To participate in the stream go to https://www.crowdcast.io/e/detect-secrets-with-gitguardian-ggshieldTo counter the rise of supply chain attacks and software vulnerabilities, developers are now increasingly expected to enhance their security practices throughout the software development lifecycle. One vulnerability that stands out is hardcoded secrets – easily forgotten in code, hardly sophisticated for attackers to exploit. On average, 3 commits out of 1,000 on GitHub.com exposed at least one secret as reported in The State of Secrets Sprawl 2022. It’s time developers were given the right supportive tools to tackle this issue head-on!Join our next webinar and find out how we’re solving this at GitGuardian with ggshield, the open-source CLI that detects more than 350+ types of secrets. We will discuss:The story behind ggshield and the project’s governanceHow ggshield is built with developer experience (DX) in mindHands-on training – setting up ggshield in a pre-commit git hook The minimum requirements to participate in this free training session are python 3.6+, pip or pip3, and git.Did you know 🤔 GitGuardian has detected over 6 million exposed secrets on public GitHub in 2021 alone. That’s a 2x increase compared to 2020!Secure your seat now and enter the draw to win Amazon gift cards and swag bags!
so [Music] [Music] and here we are hello everyone welcome to the live stream i'm here with uh my colleague my favorite colleague actually uh welcome welcome eleon how are you today i'm fine you yeah yep i'm doing good i'm doing good uh always good to be on a live stream so um yeah very very happy to be here we've got an exciting one today now these are my favorite ones when i don't have to do anything too difficult um which is why i bring in my colleagues but we're gonna be looking at gg shield we're gonna be looking at how we can detect secrets using this tool it is a cli tool we're going to get a little bit further into that as as we go but we're going to be talking about not only detecting secrets in your git repositories we're going to be talking about detecting secrets before they get there detecting secrets in other areas like docker images detecting secrets and files directories and so we can kind of really be able to expand on our capabilities using this tool so let's get started now uh we're going to have we're going to be doing kind of hands-on demonstrations with all we have a couple of slides to get through at the start just because i want to keep everyone up to speed but we'll get through those hopefully relatively quickly because uh yeah it's live demos are much more exciting uh so just what we're going to go through today is uh we're going to look quickly at the state of secrets world report because just to refresh everyone's mind um about why secrets are important people are probably sick of hearing this if you've been to weapons before we're gonna be talking about where secrets detection is why developers should worry about uh sequence detection um we're going to be looking at gg shield we're going to look at how to use gt shield and then we're going to be doing some demos and we're going to be doing some q and a's so only one is one of the main contributors to gg shield so if you have any questions actually now is the time to ask the expert directly now as always there are prizes available in these webinars we've got some amazon gift cards today to give away so participate participate in the chat ask lots questions participate in the polls uh and you'll be able to do that now if this is your first time uh on crowdcast or if you're tuning in on youtube or twitch or some other stream crowdcast is the main platform down the bottom you'll see some buttons you can ask a question that's the best way to ask us a question because the chat can get pretty noisy there are some polls there so you can participate in the polls when they come up um so and then and feel free to to participate in the chat as well so just while waiting for the few extra people to come here to to jump on uh let us know uh let us know whereabouts you're tuning in from so uh i'm in paris in paris today uh which is good holiness i believe you're in paris too unless you've taken a sneaky vacation well i mean like 70 kilometers east of paris but i guess you live out you live out the countryside a man of luxury you have you have a backyard you have space something the restaurants don't have all right we'll see where some other people are tuning in we've got here from milan i was in milan not so long ago montreal we've got someone i saw someone tuning in edmonton paris lagos mexico usa clone bangladesh london-ish that's kind of like your paris ish yeah yeah [Laughter] tel aviv spain chile munich princeton's cologne again a lot a couple of people from cologne germany poland kristoff is that um i think i might know i know a different christoph from from poland might be the same person might not be but anyway oh it's great to see everyone new york it's great to see everyone uh tuning in from all over the world it's my favorite part of the webinar i do this every time people probably get sick of it but it's it's uh it's uh i quite enjoy it all right so we're gonna get stuck in we're gonna move on quickly now so uh let's take a little bit of a throwback to the state of secret sprawl this is a report that get guardian does we talk about secrets now if you're not sure what a secret is we're generally talking about digital authentication credentials api keys uh credential peers security certificates anything that gives access to external services or systems um now we monitor public activity for these secrets we found six million sensitive keys in github.com last year 6 million so that's just in public github so that's api keys that have been publicly exposed in github.com so this is a huge problem why do they get exposed because they end up inside our source code and we push that now attackers are also targeting private code repositories because these are a huge kind of bed of secrets and one of the reasons for this is that we have to remember that when we're when we're coding our version control systems keep track of everything so when we uh when we commit something if we commit a secret a year later that secret's still there unless it may be deactivated hopefully it is but it's still in that history so they're really hard they could be not visible so we have to be careful about this now we find all kinds of secrets so data storage access to databases 21 of that 6 million last year was was databases up from 15 the year before cloud providers so access to amazon um aws servers gcp servers you know very easy to to to use these maliciously even if it's a personal account you can rack up some pretty hefty bills by doing some crypto mining on these and a whole bunch of other things private keys development tools messaging systems version control access keys so lots of different things so we don't want these secrets inside our git repositories we don't want these secrets in our source code so we need to become alerted if they do we need to scan our get repositories but better yet if they don't even make it to our git repositories that's what we're going to be talking about today with gg shield so one of the problems with secrets is that it's very linked to developers so we as developers need to be very careful of how we handle these sensitive information so we have access to api keys we need them to access uh to test our applications to build our applications we have access to databases um so because we have access to the sensitive information we need to be really careful about where it ends up so just a poll here the first poll so down the bottom you'll see that answer for polls who here uses secret scanning in their cli in development so this isn't including if you have get guardian on your repository i'm looking about who's doing secret scanning in other areas using their command line interface um or or maybe some other tools maybe in your ci cd pipeline and now do you currently use gg shield um do you use any different secrets detection tools i won't be mad i promise i won't be mad you can answer honestly so travel hog or get leaks and do you do you have secret scanning on your repository but not anywhere else or do you just not scan for secrets at the moment let me know in the polls i'll have a quick look now at where we're heading up so actually we're tied at the opposite ends for for the moment so 10 people are using uh gg shield 11 people not scanning for secrets at all um so we can help we can help with that hopefully by the end of this webinar we'll all be scanning uh for secrets oh and we just jumped up 12 people don't scan for secrets in the cli but uh do use gegardian so that's good to see that we have some sequence detection in there see a couple for get leaks there are some good uh tools at open source tools out there like it get leaks but we're gonna we're gonna be focusing on a gg shield which is in my unbiased opinion the best [Laughter] [Music] what are you reckoning only on your unbiased opinion gt shield it's the it's the way to go as unbiased as yours yeah okay so let's have a look at what we're talking about when we're seeing saying detecting secrets in our cli so on the screen you'll you'll see two kind of categories here we've got our local environment and our remote environment so our remote environment is kind of if you think about it let's say our remote repositories get repositories when a secret enters our remote repositories that secret is compromised you know we need to be looking at revoking uh that secret uh even if it's a private repository that could end up on multiple different developers machines it could be backed up areas we've lost control over where that secret is but that's critical that's where we need to know where the threats are on our local environment it's different if we can detect secrets on our local environment so uh for instance when we create a commit or when we push a commit or after we've pushed it but before it reaches our remote environment that's different because that secret hasn't been compromised yet we don't need to rotate that secret because it hasn't been exposed anywhere we can simply remove that maybe we need to change our git history a little bit there but we can move forward remediation is so much simpler so that's what we're going to be focusing on how can we detect secrets before they get to our remote repositories now if you're not familiar with get guardian get guardian is a tool um we've got a sas platform we're free for small teams and we detect secrets on that remote repository we integrate with your git lab but once we detect them they're already compromised gg shield which is our open source kind of version of that is about detecting them before we get them and detecting them in other places so uh leon why don't you give a very brief introduction what what is gg shield how how does it work okay so gshield as you said is a cli tool to scan your repositories and it has lots of different scanning modes you can scan files you can scan docker images you can scan pi by packages you can scan your commits and more importantly you can integrate teacher shield inside your git workflow your local git workflow so that you catch uh secrets before they leave your machine right so with gt shield we're not we're not we're not so focused on just get repositories we can we can literally take that detection engine from guardian and we can integrate it elsewhere so we can scan a file we can scan a directory we can scan a docker image so we're basically making a more mobile version of that detection that we have uh guardian that be a fair statement yes right it's almost like i had that prepared [Laughter] so gt shield is is open source uh it's on um it's on github so you can contribute to it you can see the source code for it uh we use the get guardian api to actually scan the secrets so the one disadvantage to ggshield is that it does need to be online because the get guardian api still needs to ingest that data and it will return a result but gg shield is really powerful in the sense that it is a wrapper that allows you to do lots of different tasks using that uh that api so we're celebrating our second year anniversary i think we just crossed a thousand stars on github so congratulations congratulations everyone oh y'all for for that big milestone um you know if you're feeling so kind you can find gg shield on github and give it a star the the marketing team will love you for that github stars are a bit like currency sometimes and of course we're open to contributions so if you have a specific use case for being able to detect secrets somewhere uh in a specific environment in specific infrastructure the chances that someone else is going to have that need as well so we'd love to hear from you and would with absolutely love uh contributions so please um please feel free to kind of be part of the gg shield team we do give out cool swag to the contributors and people that are active in the the community there all right so where and how do we use gg shield in the cli for developers so this is a similar slide to what i had before so when we're talking about integrating into our development workflow what we're really talking about too is being able to detect secrets in a couple of key areas we can use it as a pre-commit hook so this is when we make our commit it's going to check it it's going to scan that commit for secrets if it finds one it will alert us and it will block that commit so that commit won't be added into our local uh into our kind of a local staged environment we can remove that key we can redo the kibit and we can move forward we can detect sequence in a pre-push way which is um which is basically scanning a group of commits but it will block that push if it contains a secret just as it did before and we can actually use a pre-receive hook so this is where it's going to block it from entering into our server but it's after we've pushed it so we'll talk about a few of those and some other other functionality as well in our demo and we're going to show you how to set up gg shield and how to to move forward from there so one of the big questions that we have the battle of the hooks should we go for a pre-commit or a pre-push hook so all what what what team are you on pre-commit or pre-push mostly on a pre-commit because it avoids uh it makes rewriting history simpler because you you judge the the error just as you made it you don't have to go back with the downside that you need the internet connection to scan your commits so it's not really appropriate if you're offline okay uh i'm i'm not on team pre-commit i'm on team pre-push explain why so as you said when we're on team pre commit it has to scan every single commit but when a pre-push it scans that group so it reduces the amount of scanning that you have to do and because we need to be online to push um we you know we're guaranteed to be online so that it's going to work fine there is a key disadvantage though for a pre-push as i said if there is a secret there i have to rewrite my history because it's already in my local history of my git repository i have to go back rebase change my history so a little bit of a pain but if you're not committing secrets that often don't have to do it that often so you know i feel like i feel like if you get that far you deserve a little bit of punishment but then that's just me it would be the night so what about the pre-receive hook can you explain a little bit what the pre-receive hook does so i understand pre-commit pre-push they're fairly self-explanatory what's pre-received so progressive is working on the sell side that is when you push the code leaves your machine and goes to the repository on the server side and the prereceive is on the side of the server so it can stop things before it gets to the remote repository but it's only possible to set up this on certain configurations you need to own your own kit server basically so it's a bit more complicated right so if you're using the free version of github for example uh difficult or impossible to set up a pre-receive hook because you can't adjust that server configuration yes got it okay but if you are running github enterprise or um some other on-prem versions of git lab you can set that up which is very helpful because it basically can enforce um you know enforce some stops of secrets actually getting committed um and also some other areas too if you're using ci tools so circle ci github actions jenkins we can put uh gg shield into these as well so we can actually uh add uh add gg shield into these setups why why why are we looking to kind of add these add gg shield into the ci environments early on why is that an advantage well not all comments are created by developers on the machines so nowadays cis are getting smarter and smarter and they do more and more things so you want to ensure that they do not accidentally commit secrets themselves so it's important to do that here and see i also well if you do not have access to the pre-receive hooks then you can use the ci to act as a privacy that's what we do with the git of actions for example so if you block your your commits to the main branch and require that people open pull requests to to commit on your github browser for example you can set up a gg shield as a git of action and it won't accept the commit if it contains a secret but at this time the secret is already off online so you would need to revocate and do more remediation than if you cook right so it can prevent the sprawl of that secret but that secret still compromised in that scenario you just outlined yeah at least it won't the code won't reach production hopefully but yeah you have more work to do all right so good news everyone we are now at the end of the uh the powerpoint so we can switch on to some demos so um if you want to follow along with these with these demos what what are some of the prerequisites that people should have uh installed uh you know getting started here i think we need python uh installed is that correct yes python and the git command line tool which you most likely already have i think that's about it okay python git command line if you have those things uh set up then you're ready to go the other prerequisites that we need will add to so uh i'm gonna add your stream your shared uh your your screen share there we are i'm finding my english words uh to to the screen now um i'm and i'm gonna leave it in in your capable hands and um and i'm gonna be monitoring the chat uh two now um and the questions so if you have questions as we're going i'll try my best to see them and interrupt only on and ask the questions okay so let's start by installing digit as i said gshield is a python application so you can install it with a pip installed and if you're if you prefer this we also offer alternative systems we actually have rpm or dead packages nowadays and it's also available via ombre as you can see here on the installation site anyway we just installed let's check it once yes we have the agent version if you if you are getting an error with this too you might want to try pip3 install because i get that error when i use pep install so uh if you're getting an error for pip installed you can do pip three just just a quick a quick uh yeah quick note okay so let's go in one of my demos [Music] three so here we are on the very simple smooth tree and if you look at the configure pi you can see that it has something which looks hopefully like an aws key so this is inside this is inside that configuration py file that you have here [Music] uh the simpler one is puff but if i do this it's not going to work because it's going to say hey i don't know you so before we had to do some damn traffic tokens and things like that but we recently made this a lot simpler so what you're doing now is is generating an api key for get guardian so to be able to communicate with the get guardian api is that that's correct yes so as you can see it opens the [Music] credit card and website and since i was already logged in it generated the token for me and when you go back to the site you can see successfully are at now authenticated deal token with this name so now i can try my command again and boom on that secret so we know we can address this now we can also scan world directories if i add dash r for recursive telling me that it's going to find scan free files um surprise there is another secret this developer is really careless if i look at this ci dot channel whether it's in the basic format for a ci system and we can see that there is a cover also can see right here which was cooked here and both are invalid so what we're doing now is scanning through directories we're scanning through the file systems on your computer to try and find design secrets what's that what's a good use case for for needing this and and is this the same as if you're scanning a git repository is what you're doing now the same as scanning that git repository well this scans the tip of the of the repository as in its chance the repository in its current state but it doesn't scan the history so you might be missing some secrets here and let's move on to another example here we have oh this is a rust example to change it so i'm going to do the same thing to scan all the adversary and say mean that it's going to scan 45s and whoa that secret has been found that must be good but if we scan if you use the scan repo command instead it's going to scan all the comments so if there was a secret committed and badly removed then it's going to find it as you can see it got my secret let's have a look more precisely so here i'm going to open the history of my command and we can see that he found two commits interestingly with the real secret so what happened here is that this is the first comment from here in this commit i added crates that i own key and then i say oh that was a mistake so in the second commit i removed it and replaced it with something which i just will get from the server but uh gg shield noticed that the two patches still contain the secret so this is bad now like we need to remediate this luckily here the mediation is very simple you can do it it if i just squash those two comments then i will have something cleaner so let's just do this and i'm going to look okay and say okay get the pass release the flash i like this and i'm going to squash those two points hey my ci configuration so now if i look at my history again there's only one commit and it only contains that i referred to create io defined somewhere else so if i scan again this can go it's going to be happy [Music] so i just want to make a quick clarification on what you did there because i think it's really important what you showed and that is that when you scanned the directory and you scanned the top layer of that of that git repository it didn't find any secrets because as you showed the developer removed them or basically committed over them so they weren't visible on that top layer but then you changed the command from instead of scanning the directory to scanning the repository which scanned the history okay so right okay so let's move on and now we are going to look at three comments and so now so if we look at the redmi or gt shield we can find that somewhere it's sorry okay area so free commits are little scripts that are run at no sorry git hooks a little script that runs at key moments in your development workflow and one which is very important is the pre-commit book which is run right before you commit you can create free commit books yourself but it's often simpler to use the pre-commit framework which we are going to install now so we will start by bringing my next repository and install pre-commit so pre-commit is a separate framework that we're installing that's basically going to help us handle creating pre-commit pre-push hooks um in other areas that's right yes and so now i'm going to follow the steps and create a pre-commit.tml file here and copy the content of this file so now in this repository let's look at what we have we have a basic readme and a dot pre-comments dash config and now that it's done so we can oop sorry a commit install is going to uh look at this dot pre-commit config and set up things for us so we can say that it created a file named free commit in the that kids slash books repository this is where all the books are let's try to add a secret so i'm going to create my config pie and i'm going to copy the same secrets we saw before beautiful and here we see that uh qrikomit is installing our free commit hook this is the this only happens the first time you set up the pre-commit next time it's going to be much faster and of course my network has decided oh and we can see that pre-commit ggshield free commit failed because it found our secret so it blocked the commit and if we looked at the status we can see that it's still added honestly it has not been committed and sweet so what we don't have to rewrite i get history at this point now do we because that commit hasn't been staged right that's it so we are saved and now let's say that you're a team pre-bush team pre-push yes [Laughter] so for team creeper she needs a slightly different configuration here we're going to add approach here and we actually push here as well this is the yaml file this is the pre-commit yaml config yml file right that you're editing right that's it yes and then i'm going to uninstall so you remember that the pre-commit created a free commit file here and i'm going to uninstall this one as you can see it does not exist anymore [Music] right so we've deleted our pre-commit and we've installed the better hook the pre-push hook [Laughter] yes and if i look here it's okay well done my coffee file is not commit but it's not but if i just push then i'm getting caught by the pre-push police um my commit didn't make it to the remote repository great great that's really cool we are still safe okay um so what else can we show we can also uh show the github action we have a question here that uh that's coming up um people are wanting to know um it's coming back you know what what what is the tool that you are using to view view the commits oh it's called tig there are some people in the comments too that are on your side with the pre-commit cricut hook so it's all right it's all right i won't blame them [Laughter] okay okay so let's move on to the kitten action and for this we are going to make a few changes on the server side first as i said earlier detection is only really interesting if you have protected your branches so that you have to open pull requests to so to make your code go in so i'm going to do this now and i'm going to move to [Music] but is this is this similar to other ci environments so would this be similar process to say circle ci or or other or bit hub bit bucket uh pipelines is yeah similar in terms of concept yeah yes basically you want to prevent things reaching your main branch and have i actually go through an approval so that your shield has a chance to put it in between so i'm going to go to the branches here and add the roll and i want my last branch to require a pure request and create a home hey so my master branch is protected let's see here i'm going to connect my last branch i'm going to remove [Music] the right one and install the pre-push pretty commit the book sorry and now my push should go through i'll accept oh except i failed or something haha demo effect why did it it shouldn't have existed like meat this is this is why i live demo so never never never worry a snake change wow maybe i was not doing the right thing that's correct interesting uh so i have a secret here that's bad okay let's and this is one a good reason to push force things ah now now it doesn't want me to push anymore okay now so i guess i was too fast and now it's protected okay let's remove the protection that's an interesting thing oh maybe actually see i need to keep the whole thing [Music] there we go okay so huh uh let's try this again so you you're just a bit you're just a bit a bit quick there i think i don't think github is quite processed you process your requests [Music] maybe that was also why i could because by default the administrator can bypass some rooms right okay and as you're the administrator this is a good this is a good this is a good example of even though when people think they have protection set up how they can still fail uh and this is you know in this case and you know a lot so accidentally leaked a secret so yes that's a good example of a secret accidentally going live in front of lots of people okay so let's try again hopefully i'm going to put like my secret secret i'm not really this fine yay see now the protected branch hook declined the thing so i need to open a full request and now so now we are going to continue the setup and to set up this the github action we need to go to another repository which is detailed dash action and this explains that we need to create a workflow so uh github actions are defined using german files like this one so this is very similar to the yaml file you set up for the pre-commit and pre-push hooks well i mean it's different but you're describing what you're wanting to do with your detection yes so [Music] github um us create those things directly online so that's what i'm going to do configure a new workflow and i'm going to copy past this and replace the whole thing here boom so we can see that this it's going to run and push and on pull crests but it's a bit limited and push because it can't fail the push so it's that's why the pro request is very important and one important thing to notice is this part which specifies the api key to use just like before we had to authenticate using gg shield both login we did something similar here but we still use the old version of your of creating an apigee and obviously you don't want to copy past it here because you would lick your git guardian api key that's very good so we need to add the api key somewhere else so that github knows it's there but we're not exposing it in our repository right and we're going to do this from the settings and of course i need to create a new branch because now i can't commit my master and so yes as good as it can be and i have a i have to request here the thing is uh right now it's i think it's not going to run let's see because the ci tml has to be inside the inside the main branch to take effect okay so uh well i can't commit because i insisted that all to administrators really needs to be needs to sorry requires a problem so let's relax things a bit just because it's you know sorry it's a little bit cumbersome but well we'll see and now wow i have this special thing to have right okay so now if i look at my code here i can see that it created a dedicated workflows and a ci channel but i need to set this key so um i need to go to my dashboard to do this but it's uh i'm going to i'll remove you i'll remove you from the screen to do that okay so you go ahead your screens your screen's gone so you won't be leaking any secrets that's good but as as um as we said at the start because oh you can sorry yeah let me like tell you when you can put me back and it's not dangerous for anyone let's see i think we're good here can you put me by just a second so i just reduced the thing so you can't see too much but basically here i'm logged on my dashboard and i clicked on api and then on the new personal access token so this is the old way of authorizing the gg sheet so i add the scan option which is required for judicial i'm going to say that this is for my ci here we go and my token is displayed here so i'm going to copy it to the keyboard and uh go back here yeah can you bring me back you're back okay yeah i'm back and i will ask you one more time but so if i go to secret actions here are where i can define the secrets that is referenced in the yammer file so you can go new secret and here and api key as you remember this is the name we found here and now i will ask you to hide me again no problem secrets yes you can bring me back that is very nice so as you can see now we have a repository secret added here and we can try to find the pull request and see if it catches our problem so here i created a on master but that didn't work because it was not allowed oh get me sorry just going to bring back the branch protection so that we play by the there rooms go okay so now what i'm going to do is create another branch and say okay okay so i can't commit in master and i'm going to create a branch and add config and since it's uh it started from master it already uh complained uh my bad commit the secret one and i'm going to push this one so you're pushing a secret to the to the remote server now yes uh using the new branch and okay my new branch has been pushed so at this point the secret is already public so you would have to remediate it and github helpfully tells me in the remote messages that i can create a pull request for this new branch by clicking here so this is what i'm going to do uh yes i'm going to add a secret create good requests and hopefully if everything goes well we are going to see sei but it's not really happening [Music] interesting [Music] we have two of your rounds here so why is it not there [Music] let's see maybe i made some stupid mistakes well we can already look at this one [Music] scan it from the thing this is probably not good baby this thing is having a hiccup let me check what we did again oh that looks good live demos yay is it this with the brand prediction or is it the ci is not running is that what's happening really i have no idea what happened here but uh something is wrong and uh i think maybe we can preview it for him now everything ah [Music] the request come on no it doesn't want no i would have to investigate why it didn't [Music] uh can we can we make the the action run without the branch protection make a um a commit with a secret in it just to see the action blocking just see the just to see how the action displays um let's see [Music] but the thing is i can't trigger it again from here but i could make it i can make it possible to trigger it manually i wonder if this name would be wrong hello can you hide my screen just a second yeah sure i'll go in and uh while you're figuring on that i'm going to answer we're going to go look at some questions that we have here [Music] so how do you enforce developers to run on the ci and the client side this is a this is actually an interesting question that we that we get a lot and the problem is that you can't this is the problem with client-side sequence detection so client-side sequence detection um can be bypassed pretty much you know it's always you can enforce at a pre-receive on the server but you can't really enforce that your developers uh do that and even if you install the pre-commit hooks on all developers machines that becomes a policy when you roll out a laptop you can bypass pre-commit hooks very easily by just adding dash n at the end of your commit so this is this is the problem of why we fundamentally need remote server detection but client side detection is fantastic because we prevent it but we can't rely on it so hopefully that that answers that question since it requires a connection to get guardian what type of data is transferred to get guardian server or are we only pulling uh the logic down so gg shield used to be uh completely stateless it's not we don't store the secret so if a secret is detected that secret is not stored anywhere on git guard again from the api what is stored though is what is stored is the type of secret that it detected and and the reason why this is is that if you're managing a team and you're wanting to look at the secrets of your findings you have your get guardian dashboard set up you can see how many secrets are being stopped on the client side what secrets they are but you can't see the secrets themselves so there are there is some data stored there we're not completely stateless on that api at the moment so hopefully bret that answers uh your question there as we go through can you specify which of the features are on the uh are in the on prem version versus the public version we are using today so uh i'm assuming you're talking about guardian so everything today there's there's no features of gegardian that's um that are just available on the on-prem version if you have on-prem get guardian then uh the advantage is that you controlling ggshield as well it's that's also installed on-prem um but there's no features that you're that we're missing so every for everyone that's asking the the session is also going to be uh recorded and i have some other tutorials on a youtube channel so if you type in get guardian onto youtube you will see some tutorials on how to do uh what we've talked about how to set up github actions there actually need to be redone because we've improved our authentication process so as early on showed at the start we actually um uh we actually no longer need to do that go on to the dashboard and create an api key we can do that can we use gg shield post commit well you can use gt shield with any data but you can use it in a pre-receive area or you can use it on your ci environment but um the the so you can use it in different places but the the problem is that those secrets are still exposed uh at that point um are there any comparison studies done uh on gt shield and its competitors to see [Music] types of false positives and things i don't think i don't think a comprehensive study has been done we've talked about uh uh we've talked about it but it's always uh it's always very challenging to know to be able to even get accurate measures on that because uh one thing that we're very good at guardian is removing false positives um but uh you know that it can be difficult to create a comparison for that but i'll definitely invite you to to have a little bit of play yourself and see what happens the problem with evaluating this is that uh get guardian unlike other people does do lots of cool things to improve our results now these things include validating secrets so if you like an aws key we'll check that it's a valid aws key if it's not um or if it's not a valid slack key then we might not flag that so if you're using sample data it is always challenging because sometimes it will appear like we've missed something but that's just because we're validated and we've found out that that's actually not a real secret it's not posing any threat so this can be hard to do those comparisons too python is required uh for gg shield tom uh for you asking if you use gt shield in the past what were the challenges friction points you had to overcome let me know in the comments oh that was from me i should have looked at the name secret scanning in gitlab yes you can uh you can scan secrets in gitlab so get guardian natively integrates with git uh gitlab but if you want to use gg shield then you can also install that uh on on the areas um i feel a lot of people don't think a secret is compromised when putting it in a private repo uh how can you explain it to them that it's not actually the case well there's been a lot of examples a lot of use cases where source code has been involuntarily open sourced so twitch last year as an example samsung nvidia microsoft or this year from lapses all of these companies have had their secrets uh exposed uh well not their secrets there's their source code exposed and inside that is secrets we've also seen in the code cov supply chain breach i can't explain that completely now but where uh where companies like hashicorp rapid7 had their private source code accessed through a supply chain through a third-party tool code cov so that's really interesting because it kind of shows that people can access your private source code through different methods and in addition to that there is very few people that you want to have access to all your secrets if you and probably no one should have access to all your secrets right but everyone has access to your source code even your interns your developers your product managers all of them have access to your private source code so we're when you're looking about that okay our secrets exposed well you have no control over who has them their source code is going to be cloned into multiple different areas and basically you've lost complete control if a secret ends out somewhere it shouldn't you have no idea about it so that's why private repos are not safe to store secrets so please don't please don't well nearly everyone does i've large companies still uh use that but a but sure um what would be the best way to report outdated documentation uh to the team or you can report to to to me um i think ollion's done too i can see him so i'm gonna i'm gonna bring him back but support getguardian.com there's an email address uh or you can um you could probably raise an issue on github we'll try and rectify that as soon as we can if we can okay are we are we ready can i bring your screen back okay yes you can so uh what was missing is this one requires to just check to pass before merging so i check this then the google quests run to check and thankfully it failed and if we look at the details we can see the same output here with the secret we found so now we are uh happy that the secret response and we can as you said as i said it's been leaked now so we have to remediate it i'm just going to do this and assume that we are going to import here [Music] so we're removing the secrets from hard coded adding them as environment variables which they should be so now there's no secrets in that i don't want to just commit and create a new commit i need to rewrite the other one so that so that's why i'm going to use git commit to commit and you want to create a single commit with the both changes and if i look at the history now i see that i'm doing something nicer and then if i now i can't push because obviously the branch on the other side is not the same so i have to push force that's what happens when you rewrite this so you know it's been published you're forcing the the remote version to match your local version that's that's what you're doing there yes i can see that the check run starts yes but actually what's important to know through is that even if you do this you're not fully safe and you need you would need to rotate the secret anyway because at one point the secret was on the internet here and you can actually pull it if you still know the sharp for the the secret itself you can ask github to remove them but it's it's still too late okay and [Music] let's see this gets started maybe it was just slow anyway well i think we can get into um some questions now um a bit more because we're running out of time but uh don't fear if you've missed any of this um there are videos this will be on youtube and there are tutorials on how to do this plus other things like scanning docker images with gg shield um so for sure um we have some questions in there how do we how do we how do we scan docker image docker secrets using gg shield so i prefer i don't have time to to show you but uh well you know how do we do that is it possible oh actually i can show it it's quite fast if you're not getting me back so appreciative secret can you see here there are a lot of things and i can say so this is how you would do it if you were not using my demo user who is not allowed to run docker right hey but but secret scan docker and then the docker image and that will scan it and can you and you can pull yeah so that and if you can you put can you scan them from docker docker hub for example can you pull it down scan it in one command yes that's what the command does actually let me switch to a user with more power [Laughter] okay right and now we're scanning the docker image oh that's great invalid api we don't have the key there oh it's all right we'll we're prepared for that one yeah um what we had some questions here from manuel what is the best practices to to share secrets with the team how how do you share actual secrets with your team okay so uh there are different approaches here uh one of them is to get them from the environment but then that doesn't really answer uh how do you put them in the environment in the first place and in guardian we use the ashley vault to securely share secrets and there are other tools like that um that's what i would recommend yeah this is actually a hotly debated topic too because there really isn't any perfect answer because vault is a very heavy tool you need to be quite mature to to to run it and manage it but there are ways some people like to encrypt them install them in git uh this is technically a very bad thing to do because the the encrypted version still sprawls so your secrets are encrypted but the encrypted file you lose track of i personally don't think that's terribly bad if you're a small team but there are different levels of maturity some people share them with secrets managers some people use share them with password managers um i think i think it really depends on on the situation the best practice is vault or a key list or some specific management tool but you need to look at what's going to work for you and the reason why i don't always think that the the best solution is the right solution is because you have to be willing to use it if it's too complicated you will bypass it and it becomes useless so find something that actually works for you um uh yes well i think that we're um we're oh we're actually gone over time but thank you thank you early on for for for your time here super interesting the replay will be on youtube as i said there's some other videos on youtube around judyshield as well and we're going to be producing a lot more content um so yeah now yeah just for the record uh if you bring me back you can see that the check has now passed okay yeah we are ready to move we're ready to move it just took a little bit of time for github to catch up um all right so there was some prizes to be won um i will uh i will i know we're running out of time so i'll just quickly see if there are some people here we are uh so the people that have won amazon gift cards andre k um congratulations and also um uh matt rodriguez so andre k matt rodriguez i'll be contacting you i'll send you out the amazon gift card that you won and uh look forward to seeing you guys at the next webinar um so please keep an eye out for that and also uh please let us know in the chat section there write us a little comment as to what you would like to see on other webinars as you're a topic you would like to cover so please let us know um and also uh the marketing team will kill me if i don't say this there's a button down there that says star the get the gg shield repo so you know come on give us a little star give us a star it takes a minute but yeah so congratulations to everyone thank you oleon and we're a little bit over time so i'll let everyone get back to to their days but thank you for tuning in and i look forward to seeing you next time thanks everyone