Secret keys in your code? Worry no more
Sandeep Gokhale
November 2nd, 2024
Prevent accidental exposure of confidential information
Security Breach
Did you know that 82% of breaches involve a human element such as social attacks, errors, or misuse, and that many of them originate with developers accidentally exposing sensitive information like passwords, keys, or secrets?
The average cost of a data breach in 2023 is $4.45 million, a 15% increase over the past 3 years. – IBM
Many of the biggest breaches stem from seemingly small mistakes, like leaving an API key or password exposed. With cyberattacks happening at an alarming frequency, the security of your codebase is no longer optional—it’s essential.
Imagine this
A developer, by mistake, commits an API key or password to your public or private repository. That alone is enough to open the floodgates to security breaches, leaving your entire project vulnerable. Once that sensitive data is exposed, the consequences can be swift and severe:
- Immediate Exploitation
- Service Disruptions
- Unmet Compliance
- Financial Losses
- Reputational Damage, and more.
Be Safe, Not Sorry
It’s far easier to avoid exposing secrets in the first place than to deal with the “after effects” of a breach. With 10X developers, the fail-fast methodology, and the pace at which “modern” development happens (not to mention copy/pasted AI code), it’s easy to commit a secret to the repo unless there is a non-human way to prevent it. This is where tools shine.
Git Secrets – Open Source Tool
Git Secrets is a simple yet powerful way to make sure you’re never caught off guard by an exposed credential. It’s a “preventive” approach that ensures the security of your code, saving you from costly mistakes and the potentially devastating consequences of a breach. Knowing how Git hooks work will make everything easier.
Prerequisites
- A Git repository
- Knowledge of how to run scripts in Git Bash or PowerShell
Easy to Install and Use
Installing Git Secrets is straightforward. The documentation in their GitHub repository is decent and easy to follow.
1. Clone the repo: https://github.com/awslabs/git-secrets
2. Install Git Secrets.
For Windows: open PowerShell as admin and run the commands below.
1. Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
2. ./install.ps1
For Linux: it’s just `make install`. Check the GitHub repo for more details.
3. Start Using Git Secrets.
Navigate to your repository and install the hooks as shown below.
cd /path/to/repo
git secrets --install
git secrets --register-aws
# The second command installs the git-secrets hooks into this repo; the third registers
# the AWS credential patterns, so AWS secrets are caught at commit time and never pushed.
4. Add Hooks to every new repository
git secrets --install ~/.git-templates/git-secrets
git config --global init.templateDir ~/.git-templates/git-secrets
# Installing into a template directory makes every repository you init or clone
# from now on pick up the hooks automatically.
5. Add a prohibited pattern to the current repo:
git secrets --add 'password\s*=\s*.+'
# The pattern above ensures that no line containing `password=` (with any value after it) can be committed.
# The commit fails until the line is changed or removed.
6. If you want to allow a specific dummy value after `=` instead of blocking the pattern completely, use the command below:
git secrets --add --allowed --literal 'ex@mplepassword'
Now password='ex@mplepassword' will be accepted.
Run a Scan
Once installation and setup are complete, run a scan to check whether the codebase exposes any secrets. It goes without saying that you need to know “how” secrets are defined in your application.
I highly recommend testing Git Secrets via a scan before making it live and enabling it for all users.
git secrets --scan                        # scans the files in the repo that are tracked by git
git secrets --scan --untracked            # scans tracked and untracked files
git secrets --scan /path/to/file          # scans a single file
git secrets --scan -r /path/to/directory  # scans a directory recursively
How to Test
After the initial setup, every time a developer tries to commit to the repo the check runs automatically, and any commit that would push a secret into the repository is rejected.
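The prohibited and allowed patterns from steps 5 and 6, the scan, and the commit-time rejection described above, shown as an added example that is not part of the original post or of git-secrets itself. It is a small POSIX shell re-implementation of the check that the git-secrets pre-commit hook performs, needing only grep, so it runs without the tool installed. The patterns, allowed literals and sample file are constructed for the demonstration, and the AWS key pattern is my own approximation rather than the exact pattern that `--register-aws` installs.

```shell
#!/bin/sh
# Added example, not git-secrets' own code: a minimal re-implementation of the
# prohibited/allowed pattern check that the git-secrets pre-commit hook applies,
# so the effect of `git secrets --add` and `--add --allowed --literal` can be
# seen without the tool installed. All patterns and sample lines below are
# constructed for this demonstration.

# Prohibited patterns (extended regexes), one per line, as `git secrets --add`
# would record them. The first is the page's 'password\s*=\s*.+' with \s spelled
# the POSIX way; the second is an AWS-style access-key-id pattern written for
# this example, not the exact pattern that `--register-aws` installs.
PROHIBITED='password[[:space:]]*=[[:space:]]*.+
AKIA[A-Z0-9]{16}'

# Allowed literals: a flagged line that also contains one of these is let
# through, which is what `git secrets --add --allowed --literal` does.
ALLOWED='ex@mplepassword
AKIAIOSFODNN7EXAMPLE'

# scan_file FILE: print every line matching a prohibited pattern and no allowed
# literal as FILE:LINE:TEXT. Returns 0 if clean and 1 if anything was found,
# the same exit-status convention a git pre-commit hook uses to reject a commit.
scan_file() {
    file=$1
    prohibited_tmp=$(mktemp) || return 2
    allowed_tmp=$(mktemp) || { rm -f "$prohibited_tmp"; return 2; }
    printf '%s\n' "$PROHIBITED" > "$prohibited_tmp"
    printf '%s\n' "$ALLOWED" > "$allowed_tmp"

    # First grep: lines hitting any prohibited pattern, with line numbers.
    # Second grep: drop the hits that also contain an allowed literal.
    # `|| true` keeps the assignment from failing when there are no hits.
    hits=$(grep -n -E -f "$prohibited_tmp" "$file" | grep -v -F -f "$allowed_tmp" || true)
    rm -f "$prohibited_tmp" "$allowed_tmp"

    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | while IFS= read -r line; do
            printf '%s:%s\n' "$file" "$line"
        done
        echo "[ERROR] Matched one or more prohibited patterns" >&2
        return 1
    fi
    return 0
}

# count_findings FILE: number of offending lines, for scripting and tests.
count_findings() {
    scan_file "$1" 2>/dev/null | wc -l | tr -d ' '
}

# make_sample: write a constructed file standing in for code about to be
# committed and print its path. Two lines should be rejected (a real-looking
# password and an AWS-style key id); the two carrying allowed literals pass.
make_sample() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
db_host = localhost
password = hunter2
password = 'ex@mplepassword'
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_access_key_id = AKIAABCDEFGHIJKLMNOP
EOF
    printf '%s\n' "$sample"
}

# Stand-alone demo: scan the constructed sample and report the verdict a
# pre-commit hook would return.
sample=$(make_sample)
if scan_file "$sample"; then
    echo "clean: the commit would proceed"
else
    echo "the commit would be rejected (hook exit status 1)"
fi
rm -f "$sample"
```

Running it prints the two offending lines followed by the `[ERROR]` message and exits with status 1; a pre-commit hook that exits non-zero is exactly what aborts a git commit, which is how git-secrets stops a secret from ever reaching the repository. Note that the allowed list is applied after the prohibited list, so an allowed literal only suppresses a hit on the line that actually contains it, not the prohibited pattern as a whole.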
Try it today
By setting up Git Secrets at both the repository and individual developer levels, we can easily add an important layer of protection that helps safeguard your project secrets. The return on investment is massive given how easy Git Secrets is to install and implement.
Don’t wait for a breach to happen – Make security a natural part of your development process.