awslabs / git-secrets

Prevents you from committing secrets and credentials into git repositories
Apache License 2.0
12.36k stars 1.17k forks

Can't get any response from scans #235

Open orangeBiscuit opened 1 year ago

orangeBiscuit commented 1 year ago

Sorry if this is a stupid question, but I have been trying for hours on end and the commands don't give any results for me. It displays the help text correctly, but once I add anything to it (like --scan, --scan with a file path, --scan-history, etc.) it just runs and goes to the next line in the terminal without any indication of whether something happened or not. I even tried giving it a nonexistent file name and that didn't produce any error. Nothing at all. Did I make a mistake with hooks? I don't understand it, but I did "git secrets --install" in the vulnerable directory. Is this the correct way? Please help me understand this. I am new to it.

[screenshot: seedlab Running - Oracle VM VirtualBox 16-04-2023 19_49_11]

liniribeiro commented 1 year ago

This is happening for me too!

Almenon commented 1 year ago

I also had a bit of difficulty with this. I assumed it would work out-of-the-box, but git secrets appears not to work out-of-the-box. You need to register patterns for it to match against. See https://github.com/awslabs/git-secrets#example-walkthrough

There's also a convenient command for registering AWS patterns. For example:

➜  cat aws_creds.txt 
[foo]
aws_access_key_id=AKIA1111
aws_secret_access_key=AaaAAaA3aaaaAaaAa1aaaAAaa22CBAAAaaa1a1aa

➜  secret_test git:(main) git secrets --install

➜  secret_test git:(main) cat .git/hooks/commit-msg
#!/usr/bin/env bash
git secrets --commit_msg_hook -- "$@"

➜  secret_test git:(main) git secrets --register-aws
OK

➜  secret_test git:(main) git secrets --scan-history

d6e2b4ab97b6ce61427e1f24a091f28f2eda739d:aws_creds.txt:3:aws_secret_access_key=AaaAAaA3aaaaAaaAa1aaaAAaa22CBAAAaaa1a1aa

[ERROR] Matched one or more prohibited patterns

oscarenzo commented 8 months ago

To scan the current branch content, I used this command (inside the git repository):

git-secrets --scan

Keep in mind that this command will scan all the files that can be listed with this command (as shown in the documentation):

git ls-files

If you want to scan raw files you need to specify a path like:

git-secrets --scan /foo/bar

Here you can find the specific documentation for your case:

https://github.com/awslabs/git-secrets?tab=readme-ov-file#examples-1

In my case, I started customizing some patterns; I can share some of the patterns I'm using with you:

patterns.allowed

# Pattern list to be allowed by git-secrets
(//|#)\s\bgit-secrets\b:\s.*$
(http|https):\/\/.*[0-9a-zA-Z_-]{34,40}.*
^(README.md|LICENSE):.*
^(.pylintrc|.yamllint|.editorconfig|.gitignore):.*
^.git-secrets.(allowed|prohibited):.*

patterns.prohibited

# Pattern list to be prohibited by git-secrets
# Gitlab token
\bglpat-[0-9a-zA-Z=_-]{20,22}\b
# Gitea / Cloudflare token
\b[0-9a-zA-Z_-]{40}\b
# OpenSSL certificates and private keys
\-{5}(BEGIN|END)\s(CERTIFICATE|PRIVATE KEY)-{5}
# Private openssh keys
\-{5}(BEGIN|END)\sOPENSSH\sPRIVATE\sKEY-{5}
# Jenkins token
\b[0-9a-zA-Z_-]{34}\b
# Sendgrid token
\bSG\.[a-zA-Z0-9_-]{20,24}\.[a-zA-Z0-9_-]{39,50}\b
# Basic authentication
(http|https):\/\/[0-9a-zA-Z_-]+\:[0-9a-zA-Z_-]+\@.*

Maybe many of these can be improved, but with this you can start to play :-). Best regards.

NAs3c commented 5 months ago

Hello,

I have a similar issue. I created a test repository, git init'd it and git add'd the following file:

$ cat secrets.default      
DATABASE_USERNAME=root
DATABASE_PASSWORD=root
APP_KEYS="appkey1,appkey2"
JWT_SECRET=secretjwt
NEWPROJECT_AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
NEWPROJECT_AWS_ACCESS_SECRET=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
$ git ls-files      
secrets.default

I then install git secrets for the repo:

$ git secrets --install          
✓ Installed commit-msg hook to .git/hooks/commit-msg
✓ Installed pre-commit hook to .git/hooks/pre-commit
✓ Installed prepare-commit-msg hook to .git/hooks/prepare-commit-msg
$ git secrets --register-aws
OK

Now, when I check the patterns registered, nothing happens:

$ git secrets --list
$ echo $?                                       
1

I point out that I git secrets --install'd and git secrets --register-aws'd on another (real) project, which worked for registering patterns. But then git secrets --scan did not work:

$ cat secrets.default | egrep "AWS_ACCESS_KEY_ID|PASSWORD"
DATABASE_PASSWORD=root
REDACTED_AWS_ACCESS_KEY_ID=AKIA1111
$ git secrets --list
secrets.providers git secrets --aws-provider
secrets.patterns (A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}
secrets.patterns ("|')?(AWS|aws|Aws)?_?(SECRET|secret|Secret)?_?(ACCESS|access|Access)?_?(KEY|key|Key)("|')?\s*(:|=>|=)\s*("|')?[A-Za-z0-9/\+=]{40}("|')?
secrets.patterns ("|')?(AWS|aws|Aws)?_?(ACCOUNT|account|Account)_?(ID|id|Id)?("|')?\s*(:|=>|=)\s*("|')?[0-9]{4}\-?[0-9]{4}\-?[0-9]{4}("|')?
secrets.allowed AKIAIOSFODNN7EXAMPLE
secrets.allowed wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
secrets.patterns password\s*=\s*.+
secrets.patterns PASSWORD\s*=\s*.+
$ git secrets --scan
$ echo $?
0

Your project seems great and very helpful for achieving cybersecurity in AWS projects 👍. Please let me know if I can be of any help to improve it.
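The prohibited/allowed mechanics that the patterns.prohibited and patterns.allowed files in oscarenzo's comment rely on can be exercised without git-secrets installed. One detail worth seeing in action: the `git secrets --list` output in the last comment shows that `--register-aws` also registers the two AWS documentation example credentials as `secrets.allowed`, and `secrets.default` uses exactly those values, so any scan line containing them is filtered out by design, while a key of the same shape that is not allowlisted is reported. The script below is an added example, not git-secrets' own code: it reimplements the core of `git secrets --scan` (grep the targets with the prohibited patterns, drop every `file:line:text` line that also matches an allowed pattern, exit 1 if anything remains) as POSIX shell over `grep -E`, using constructed pattern files and a constructed `secrets.default`. The function names `load_patterns`, `scan_for_secrets`, `make_fixtures` and `demo`, the fixture contents, and the made-up key `AKIAFAKEFAKEFAKEFAKE` are all assumptions of this example; the AWS key regex is the one shown in the `--list` output above.

```shell
#!/bin/sh
# Added example, not git-secrets' own code: a portable reimplementation of
# the core of `git secrets --scan` so prohibited/allowed pattern files can be
# exercised offline. git-secrets greps the targets for the prohibited
# patterns, drops every matching "file:line:text" line that also matches an
# allowed pattern, prints what remains and exits 1 (0 if nothing remains).
# Pattern files: one extended regex per line, '#' comments, blank lines ignored.
# Function names and fixture contents below are this example's assumptions.

# Print the usable patterns from a git-secrets style pattern file.
load_patterns() {
    grep -vE '^[[:space:]]*(#|$)' "$1" || true
}

# scan_for_secrets PROHIBITED_FILE ALLOWED_FILE TARGET...
# Prints reported hits as file:line:text. Returns 1 on hits, 0 when clean,
# 2 when a target does not exist (instead of staying silent about it).
scan_for_secrets() {
    prohibited=$1; allowed=$2; shift 2
    for target; do
        [ -e "$target" ] || { echo "scan_for_secrets: no such file: $target" >&2; return 2; }
    done
    prohibited_tmp=$(mktemp); allowed_tmp=$(mktemp)
    load_patterns "$prohibited" > "$prohibited_tmp"
    load_patterns "$allowed" > "$allowed_tmp"
    # -n line numbers, -H always prefix the file name, -E extended regex.
    hits=$(grep -nHE -f "$prohibited_tmp" "$@" || true)
    # Allowed patterns are matched against the whole output line, which is
    # why an allowed pattern can also exempt a file ("^README.md:").
    # Skip the filter when there are no allowed patterns at all.
    if [ -n "$hits" ] && [ -s "$allowed_tmp" ]; then
        hits=$(printf '%s\n' "$hits" | grep -vE -f "$allowed_tmp" || true)
    fi
    rm -f "$prohibited_tmp" "$allowed_tmp"
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Constructed fixtures: a prohibited and an allowed list in the layout used
# in the thread, and a secrets.default like the one in the last comment.
# AKIAFAKEFAKEFAKEFAKE is a made-up value of the right shape, not a real key.
# Prints the fixture directory.
make_fixtures() {
    dir=$(mktemp -d)
    cat > "$dir/patterns.prohibited" <<'EOF'
# AWS access key ID (regex shown by `git secrets --list` after --register-aws)
(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}
# password assignments
PASSWORD[[:space:]]*=[[:space:]]*.+
EOF
    cat > "$dir/patterns.allowed" <<'EOF'
# AWS documentation example key, also allowlisted by --register-aws
AKIAIOSFODNN7EXAMPLE
# nothing in README.md or LICENSE is reported
^(README.md|LICENSE):.*
EOF
    cat > "$dir/secrets.default" <<'EOF'
DATABASE_PASSWORD=root
DOC_AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
PROD_AWS_ACCESS_KEY_ID=AKIAFAKEFAKEFAKEFAKE
EOF
    echo "$dir"
}

# Run the scan on the fixtures; line 2 (the allowlisted example key) is
# dropped, lines 1 and 3 are reported and the scan exits 1.
demo() {
    dir=$(make_fixtures)
    if (cd "$dir" && scan_for_secrets patterns.prohibited patterns.allowed secrets.default); then
        echo "secrets.default: clean"
    else
        echo "secrets.default: prohibited content found (exit $?)"
    fi
    rm -rf "$dir"
}
demo
```

Running it prints `secrets.default:1:DATABASE_PASSWORD=root` and `secrets.default:3:PROD_AWS_ACCESS_KEY_ID=AKIAFAKEFAKEFAKEFAKE`, then the exit-1 message; the `DOC_` line never appears because the allowed pattern removes it after matching. Because allowed patterns are applied to the full `file:line:text` output, an over-broad allowed entry silently hides real findings, so keep that list as narrow as the prohibited one.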