This repository has been archived by the owner on Sep 14, 2023. It is now read-only.

Create secretscheck.yml #225

Merged
merged 4 commits into from
Oct 2, 2022

Conversation

jainkrati
Contributor

@jainkrati jainkrati commented Sep 15, 2022

Resolves #36

In order to check for accidentally leaked secrets/api keys/passwords, I checked out some existing solutions which we could integrate in our repo:

Considering the number of stars, frequency of update and ease of integration, I have integrated trufflehog for now. However, we can discuss more and I can update the PR accordingly.

Contributor

@harrysolovay harrysolovay left a comment


The Trufflehog action looks tremendous. Does it protect us from instances such as the following?

forgot-to-gitignore.ts

export const ALICE_PUBLIC = "d43593c715fdd31c61141abd04a99fd6822c8558854ccde39a5684e7a56da27d";
export const ALICE_SECRET = "e5be9a5092b81bca64be81d212e7f2f9eba183bb7a90954f7b76361f6edb5c0a";

My hope is that––when PRed––this would result in a failing check, and a swift force push to the fork/branch could eliminate the secret from its history.

Sidenote: it'd be nice to have a git hook that does the same check locally pre-commit.
Sidenote: it'd be nice to scan the entire repo history as well.

In cases where we do want to commit/expose the secret (Alice is a commonly-known pair, after all), we could somehow allow it / explicitly pass validation.

It's unclear whether Trufflehog addresses this precaution (perhaps it does). Also, it's unclear whether this precaution can be appropriately addressed in the first place; after all, how does a program distinguish between a keypair secret vs. a scale-encoded hex, vs. some other string?

Regardless of the answers to these questions, I think this PR is generally positive! Worse comes to worse, we can adjust the description of / back-log #36 (in which case, let's not prefix this PR body with the resolution cue).

@jainkrati
Contributor Author

Updates:

  1. We add the Trufflehog GA and after a few weeks evaluate whether Trufflehog is serving our purpose or whether we need to replace it with a better one. Created an event for 4th November for the same.
  2. To exclude files from scanning (in order to push in some test secrets on purpose), we can specify --exclude-paths=EXCLUDE-PATHS as part of extra_args: https://github.com/trufflesecurity/trufflehog/blob/main/README.md#usage
  3. I will manually rebase the commit history to remove all commits which introduced any kind of secret. Going forward, the GitHub Action will take care of preventing secrets in code.

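The workflow shape the thread describes, written out as an added illustration rather than the PR's actual secretscheck.yml: a full-history checkout so the scan covers every commit (not only HEAD, which is what the "scan the entire repo history" sidenote asks for), the trufflesecurity/trufflehog action, and the `--exclude-paths` option from point 2 pointing at an exclusion file. The file name `.trufflehog-exclude.txt` and the trigger branches are assumptions; the action's `path`, `base`, `head` and `extra_args` inputs are the action's own.

```yaml
# Added example: one way to wire TruffleHog into a PR check.
# Not the file merged in this PR; file names and branches are assumptions.
name: secrets check

on:
  pull_request:
  push:
    branches: [main]

jobs:
  trufflehog:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          # fetch-depth 0 pulls the whole history, so a secret that was
          # committed and then "deleted" in a later commit is still caught.
          fetch-depth: 0

      - name: Scan for leaked secrets
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          # Scan only what this PR adds relative to the default branch;
          # on a push to main, base and head both resolve sensibly.
          base: ${{ github.event.repository.default_branch }}
          head: HEAD
          # --exclude-paths takes a file of path regexes, one per line, so
          # deliberately committed test material (e.g. the well-known Alice
          # dev keypair) can be allowlisted without silencing the rest.
          extra_args: --exclude-paths=.trufflehog-exclude.txt
```

The exclusion file (assumed name) is a plain-text list of regular expressions, one per line, matched against file paths; keep it narrow, since any path it matches is never scanned.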
@jainkrati jainkrati merged commit 53fd5c1 into main Oct 2, 2022
@jainkrati jainkrati deleted the kratijain/password_check branch October 2, 2022 19:52
harrysolovay pushed a commit that referenced this pull request Oct 19, 2022
* Create secretscheck.yml

* add missing word

* Update .github/workflows/secretscheck.yml

Co-authored-by: T6 <[email protected]>

Co-authored-by: T6 <[email protected]>
Successfully merging this pull request may close these issues.

Task that scans for secrets / errors out during pre-commit
3 participants