pre-commit and scans all files that are marked in git as "staged" for secrets (to keep it fast and snappy - see "known limitations" below as well) and will prevent the commit from being created if the tool finds HITs for any of the defined patterns.
The hooks are also installed upon an invocation of
prime-router/cleanslate.shto make sure you get into a known good state. Git hooks are also explained in the getting-started.md document.Most of work is stored in the
.environment/directory at the root of the repository; the rationale being this help you set up your environment. I'm not married to that name...NOTE: this needs a security review and/or consideration because those who install the hook, "trust" that the called code is something they want to run. There is an attack scenario where an ill-wisher changes the called code in the runner (to do something bad) which will now get run by every developer. We need to consider this carefully and keep a close eye on changes to these hook runners!
Some things to look at (all inside
.environment/)./githooks.sh: a helper script to install/enable or remove the git hook configuration. This script will need to be run by each and every committed to the repository in each and every clone. run./githooks.shwithout arguments to learn more about its options. This script is set up so that if we want to take advantage of more git hooks in the future (e.g.pre-push,pre-merge-commit, etc...), we can easily have this script do that for us.pre-commit.hook.sh: this is the file that gets 'installed' as.git/hooks/pre-commit. It is a delegation script that just hands control over to the actual real implementation of the pre-commit hook, which in turn is stored in.environment/pre-commit.runner.sh. The reason for the existence of this file is so that once the hook is installed, we can add more actions to the pre-commit hook by modifying the the runner file without the need to reinstall the hook itself: you just commit "more" into the runner file and that gets picked up by your previously installed hook. This file is just a dumb pass-through. Changes to this file will require a new running ofgithooks.shto be reflected in your clones.pre-commit.runner.sh: this file is called by the pre-commit hook (which in turn, is installed at.git/hooks/pre-commitfrom thepre-commit.hook.shfile) and actually runs the different checks we want to enforce pre-committing. In its current shape, this file runs gitleaks solely on your uncommitted changes. It does this by invoking all files specified in the${CHECKS_TO_RUN}variable, which must be marked as +x (executable). Adding additional checks in the future is as simple as creating a new shell script, and adding it to the${CHECKS_TO_RUN}variable./gitleaks/directory: This directory contains the code that invokes the Gitleaks tool onto your uncommitted changes. There is therun-gitleaks.shscript which invokes gitleaks as a container and bind mounts your repository into it; and there'sgitleaks-config.tomlwhich contains the rules that gitleaks is scanning for. These rules are things that we will have to maintain to make sure we have the necessary coverage of sensitive values. On completion, the tool either reports 0 (success: no leaks) or non-zero (failure: leaks), which then gets rolled back up into the git commit invocation, which in turn only proceeds if the pre-commit hook reports back 0 as return code.Note that the
.environment/pre-commit.runner.shand.environment/gitleaks/run-gitleaks.shscripts can both be invoked manually in the event you should want to do that (e.g. to test that your modifications to the config file are effectual).The gitleaks tool is set up to report out into both of these files at the same time (which are entered into
.gitignore):${REPO_ROOT}/gitleaks.log: its human readable output${REPO_ROOT}/gitleaks.report.json: a json file containing eithernull(the literal "null") or json content that lets you hunt down the violations.Some stuff outside of
.environment/This introduces a new GitHub action that runs on a schedule, defined in
.github/run_gitleaks.yml: this action will run over the entire history of the repository SINCE (and including) the specified commit. In other words it runs on the interval[<since_commit_hash>, HEAD]. The reason we specify a boundary is because we have had some commits that contain 'leaks'. Those have either since been mitigated (and can be found again by disabling the allowlists in thegitleaks-config.tomlfile) and which we don't want to have show up as false positives.In other words, we consider the specified commit as an LKG (Last Known Good) and work forward from there, assuming that there are no violations moving forward.
In the future, if we do have a violation, this will trip and we will have to fix it. which means that after fixing it, we'll have to update the commit hash specified in the
run_gitleaks.ymlfile as well. This is intentional because now we have a clear audit trail of all the different points in time that we designated an LKG.Known limitations
pre-commit.runner.shinvoked from thepre-commithook)--no-verifyto mygit commitinvocation or by uninstalling the hook (but this leaves a trail, obviously)foowith content that trips a rule; you stage this fileOutstanding work
SendGridTwilioOktaIPv(4|6) addressesRun gitleaks on a schedule as a GitHub Action