Skip to content
/ pa2588-devsecops-secrets-management Public template

Playground for learning a bit about Secrets Management

License

GPL-3.0 license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

bth-dipt-teaching/pa2588-devsecops-secrets-management

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

25 Commits
.github/workflows
.github/workflows
 
 
iac
iac
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

PA2588 DevSecOps: Playground for Secrets Management

This is part of the course DevSecOps.

Warning

This playground is not complete yet. Needs steps on creating AWS tokens and HashiCorp vault. (And possible some additional convincing of GitHub whenever a student pushes the files or edits terraform.yml for the first time.)

Note

The secrets in .github/workflowsterraform.yml are Canary Tokens, meaning they look real and will be detected by Secret Scanners such as TruffleHug -- unlike obvious test strings such as AKIAIOSFODNN7EXAMPLE.

Preparation

  1. Click on Use this template to create a new repository in your GitHub account (don't fork it), and make sure to set the visibility to "Public".
  2. In your repository, go to the "Actions" tab, and click "I understand my workflows, go ahead and enable them" (if that button is shown).

1. Secrets Leakage Detection (Shallow and Deep)

  1. In .github/workflows/secrets.yml, uncomment the block labeled "Version 1" to enable secret scanning with TruffleHog.
    • This should trigger two jobs in GitHub actions: "Terraform" is expected to fail, because there are no working AWS secrets yet (we ignore this for now). "Secrets" is expected to succeed, because TruffleHog is currently configured to check only the diff of the most recent commit.
  2. In .github/workflows/secrets.yml, uncomment the block labeled "Version 2" to let TruffleHog scan the whole version history.
    • This should again trigger two jobs in GitHub actions: "Secrets" is now expected to fail, because TruffleHog found several secrets in the version history.
  3. In .github/workflows/terraform.yml, delete the block labeled "Version 0" and uncomment "Version 3" to enable reading the secrets from GitHub.
    • This should again trigger two jobs in GitHub actions: "Secrets" is still expected to fail, because even though the current version does not contain any more secrets, TruffleHog found the secret in the diff of the most recent commit. (And any additional commit would still not remove the secret from the Git history.)
  4. In .github/workflows/secrets.yml, comment out the "Version 2" block again, to let TruffleHog scan only the last commit.
    • This should again trigger two jobs in GitHub actions: "Secrets" is now expected to succeed, because TruffleHog found no secret in the diff of the most recent commit.

2. Secrets Management

  1. Go to "Settings" > "Secrets and variables" > "Actions". Create Repository Secrets AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. Retrigger the failed "Terraform" job.
    • The "Terraform" job should now succeed (showing that the credentials do indeed work).
  2. Go to "Settings" > "Secrets and variables" > "Actions". Delete the Repository Secrets AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. Create a new Repository Secret VAULT_TOKEN.
  3. In .github/workflows/terraform.yml, comment out the block labeled "Version 3" and uncomment both "Version 4" blocks to enable reading the secrets from Hashicorp's vault.
    • The "Terraform" job should now succeed (showing that the imported credentials do indeed work).

About

Playground for learning a bit about Secrets Management

Resources

Readme

License

GPL-3.0 license
Activity
Custom properties

Stars

0 stars

Watchers

4 watching

Forks

0 forks
Report repository

Contributors 2

  •  
  •  

Languages