Closed r0mant closed 1 month ago
Looks like an interesting quest, though it looks like it has already been assigned. I would like to be part of the research or implementation.
After doing some investigating I found two tools that are well supported and open source.

Just to compare them from a UX standpoint:

**gitleaks**
- `.gitleaksignore`
- `gitleaks:allow` line can be added to flag the secret as safe.

**trufflehog**
- `verified-only` mode (`GetCallerIdentity` resource)
- verified detection rules (i.e. to test against internal APIs)
- verified mode can reduce false positives by only reporting active secrets.
- `node_modules` gives a lot of hits.
- `trufflehog:ignore` line can be added to flag the secret as safe.

Created a fake SSH key, TLS private/public key pair, auto-generated password, and canary AWS credentials. Also did a quick test against all files in the teleport repo to check noise levels and the upper bound of the execution time. The check did not include git history, only the files present in the latest commit.

Neither caught the auto-generated password, but this could be configured in both to be more sensitive.

- `verified-only` enabled: only 1 hit (canary AWS creds)

We should use gitleaks for pre-commit hooks.

While trufflehog is very powerful and has a lot of really nice features for reducing noise, that does come at a cost to execution time. With the extremely small commit I tested it against, it took almost 15 seconds to run. It's important to also recognize that in verified mode it establishes connections which, depending on network conditions, could slow it down even more. It might be a good idea to look into trufflehog for frequent scans post-commit, but it could be too intrusive in the development process as a pre-commit hook.
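As an added example (written for this page, not code from gitleaks, trufflehog or the Teleport project), the script below shows the hook mechanics the comparison above turns on: pattern rules, the inline `gitleaks:allow` / `trufflehog:ignore` marker, a path ignore list of the kind `.gitleaksignore` provides (which is how the `node_modules` noise gets cut), and an optional entropy check, which is the knob one would turn to catch an auto-generated password that no fixed pattern matches. The sample "staged" files, the simplified regexes and the 3.5-bit threshold are assumptions; the AWS access key id is the placeholder value from AWS's own documentation, not a live credential.

```python
"""Minimal pre-commit secret scanner (illustrative; not gitleaks/trufflehog code)."""
import math
import re
import subprocess
import sys
from dataclasses import dataclass

# Simplified pattern rules (assumption: not copied from either tool's rule set).
RULES = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private-key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}
# A line carrying one of these markers is treated as a reviewed false positive.
ALLOW_MARKERS = ("gitleaks:allow", "trufflehog:ignore")
# Candidate tokens for the entropy check: long runs of base64/identifier characters.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{20,}")


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    line: int
    redacted: str


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(secret):
    """Keep a 4-char prefix so the finding is recognisable without printing the secret."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_text(path, text, ignore_paths=(), entropy_threshold=None):
    """Scan one file's contents. Ignored paths return nothing; allow-marked lines are skipped.
    The entropy check only runs on lines no pattern rule already flagged."""
    if any(path == p or path.startswith(p) for p in ignore_paths):
        return []
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if any(marker in line for marker in ALLOW_MARKERS):
            continue
        matched = False
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                matched = True
                findings.append(Finding(rule, path, lineno, redact(m.group(0))))
        if matched or entropy_threshold is None:
            continue
        for token in TOKEN_RE.findall(line):
            if shannon_entropy(token) >= entropy_threshold:
                findings.append(Finding("high-entropy", path, lineno, redact(token)))
    return findings


def scan_files(files, ignore_paths=(), entropy_threshold=None):
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text, ignore_paths, entropy_threshold))
    return findings


def staged_files():
    """Read the index (staged) version of every added/copied/modified file, as a real hook would."""
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                         check=True, capture_output=True, text=True).stdout
    files = {}
    for path in filter(None, out.splitlines()):
        blob = subprocess.run(["git", "show", ":" + path], check=True, capture_output=True).stdout
        files[path] = blob.decode("utf-8", errors="replace")
    return files


# Constructed sample "staged" files; none of these values are real credentials.
SAMPLE_FILES = {
    "config/prod.yaml": "aws_access_key_id: AKIAIOSFODNN7EXAMPLE\n",          # AWS docs placeholder
    "deploy/id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\n"
                         "(key material omitted in this constructed sample)\n"
                         "-----END OPENSSH PRIVATE KEY-----\n",
    "lib/db.go": 'const dbPassword = "v7Qm2xP9LkR4sT8wYb3ZnH6c"\n',          # 24 distinct chars
    "lib/aws_test.go": 'const fakeKey = "AKIAIOSFODNN7EXAMPLE" // gitleaks:allow\n',
    "node_modules/left-pad/index.js": "// " + "AKIA" + "Z" * 16 + "\n",
}


def main(argv):
    """Hook entry point: exit 1 (block the commit) when anything is found."""
    files = staged_files() if "--staged" in argv else SAMPLE_FILES
    threshold = 3.5 if "--entropy" in argv else None
    findings = scan_files(files, ignore_paths=("node_modules/",), entropy_threshold=threshold)
    for f in findings:
        print(f"{f.path}:{f.line}: {f.rule}: {f.redacted}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run without arguments it scans the constructed sample and reports the AWS key id and the private-key header but not the password, mirroring the thread's test results; `--entropy` adds the password as a high-entropy hit, and `--staged` reads the real index the way a `.git/hooks/pre-commit` script would. In a real hook you would not ship a scanner like this: gitleaks' own equivalent of the `--staged` path is `gitleaks protect --staged`, and this script exists only to make the allow-marker, ignore-path and entropy trade-offs concrete.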
@doggydogworld I agree with your assessment, let's use gitleaks.
We've decided to not do this for the time being given hosted GitHub does not support server-side pre-commit hooks and making this feature opt-in makes it far less effective. GitHub's built-in secret scanning on push should do fine for now.
Let's add a git pre-commit hook that prevents folks from accidentally pushing secrets to GitHub.
Research/investigate what options there are and implement this.