Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add GitLeaks Scanning to PRs #1

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

tuneinops
Copy link

Automated Scanning of Pull Requests for API Keys

As part of the ongoing effort to secure TuneIn's GitHub repos to prevent another occurrence similar to what happened with CodeCov, we will be implementing a scan that runs on PRs opened to the primary branch of each repo. The code for the PR will be checked out and the cli tool gitleaks will be run against it. If there are findings, the failed check will show on the "Conversation" tab of the PR. In order for all checks against an open PR to succeed, the PR must not contain sensitive keys.

What do I do if my PR check fails?

If you have mistakenly checked in a secret to git as part of your PR, you should remove it promptly.

  • Git reset to the commit prior to the secret being added to source control
  • Edit the file(s) containing secrets to remove them
  • Author a new commit containing the fix as well as your other work
  • Force-push the new commit history to git

The force push is essential to ensure that the secret is not only removed from the most recent commit but from the history as well. After performing this sequence of steps, the automated scan on your PR will pass.

Help! The scan says I have checked in secrets but it's a false positive.

Every repo's scanning rules are customizable. Refer to the Custom Rules section below for en explanation of the syntax to add the path containing a false positive to the allowlist. Exercise caution when findings are added to the allowlist to ensure that the findings are not genuine. Entries in the allowlist will not appear on subsequent scans.

What about tokens that my team regularly works with that are not picked up by the default scan rules?

You can add custom rules to your config that meet the needs of your team. Rules are picked up by scanning files with a list of regular expressions. Write a regex for the types of tokens that your app interacts with and add it to your custom config file.

Custom Rules

Custom rules for your repo should live in the file .github/gitleaks.toml. See examples below for some available customizations or, refer to the documentation for gitleaks for more complete examples.

Adding a path to the allowlist

[allowlist]
  files = [ '''file-regex-a''', '''file-regex-b''']

Adding a custom rule

[[rules]]
  description = "NPM Token"
  regex = '''(npm|NPM)(.+)\b[0-9a-f]{8}\b-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-\b[0-9a-f]{12}\b'''
  tags = ["key", "NPM"]

Alternatives to Secrets in Git

If your team is already using a strategy to prevent checking secrets into source control, continue to utilize that going forward. If you are in search of a solution, the strategies below are being utilized in teams at TuneIn already. Reach out to #devops if you need assistance with getting one of these solutions in place.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants