
Comments (4)

liniribeiro commented on June 26, 2024

This is happening for me too!

from git-secrets.

Almenon commented on June 26, 2024

I also had a bit of difficulty with this. I assumed it would work out of the box, but git secrets appears not to work out of the box. You need to register patterns for it to match against. See https://github.com/awslabs/git-secrets#example-walkthrough

There's also a convenient command for registering AWS patterns. For example:

➜  cat aws_creds.txt 
[foo]
aws_access_key_id=AKIA1111
aws_secret_access_key=AaaAAaA3aaaaAaaAa1aaaAAaa22CBAAAaaa1a1aa

➜  secret_test git:(main) git secrets --install

➜  secret_test git:(main) cat .git/hooks/commit-msg
#!/usr/bin/env bash
git secrets --commit_msg_hook -- "$@"

➜  secret_test git:(main) git secrets --register-aws
OK

➜  secret_test git:(main) git secrets --scan-history

d6e2b4ab97b6ce61427e1f24a091f28f2eda739d:aws_creds.txt:3:aws_secret_access_key=AaaAAaA3aaaaAaaAa1aaaAAaa22CBAAAaaa1a1aa

[ERROR] Matched one or more prohibited patterns

from git-secrets.

oscarenzo commented on June 26, 2024

To scan the current branch content I used this command (inside the git repository):

git-secrets --scan

Keep in mind that this command will scan all the files that can be listed with this command (as shown in the documentation):

git ls-files

If you want to scan raw files you need to specify a path like:

git-secrets --scan /foo/bar

Here you can find the specific documentation for your case:

https://github.com/awslabs/git-secrets?tab=readme-ov-file#examples-1

In my case, I started customizing some patterns; I can share with you some patterns that I'm using:

patterns.allowed

# Pattern list to be allowed by git-secrets
# Allowed patterns are matched against the scan output lines (file:line:content),
# which is why a pattern can silence a whole file by its name.
# Inline opt-out marker: a line carrying "# git-secrets: ..." or "// git-secrets: ..."
(//|#)\s\bgit-secrets\b:\s.*$
# URLs that carry a 34-40 character token (this also hides a real token embedded in a URL)
(http|https):\/\/.*[0-9a-zA-Z_-]{34,40}.*
# Whole files, matched on the file name prefix of the output line
^(README.md|LICENSE):.*
^(.pylintrc|.yamllint|.editorconfig|.gitignore):.*
^.git-secrets.(allowed|prohibited):.*

patterns.prohibited

# Pattern list to be prohibited by git-secrets
# Gitlab token
\bglpat-[0-9a-zA-Z=_-]{20,22}\b
# Gitea / Cloudflare token (any 40-character token, so a full git commit hash matches too)
\b[0-9a-zA-Z_-]{40}\b
# OpenSSL certificates and private keys
\-{5}(BEGIN|END)\s(CERTIFICATE|PRIVATE KEY)-{5}
# Private openssh keys
\-{5}(BEGIN|END)\sOPENSSH\sPRIVATE\sKEY-{5}
# Jenkins token (any 34-character token)
\b[0-9a-zA-Z_-]{34}\b
# Sendgrid token
\bSG\.[a-zA-Z0-9_-]{20,24}\.[a-zA-Z0-9_-]{39,50}\b
# Basic authentication (user:password embedded in a URL)
(http|https):\/\/[0-9a-zA-Z_-]+\:[0-9a-zA-Z_-]+\@.*

Maybe many of these can be improved, but with this you can start to play :-). Best regards.

from git-secrets.

NAs3c commented on June 26, 2024

Hello,

I have a similar issue. I created a test repository, git init'd it and git add'd the following file:

$ cat secrets.default      
DATABASE_USERNAME=root
DATABASE_PASSWORD=root
APP_KEYS="appkey1,appkey2"
JWT_SECRET=secretjwt
NEWPROJECT_AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
NEWPROJECT_AWS_ACCESS_SECRET=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
$ git ls-files      
secrets.default

I then install git secrets for the repo:

$ git secrets --install          
✓ Installed commit-msg hook to .git/hooks/commit-msg
✓ Installed pre-commit hook to .git/hooks/pre-commit
✓ Installed prepare-commit-msg hook to .git/hooks/prepare-commit-msg
$ git secrets --register-aws
OK

Now, when I check the patterns registered, nothing happens:

$ git secrets --list
$ echo $?                                       
1

I point out that I git secrets --install'd and git secrets --register-aws'd on another (real) project, which worked for registering patterns. But then git secrets --scan did not work:

$ cat secrets.default | egrep "AWS_ACCESS_KEY_ID|PASSWORD"
DATABASE_PASSWORD=root
REDACTED_AWS_ACCESS_KEY_ID=AKIA1111
$ git secrets --list
secrets.providers git secrets --aws-provider
secrets.patterns (A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}
secrets.patterns ("|')?(AWS|aws|Aws)?_?(SECRET|secret|Secret)?_?(ACCESS|access|Access)?_?(KEY|key|Key)("|')?\s*(:|=>|=)\s*("|')?[A-Za-z0-9/\+=]{40}("|')?
secrets.patterns ("|')?(AWS|aws|Aws)?_?(ACCOUNT|account|Account)_?(ID|id|Id)?("|')?\s*(:|=>|=)\s*("|')?[0-9]{4}\-?[0-9]{4}\-?[0-9]{4}("|')?
secrets.allowed AKIAIOSFODNN7EXAMPLE
secrets.allowed wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
secrets.patterns password\s*=\s*.+
secrets.patterns PASSWORD\s*=\s*.+
$ git secrets --scan
$ echo $?
0

Your project seems great and very helpful for achieving cybersecurity in AWS projects 👍. Please let me know if I can be of any help to improve it.

from git-secrets.
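Added example, written here as an editor's illustration and not code from git-secrets or from anyone in the thread. It models how the registered patterns shown in Almenon's and NAs3c's comments above get applied to file content. The model rests on my reading of the tool, which you should check against the source if it matters to you: `git secrets --scan` runs `git grep -nwHEI` with every prohibited pattern, then pipes the `file:line:content` output through `grep -Ev` built from the allowed patterns. Two consequences follow and are demonstrated below: `-w` requires the match to sit at word boundaries (and `_` is a word character), and the allowed list is applied to the whole output line, file name included. The AWS patterns are the ones `git secrets --list` printed after `--register-aws` in the thread; `SAMPLE_LINES` is constructed from lines quoted in the thread plus one obviously fake access key id.

```python
"""Model of how git-secrets decides which lines to report.

Added example, not git-secrets' own code. My assumption about the tool:
`git secrets --scan` runs `git grep -nwHEI` with every prohibited pattern,
then filters the `file:line:content` output with `grep -Ev` built from the
allowed patterns. Both halves are modelled here. The AWS patterns are the
ones `git secrets --list` shows after `--register-aws` in the thread; the
PASSWORD ones are the user-added entries from the same listing.
"""
import re

PROHIBITED = [
    # --register-aws: access key id, secret access key, account id
    r"(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}",
    r"""("|')?(AWS|aws|Aws)?_?(SECRET|secret|Secret)?_?(ACCESS|access|Access)?_?(KEY|key|Key)("|')?\s*(:|=>|=)\s*("|')?[A-Za-z0-9/\+=]{40}("|')?""",
    r"""("|')?(AWS|aws|Aws)?_?(ACCOUNT|account|Account)_?(ID|id|Id)?("|')?\s*(:|=>|=)\s*("|')?[0-9]{4}\-?[0-9]{4}\-?[0-9]{4}("|')?""",
    # added by the user in the thread with `git secrets --add`
    r"password\s*=\s*.+",
    r"PASSWORD\s*=\s*.+",
]

ALLOWED = [
    # --register-aws also allow-lists the two documented AWS example credentials
    r"AKIAIOSFODNN7EXAMPLE",
    r"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
]

# Constructed sample file: lines quoted in the thread plus one fake key id.
SAMPLE_LINES = [
    "DATABASE_PASSWORD=root",                               # NAs3c's file
    "aws_access_key_id=AKIA1111",                           # Almenon's file
    "aws_access_key_id=AKIAEXAMPLE000000000",               # constructed, fake
    "NEWPROJECT_AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",    # NAs3c's file
    "aws_secret_access_key=AaaAAaA3aaaaAaaAa1aaaAAaa22CBAAAaaa1a1aa",  # Almenon's file
]


def word_bounded(pattern):
    """Emulate grep -w: the match must begin at the start of the line or
    after a non-word character, and end at the end of the line or before a
    non-word character. The underscore is a word character for grep and for
    Python, so PASSWORD inside DATABASE_PASSWORD is not a -w match."""
    return re.compile(r"(?<!\w)(?:" + pattern + r")(?!\w)")


def scan(lines, filename="secrets.default", prohibited=PROHIBITED,
         allowed=ALLOWED, word_regexp=True):
    """Return the file:line:content records the scan would print."""
    if word_regexp:
        rxs = [word_bounded(p) for p in prohibited]
    else:
        rxs = [re.compile(p) for p in prohibited]
    allowed_rxs = [re.compile(a) for a in allowed]
    hits = []
    for lineno, line in enumerate(lines, start=1):
        if not any(rx.search(line) for rx in rxs):
            continue
        record = f"{filename}:{lineno}:{line}"
        # Allowed patterns run against the whole record, file name included;
        # that is why an allowed entry such as ^(README.md|LICENSE):.*
        # silences a whole file.
        if any(rx.search(record) for rx in allowed_rxs):
            continue
        hits.append(record)
    return hits


def classify(line, filename="secrets.default"):
    """Explain why one line is or is not reported."""
    if not scan([line], filename, allowed=[], word_regexp=False):
        return "clean"
    if not scan([line], filename, allowed=[], word_regexp=True):
        return "word-boundary miss"  # only matches without -w
    if not scan([line], filename):
        return "allowed"
    return "reported"


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{classify(line):<19} {line}")
    print()
    print("\n".join(scan(SAMPLE_LINES)))
```

Run as-is it classifies each sample line and then prints what the scan would report: `DATABASE_PASSWORD=root` is a word-boundary miss, `AKIA1111` is too short for the access key id pattern, the documented example key is matched but filtered by the allowed list, and only the fake key id and the 40-character secret come out. If you want `DATABASE_PASSWORD=...` style names caught despite `-w`, the prohibited pattern itself has to start at a word boundary; a pattern such as `[A-Za-z0-9_]*PASSWORD\s*=\s*.+` (my suggestion, not from the thread) absorbs the prefix so the whole token is the match.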
