Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Using Template for Secrets Detection Guide #143

Merged
merged 4 commits into from
Mar 19, 2024
Merged

Using Template for Secrets Detection Guide #143

merged 4 commits into from
Mar 19, 2024

Conversation

riverma
Copy link
Collaborator

@riverma riverma commented Mar 1, 2024
edited
Loading

Purpose

  • Simplified guide significantly based on user feedback
  • Utilizing new SLIM best practice guide template format

Proposed Changes

  • [CHANGE] README contents
  • [FIX] GitHub Action workflow was displaying code output instead of executing code during scan

Issues

Testing

@riverma riverma self-assigned this Mar 1, 2024
This was referenced Mar 1, 2024
Closed
Closed
@riverma riverma requested review from a team and perryzjc March 1, 2024 23:47
@riverma
Copy link
Collaborator Author

riverma commented Mar 14, 2024

@NASA-AMMOS/slim-committers - any thoughts about this PR? Please review if you can so we can get this merged. CC @perryzjc.

@perryzjc
Copy link
Member

@NASA-AMMOS/slim-committers - any thoughts about this PR? Please review if you can so we can get this merged. CC @perryzjc.

@riverma: I will do it within the next two days. I just noticed this; I had been busy with school for a while. Thank you for the reminder.

@riverma
Copy link
Collaborator Author

riverma commented Mar 15, 2024

@NASA-AMMOS/slim-committers - any thoughts about this PR? Please review if you can so we can get this merged. CC @perryzjc.

@riverma: I will do it within the next two days. I just noticed this; I had been busy with school for a while. Thank you for the reminder.

No prob @perryzjc - thank you!

@riverma
Copy link
Collaborator Author

riverma commented Mar 19, 2024
edited
Loading

Hi Folks! @NASA-AMMOS/slim-committers and @perryzjc. I'd like to demo this reformatted guide tomorrow, so if you have any final comments please share. I plan to merge March 19th. Otherwise, just remember, you can always propose a PR to alter this guide if you have an issue with it!

ingyhere
ingyhere approved these changes Mar 19, 2024
View reviewed changes
Copy link
Contributor

@ingyhere ingyhere left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great.

@ingyhere ingyhere requested review from yunks128 and a team March 19, 2024 16:44
@riverma
Copy link
Collaborator Author

riverma commented Mar 19, 2024

Thanks for reviewing @ingyhere.

@riverma riverma merged commit 4016bf6 into main Mar 19, 2024
2 checks passed
@perryzjc
Copy link
Member

perryzjc commented Mar 19, 2024
edited
Loading

Hi @riverma,

I just had the chance to review the PR and I have some comments on it. Overall, it looks good, but I noticed a few minor things.

  1. I observed the updates made by @ingyhere, which added more excluded files to potentially help reduce false positives. This initially seems helpful, but the same optimization could be applied to other parts of the document that also involve --exclude-files, such as one code at Quick Start, another code at Layer 1, and another code at Layer 2.

  2. However, including so many lines makes the command inconvenient to use and introduces repetitiveness for the document and maintenance difficulties. A potential solution to this could be to refactor the command about exclude files, making it read the content from .gitignore. Another potential way is to define a YAML config file to be used for the three layers along with more comprehensive excluded file list. This would not only keep the command short but also make it easier to modify to exclude more files and be more compatible with SDLC. What do you think? I am not sure about the feasibility, but I can do some research and experimentation on it.

Finally, a few notes for reference:

  1. Regarding History Scanning, the current detect-secret doesn't support this, but someone had tried to make a PR about this. The PR hasn't been finalized for 4 years, so it might still take a long time to see this feature. However, trufflehog is really powerful for scanning different kinds of resources for secrets, such as a history of commits, secrets from a GitHub org, an AWS S3, and more.

  2. A few imperfections about trufflehog include:

    • It doesn't use a secret management baseline approach, which is not very convenient for local and GitHub side automated scans, especially when handling false positives. That's where detect-secret is really helpful.
    • When using trufflehog, its plugin system is partially different from that of detect-secret. So, some secrets detected by detect-secret might not be detected by trufflehog, and vice versa.
    • Although not perfect, trufflehog still seems worth mentioning, as it brings value for large-scale scans over different resources, which seems valuable for the JPL community.
    • Other potential solutions to this might be making PRs/customized version to migrate regex of plugins at detect-secret to trufflehog, such as IP address detection.

  3. I love the section about "How are commits containing secrets removed permanently from Git history?". It's really concise and introduces two ways of removing history. My question is, do you think it's worth having another document to elaborate more on this part (a potential future work)? A few references about this are some of my previous experimental uses of git filter-branch.

  4. For our customized plugins, some of them look good for Yelp/detect-secret reviewers and are prepared to be merged, such as IPV4 Detection. Some of others, are being suggested for some updates for better use, such as the Email Address Detection. So there are also some potential work to do for me.

I hope this comment is helpful. It outlines some potential work that could take time to complete. I can assist with it based on needs and priorities. My school is about to have Spring Break, so hopefully, I can get some relief from the busy coursework for a while...

@ingyhere
Copy link
Contributor

  1. I observed the updates made by @ingyhere, which added more excluded files to potentially help reduce false positives. This initially seems helpful, but the same optimization could be applied to other parts of the document that also involve --exclude-files, such as one code at Quick Start, another code at Layer 1, and another code at Layer 2.

Good catch. Those should be uniform across the invocations (local, actions, etc.). There appears to be a minor error on line 212 (two dots), but I have to look up whether it is using glob or regex. ...

  1. However, including so many lines makes the command inconvenient to use and introduces repetitiveness for the document and maintenance difficulties. A potential solution to this could be to refactor the command about exclude files, making it read the content from .gitignore. Another potential way is to define a YAML config file to be used for the three layers along with more comprehensive excluded file list. This would not only keep the command short but also make it easier to modify to exclude more files and be more compatible with SDLC. What do you think? I am not sure about the feasibility, but I can do some research and experimentation on it.

The idea of using the ignore file is great but it may also contain CI files, or something similar, that shouldn't be routinely overwritten, but also legitimately contain errant secrets. I don't think I would use the .gitignore for that reason.

OTOH, that configuration perhaps could be added to the .secrets.baseline probably without consequence. Adding an extra YAML is an option, but then there's yet another new configuration file to track, and it would be just as well for users to keep the number of configs limited. Or, just keep it as-is -- It always should be user modifiable, maybe mention that.

  1. I love the section about "How are commits containing secrets removed permanently from Git history?". It's really concise and introduces two ways of removing history. My question is, do you think it's worth having another document to elaborate more on this part (a potential future work)?

Thanks. The history removal requires a lot of specialized expertise and is frankly dangerous. I don't think a guide can cover all edge cases which would make it riskier to apply. This is a worrisome topic.

@riverma riverma added the software lifecycle Process improvements involving developing, testing, integrating, deploying software label Mar 26, 2024
@riverma
Copy link
Collaborator Author

riverma commented Mar 28, 2024

Thanks @perryzjc for the comment and @ingyhere for the thoughts!

Hi @riverma,

I just had the chance to review the PR and I have some comments on it. Overall, it looks good, but I noticed a few minor things.

  1. I observed the updates made by @ingyhere, which added more excluded files to potentially help reduce false positives. This initially seems helpful, but the same optimization could be applied to other parts of the document that also involve --exclude-files, such as one code at Quick Start, another code at Layer 1, and another code at Layer 2.
  2. However, including so many lines makes the command inconvenient to use and introduces repetitiveness for the document and maintenance difficulties. A potential solution to this could be to refactor the command about exclude files, making it read the content from .gitignore. Another potential way is to define a YAML config file to be used for the three layers along with more comprehensive excluded file list. This would not only keep the command short but also make it easier to modify to exclude more files and be more compatible with SDLC. What do you think? I am not sure about the feasibility, but I can do some research and experimentation on it.

I agree with @ingyhere - reading from the .gitignore could introduce unexpected behavior. It's always best to minimize reading from files that are intended for specific tools. Also - a separate config file may be a bit annoying to maintain. I'd imagine that a user might even think: why don't I just copy my long command into a script to automate it?

Personally - I feel the long --exclude clauses give transparency and would likely just be a copy / paste operation for a user whenever they run the tool. It seems though that the current list is Pythonic, and may need further modification for other languages.

Would it be more straightforward to just have a sub-section in the guide for recommended exclusions, and maintain that list over time? A copy / paste could do the trick for a reader.

Finally, a few notes for reference:

  1. Regarding History Scanning, the current detect-secret doesn't support this, but someone had tried to make a PR about this. The PR hasn't been finalized for 4 years, so it might still take a long time to see this feature. However, trufflehog is really powerful for scanning different kinds of resources for secrets, such as a history of commits, secrets from a GitHub org, an AWS S3, and more.

  2. A few imperfections about trufflehog include:

    • It doesn't use a secret management baseline approach, which is not very convenient for local and GitHub side automated scans, especially when handling false positives. That's where detect-secret is really helpful.
    • When using trufflehog, its plugin system is partially different from that of detect-secret. So, some secrets detected by detect-secret might not be detected by trufflehog, and vice versa.
    • Although not perfect, trufflehog still seems worth mentioning, as it brings value for large-scale scans over different resources, which seems valuable for the JPL community.
    • Other potential solutions to this might be making PRs/customized version to migrate regex of plugins at detect-secret to trufflehog, such as IP address detection.

If you've experimented with Trufflehog and feel confident suggesting it, maybe we could mention it as an answer in the FAQ question about this as a start? I think the detect-secrets tool approach you've recommended is pretty great for now and unless things really evolve on the trufflehog side to support secrets management, we could continue to recommend detect-secrets. I like that you're thinking of other tools though - the guide should evolve as the tool-landscape changes!

  1. I love the section about "How are commits containing secrets removed permanently from Git history?". It's really concise and introduces two ways of removing history. My question is, do you think it's worth having another document to elaborate more on this part (a potential future work)? A few references about this are some of my previous experimental uses of git filter-branch.

Rather than us writing another document, perhaps we can link to a document on the web that outlines the steps clearly? I have to imagine this is a common topic!

  1. For our customized plugins, some of them look good for Yelp/detect-secret reviewers and are prepared to be merged, such as IPV4 Detection. Some of others, are being suggested for some updates for better use, such as the Email Address Detection. So there are also some potential work to do for me.

💯

I hope this comment is helpful. It outlines some potential work that could take time to complete. I can assist with it based on needs and priorities. My school is about to have Spring Break, so hopefully, I can get some relief from the busy coursework for a while...

Of course! We're just grateful to have your continued interest in the project @perryzjc and hope its useful in your other efforts! Best of luck with all the school.

@ingyhere
Copy link
Contributor

There's another way to see inside all the commits that uses Git log, something like git log --all --raw --patch --no-decorate to start. Identifying a precise location where a secret is located would be scripting around it, but a smart script based on that would at least let the user know if there are secrets at all.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ingyhere ingyhere ingyhere approved these changes

@perryzjc perryzjc Awaiting requested review from perryzjc

@yunks128 yunks128 Awaiting requested review from yunks128

Assignees

@riverma riverma

Labels
software lifecycle Process improvements involving developing, testing, integrating, deploying software
Projects
SLIM Planning Board
Status: ✅ Work Complete
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@riverma @perryzjc @ingyhere