How to create a pre-push git hook to detect secrets like API keys & credentials

Secrets like API keys and credentials can create a huge security risk when they get leaked into remote git repositories. Secrets inside git repositories must be considered compromised and revoked immediately, which is why it is much better to detect secrets before they enter your repository. This tutorial runs through how to create a pre-push hook that will run after the 'git push' command and block the push if any commits contain secrets.

Links:
Pre-Commit framework: https://pre-commit.com
Ggshield GitHub repository: https://github.com/gitguardian/ggshield
GitGuardian Dashboard: https://dashboard.gitguardian.com
GitGuardian website: https://gitguardian.com

Timeline:
0:00 - Intro
0:30 - pre-commit vs pre-push git hooks
1:38 - Installing pre-commit framework
2:24 - Creating the pre-commit YAML file
4:19 - Installing the pre-push git hook
5:00 - Getting a GitGuardian API key
6:46 - Creating your .gitignore file
7:35 - Testing the pre-push hook
9:52 - Ignoring secrets and files with GGShield
12:57 - Wrapup

Video Transcript

Hello and welcome to another video. Previously I looked at how we can use GitGuardian's CLI tool, ggshield, to implement a pre-commit git hook that will detect secrets and block a commit if there is a secret contained somewhere in that git commit. Today we're going to do something similar, but we're going to be installing it as a pre-push hook.

Now, there are some advantages and some disadvantages between pre-commit and pre-push. The main one is that we can make a lot of commits before we make our push to our remote repository, and scanning all of these can be a bit of a blocker, particularly if we're not handling them correctly. So by installing it as a pre-push hook, we're actually scanning it at a point where we've got a collection of commits, and we're going to scan all of them in one go, so it shouldn't be a blocker for the developer. Now, the disadvantage of this is that even though the secret doesn't reach a remote repository, which is a good thing, it is still in our git history, which means if we do detect a secret we're going to have to clean our git history locally. It doesn't mean we have to revoke the secret, as we would if it entered into a git repository, but it does mean we do have to adjust our history and do some rebase, and I'll do another video on that step later. But for now we're just going to look at how we can set this up as a pre-push git hook.

So again we're going to be using the pre-commit framework, so the first step that we need to do is install the pre-commit framework. I'm going to use pip to do this, so pip3 install pre-commit. Okay, so we have installed that now. Now at this stage we can also install ggshield if we want to use some of the additional features, but it's not actually required, because the pre-commit framework will still install ggshield in that instance and it will run as expected even if it's not installed locally on your machine.

So now that we've installed the pre-commit framework, we can create a pre-commit configuration YAML file. Inside our repository (I just have a very simple example project here) we're going to create a file called .pre-commit-config.yaml. Now, I know we're installing a pre-push hook and I've just created a pre-commit YAML file, but that's just because the framework that we're using is called pre-commit, not because we're creating a pre-commit hook. A little bit confusing.

Okay, now we're going to open up this file we just created and we're going to add some code in here that's going to describe the hook that we want to create. Now, why we're using the pre-commit framework and not installing a generic git hook is because using this framework is quite powerful, because we can create layered git hooks, we can do multiple different tasks, and we can describe them all in this one YAML file. So you can head over to the pre-commit website or GitHub repository to find out what other actions you can take.

Right now we're going to go across into the ggshield GitHub repo, and if we scroll down we can go down to our pre-push hook, and it's going to give us some code here. So we're doing it with the pre-commit framework; yes, we've installed pre-commit, and so now we just need to pull across this code. Now, exactly the same way that I did this in the pre-commit video, if you've watched it, I'm going to change line three here. We're saying revision main, that's just the latest version on our main branch, but we're going to change it to an actual release number here. Right now we're on v1.10.7, so we're going to put that in there: v1.10.7.

So now that we've done that, we need to install our pre-push git hook. We can do this by running the command pre-commit install, then we need to add the hook type, and we're going to put pre-push. We should run this, and you'll see that it's installed our pre-push commit here at .git/hooks/pre-push. We can actually see that: hooks, and then we'll see we have our pre-push commit here.

So now that we've installed our pre-push git hook, we need to add in our GitGuardian API key. ggshield leverages GitGuardian's secrets detection engine, and this means that we can do validity checks on the secrets to ensure they're valid, and we can detect over 300 different types of secrets, including different types of generic secrets. But this does mean that we need to transmit this data via an API. So to get that we need to head over to dashboard.gitguardian.com. You can create an account in just a few seconds, it's totally free, and we can head down to the button that says API. Now once we're in here we're going to create a new API key. I'm just going to give this the name "pre push video". We're going to add the scan scope to this; we don't need to worry about the incident scope just yet. And this has created our API key, so we're going to copy this.

Now we can add this API key as an environment variable in a number of different ways. Last video I used the export command just to add it into my terminal session, but today I'm going to use a slightly better practice, and that is to add it into a .env environment variable file. So we're going to create that file inside our repository, .env, and we're going to paste that API key, and we're going to use the variable GITGUARDIAN_API_KEY. What this does is, when our pre-commit or our pre-push hooks are run, ggshield is going to look for this environment variable file inside our repository, inside our environment, and it's going to load it in as an environment variable. This means that we don't have to worry about adding it to our .bashrc or using the export command; we can do it automatically this way.

But of course we do not want to leak our environment variable file; this is now sensitive, so we should always create a .gitignore file. I'm going to open my .gitignore file, and we can see in here that I've just added a .env file. You can get some great templates off GitHub for .gitignore files; I just have the one file, and this just means that it's not going to be added into my git commit stash, so I'm never going to leak the secrets that are inside this environment variable file. So a very important step if we're using .env files.

So we've now installed our pre-push commit hook, we've added in our API key, and we've installed the pre-commit framework. Now we're ready to test our git hook. What I'm going to do now is open up my file config.py, and I'm going to paste in here an AWS credential. This is actually a real credential but it doesn't pose any risk; it's essentially a dummy key, so it means that I can leak this with no troubles, but it also means that it should definitely trigger an alert from the GitGuardian engine. Right, so now that we've loaded that in, we can add this into a commit: git add config.py, and then we're going to create a new commit, and we can see that this has been committed with no trouble. Now this is different from the pre-commit hook, which would have been blocked. So we can go ahead and continue working within our project. I'm going to create some other files here, just a couple of files that you may expect in a project like this, and we're going to add these in and we're going to commit these as well. Oops, got the bell kit. So we can see that these have gone through, and in a real-life scenario we'll have multiple commits, but now I'm just going to go ahead and push these and see what happens.

We can see that the pre-push command was run and it failed. This means that these haven't gone to a remote repository, and it also lets me know information about what has triggered the fail. We can see in our config file we have an AWS key. We also have a validity check, so this is saying that this is actually a valid credential; if we were to randomly change some numbers, this would change to invalid. So we can see that we've successfully installed this pre-push hook.

Now there may be a scenario where you still want to push this secret in. Perhaps it's a dummy or example credential or secret, perhaps it's a false positive, and you don't want to have to keep dealing with this. So we have some great features from ggshield. I'm actually going to install ggshield onto my local machine now, so I'm going to pip3 install ggshield, and that has now been installed. But again, this isn't required just to use the pre-commit hooks, so this is cool if you want to rapidly distribute this throughout an organization: then we just need to install the pre-commit framework and not ggshield. But there are some other advantages to using features within ggshield. For example, I'm going to run the command now, ggshield ignore --last-found, and what this does is it creates a new file here called .gitguardian.yaml, and when we open this up, this has secrets that we essentially want to ignore or let through the detection process.

Now the cool thing about this is it uses a SHA token and not the actual secret. That means that this file isn't sensitive in itself; you can commit this file into your git repository so that everyone ignores the same secrets, but we won't actually disclose any sensitive information about the secrets. So we match up those secrets using a SHA value; that's quite a cool feature. And we have it here that we have AWS keys inside this config.py file. So if I save this now, we can actually go back to the last step and push, and we will see that this time it's passed. It's let the commits through because the only secret it found is on our safe list, if you will.

Now within this YAML file we can actually ignore secrets in another way: we can ignore them in files themselves. For example, if I wanted to ignore all of the READMEs that are in this, I can run the command, I can add into here the code, and then all files that are named readme.md will be ignored and they won't be scanned. So perhaps if you have example secrets in your README files and you don't want them to be scanned, you can add them to this ignore list. We can also add file paths in here. For example, if I wanted to ignore all of the secrets in a file called examples, then I can do that, and now this won't scan any files that are in this example folder. And lastly, if I just want to ignore a specific file in a specific location, I can add that specific file and its specific path into this file too. So there's some ways that we can also ignore secrets using the .gitguardian.yaml file.

So there you have it, that's how we can set up a pre-push git hook using ggshield. I hope you enjoyed the video, and remember: good code is secure code. Until next time, thanks everyone.
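The files this walkthrough builds, collected as an added example that is not part of the video or of the ggshield project. The transcript does not read out the hook definition copied from the ggshield README, so the hook id `ggshield-push` and its options are an assumption to confirm there; the function names are hypothetical and the API key is a placeholder.

```shell
#!/bin/sh
# Added example (not from the video): write the files the walkthrough creates.
# Usage, from the repository root:
#   pip3 install pre-commit
#   setup_prepush_files .
#   pre-commit install --hook-type pre-push

setup_prepush_files() {  # hypothetical helper name
    repo_dir="$1"
    ignore_file="$repo_dir/.gitignore"

    # pre-commit framework config. rev is pinned to the release named in the
    # video instead of "main". Hook id and options are assumed from the
    # ggshield README; confirm them there before use.
    cat > "$repo_dir/.pre-commit-config.yaml" <<'EOF'
repos:
  - repo: https://github.com/gitguardian/ggshield
    rev: v1.10.7
    hooks:
      - id: ggshield-push
        language_version: python3
        stages: [push]
EOF

    # Ignore .env before any key is written. Append only if it is not already
    # listed, and add a newline first if the file does not end with one.
    touch "$ignore_file"
    if ! grep -qxF '.env' "$ignore_file"; then
        [ -z "$(tail -c 1 "$ignore_file")" ] || echo >> "$ignore_file"
        echo '.env' >> "$ignore_file"
    fi

    # Create .env readable by the owner only, with a placeholder for the key.
    # An existing .env is left untouched so a real key is never overwritten.
    if [ ! -f "$repo_dir/.env" ]; then
        ( umask 077
          echo 'GITGUARDIAN_API_KEY=<paste-key-from-dashboard>' > "$repo_dir/.env" )
    fi
}

# True only when .env is listed in .gitignore; a check like this can gate the
# first commit made after the key has been pasted in.
env_is_ignored() {
    grep -qxF '.env' "$1/.gitignore" 2>/dev/null
}
```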