CodeSecDays 2024 - Join GitGuardian for a full-day exploration of cutting-edge DevSecOps solutions!

Save my spot!

CodeSecDays 2024 - Join GitGuardian for a full-day exploration of cutting-edge DevSecOps solutions!

Save my spot!

Secrets detection in the CI/CD pipeline | Detecting credentials with GitHub actions & GGShield

In this tutorial, we look at how we can prevent secrets like API keys and other credentials from being merged into git repositories by installing a GitHub actions workflow with GGShield (Gitguardian Shield). Automatically scanning commits and PR for sensitive information. LinksGGShield - https://s.gitguardian.com/ex1GitGuardian - https://s.gitguardian.com/62yWho is Mackenzie Jackson?Mackenzie is a developer advocate with a passion for DevOps and code security. As the co-founder and former CTO of a health tech startup, he learnt first-hand how critical it is to build secure applications with robust developer operations. Today as the Developer Advocate at GitGuardian, Mackenzie is able to share his passion for code security with developers and works closely with research teams to show how malicious actors discover and exploit vulnerabilities in code.What is GitGuardian?GitGuardian is the code security platform for the DevOps generation. With automated secrets detection and remediation, our platform enables Dev, Sec, and Ops to advance together towards the Secure Software Development Lifecycle.0:00-intro0:21-Tools0:33-Setting up GitHub Actions2:00-Editing our main.yml file4:01-Getting GGShield API key5:00-Adding a secret into GitHub actions7:00-Testing GGShield in GitHub Actions8:15-Results

Video Transcript

[Music] hey everyone this is mackenzie from get guardian and in this video we're going to take a look at how we can utilize github actions to implement some secrets detection in our ci cd environments now in this video we're again going to be using gg shield which is get guardian's open source cli tool to be able to implement this and we're going to run through the steps of how to do this so on my screen we have a very simple example project here nothing too special going on this one's in python but it really it it doesn't matter it's language agnostic and at the top we'll see a tab up here saying actions now we can do all of these steps on our local machine if we want to or we can utilize github's interface now the github interface is quite nice so i'm going to be using that but you can just create these files locally and still follow along so i'm going to click on actions and it gives us some options but we're going to set up a workflow ourselves so we're going to click this button here that says set up workflow yourself and then it gives us a kind of pre-configured yaml file so you'll see the location of this file it's created a folder called dot github and within that folder there is a workflows folder and within that we have our main dot yaml yml file and in this example that they've given us it's not really doing anything but it gives us an idea of how github actions in the yaml files work so if we go down here we have jobs these are more or less kind of the steps that we're taking in uh so you step here and you'll see that we have run a one line script which just spits back the command hello echo world like a bash script and then we have run a multiline script which sends back you know two two lines so this isn't very exciting but it gives us an idea about how these yaml files work so we can actually just delete this here which i'm going to do and then we're going to hop across over to the ggshield github page so you see this and if we scroll down we can see some instructions of how we can use gd shield and under here it says currently supported integrations we're going to click on github actions now this here is the code that we need and you may notice that it looks quite similar to the example code in the sense that you know we have names we have the jobs and it's basically a set of instructions which is exactly what it is so we're going to paste this in here and then we're going to start our commit so we're just going to commit these changes in so this is exactly like if we're doing this in our cli tool on our machine so create main.yml all right so we've now committed these changes into our repository now if we go back over into the actions tab we'll see that it's changed a little bit and it's already running a workflow on what we've created so it's found that uh file and it's essentially checking itself at this point and once that's done we can have a look and see what kind of response we get all right so it's been 29 seconds and we've got a failed result so this here so we're going to open up this we're going to have a look at why this has failed so it's failed on the step get guardian scan so this is the only step that we have but if we had multiple we could see why it's failed on different areas for the different jobs that we have set up different testing and different services that we're using so we get in here we get an area we get an error under the get guardian scan and down the bottom we can see why and the exception is that get guardian api key is needed now if you've used guardian gg shield before you'll know that it does leverage guardian's sequence detection engine which means we need an api to be able to communicate so next step is we need to get that api key which is very simple so we head over to dashboard.getguardian.com and if we don't have an account we can create one now we can log in using we can create one using github it takes about three seconds and down on the left we have an api tab and we have some different keys i've made before but we're going to create a new one we're going to call it github actions and we're going to create this key here now i'm going to copy my key now i know i'm showing you my key on the screen but that's just because i know i'm going to delete it later this these keys are sensitive so don't uh don't go sharing them on youtube like i am and we're gonna head back so now we have to ask ourselves the question of where do we put this api key now we know that putting secrets inside a repository is a bad practice so we don't want to commit this api key into our repository even if it's private instead we're going to be using the dedicated service that github has to store secrets for our ci and cd environments so under settings you'll see under security something called secrets and when we click on action secrets we'll say that there are no secrets for this repository so we want to add a new repository secret now github stores these secrets uh securely they are encrypted in transit and rest so it is still quite safe to store these secrets in here but it might depend on what your organization's uh what your organization's policies are so just check with that first we're going to create a new variable now the variable has to be get guardian underscore api underscore key and the value is the api key that we've just copied across from our dashboard and then we're going to add our secret in so this secret is now added uh into our project so now that we've added that secret we're gonna move on to the next step so we're gonna go back to our actions tab and we're gonna click on the failed action job and this time we're going to repeat this so in the top right you'll see a button that says rerun all scans so this is pretty self-explanatory so now that we've added in our secret into our github actions this should pass so we should get a big green tick to let us know that this has passed so we'll give it a few seconds yes so here we can see our actions have now passed so we can move on to the next step which is testing to see if it can find credentials and secrets so we're going to go back here to code and what i'm going to do is i'm going to commit a secret into our repository now this is not something that you should ever do on purpose or by mistake if you can avoid it but we're going to do it so i'm going to open up a file here called config.p and i'm going to edit this file now in this file i'm just going to paste in here an aws key so this is quite a sensitive key and so definitely not something we want in our github repositories but could be something that is in a configuration file uh such as like this so we're going to go ahead and we're going to commit these we're going to put updating our config file and we're going to commit these changes so we've committed these changes here and now we're going to go back to our github actions now this is running again everything going to plan it should still fail but it should fail because it's found a secret and it shouldn't fail simply because it doesn't have the correct api key to run so let's give it a few seconds and see what happens so again we can see that it's failed it took about 30 seconds to run and again obviously it's failed on our get guardian scan so we're going to open up this so it's failed at the exact same spot but now we have some more information so it says it's detected it has one incident found in the configuration.py file yes that's correct that's the file that we edited it's an aws key and it also does a validity check and saying that this is actually valid so this means that get guardian has communicated with aws and determined that this is a live active key now this is a really cool feature because sequence detection you can get a lot of false positives especially using kind of generic out of the box solutions so having validity checks can give you you know a lot a lot more power in determining what's a real very prominent threat and this would definitely cover that so now what we want to do is we're going to have to go back and we need to make changes into our repository we need to revoke this credential because it unfortunately has been exposed and then we can commit those changes and hopefully our check runs will pass that time now obviously in this example we've been using github actions and gg shield to basically scan uh when we've pushed to our remote repository so we've made a commit and then we've pushed it to our repository we kind of skipped those steps because we're using the github interface but we can also run these scans when a pull request is made so we can actually block pull requests that contain secrets so that they don't enter into the main repository which is quite a cool little feature so let me know how you guys are going setting this up if you need any help you can always reach out to me twitter or in the comment sections my handle is at advocate mac i'd love to hear your feedback and let me know if there's any issues so thanks for listening guys and stay tuned for more gg shield videos in the future [Music] you