[Improve Existing Best Practice Guide]: Automated checking for general sensitive information within Git

[riverma]

Checked for duplicates

Yes - I've already checked

Best Practice Guide

Continuous Integration

Best Practice Guide Sections

Starter Kits

Describe the improvement

We have some existing recommendations for checking sensitive AWS credential information via using git-secrets described here. However, we've received feedback that this could be improved via the following:

• Sample pattern files to check for more specific sensitive information such as IPs, username / passwords, ARNs, security-groups
• A GitHub-side automation that checks repositories even if folks have committed and pushed sensitive information

To support these two needs, we should evaluate if git-secrets is the right tool, or if it should be augmented or replaced with a better solution.

[jordanpadams]

One other idea:

• absolute file paths - not sure how feasible/possible this is, but absolute file paths on file systems are considered sensitive from SAs

Per this:

A GitHub-side automation that checks repositories even if folks have committed and pushed sensitive information

The guidelines should also include a link to documentation about how to deep clean this from your commit history. Additionally, this automated check should also include GitHub Issues, which can include sensitive information.

[riverma]

Great suggestions @jordanpadams - we will plan to include these in our scope.

[riverma]

FYI @perryzjc see folks who are also interested in this scope of work here.

[sneely333]

We should search for anything that includes information regarding our infrastructure including sg's, vpc's, subnets, aws account numbers, ami's, bucket names, ip addresses, hostnames, roles, arn's, usernames, internal url's, and passwords.

[riverma]

We should search for anything that includes information regarding our infrastructure including sg's, vpc's, subnets, aws account numbers, ami's, bucket names, ip addresses, hostnames, roles, arn's, usernames, internal url's, and passwords.

That's a very comprehensive list of tips - thank you very much @sneely333. We will look these over.

[perryzjc]

I did some Trade Studies on four tools and put the references in the table. I feel they are quite similar.

• They all support customized regular expression, which provides a possibility to solve the needs in this ticket and other potential needs.

The main difference is about the support of Entropy Analysis. I have done some trials on this feature. It's sometimes useful for complex passwords and TOKEN format. If the current set of regular expressions didn't work, this feature could sometimes remind us, but not always. Therefore, inspecting sensitive information still needs to be taken care of.

The other slight differences are Commit Messages and File Name. We may need to use a combination of those tools based on the needs.

Tool Name	File Content	File Name	Commit Message	Pre-commit-hook	Check history	GitHub-side Automation	Customized Pattern	Entropy Analysis
git-secrets	Yes	No	Yes	Yes	Yes	Yes (doable)	Yes	No
gitleaks	Yes	No	No	Yes	Yes	Yes	Yes	Yes
trufflehog	Yes	No	No	Yes	Yes	Yes	Yes	Yes
talisman	Yes	Yes	No	Yes	Yes	Yes (doable)	Yes	Yes

[riverma]

@perryzjc - great work here. Will scope this and provide feedback. One tip is you'll want to also include GitHub's own secrets scanning tool in your trade-study. What is missing from GitHub's tool that these other tools support?

Example screenshot available in project settings on GitHub: