Avoid putting confidential information and login credentials into GitHub Repos with Talisman’s security check!
This blog post will discuss using git for source code management and Talisman to prevent the leakage of sensitive data.
Security Considerations for Git
Developers frequently use git and run commands such as git add .
The “period” that follows git add stages every modified or newly added file, and all of them end up in the commit. This complacency can occasionally result in problems such as sensitive data leakage, including credentials and SSH keys.
Solution
Talisman is a tool that adds a hook to your repository to make sure that potential secrets and other sensitive data stay on the developer’s workstation. The outgoing changeset is checked for suspicious elements such as potential SSH keys, authorization tokens, private keys, etc. Talisman can also be used as a repository history scanner to find secrets that have already been checked in, so that you can make an informed decision about how to protect them.
Note: Talisman supports macOS, Linux, and Windows.
Installation
Talisman can be installed on the machine as a git hook, as a global git hook template, or as a CLI tool that can also be used for scanning a git repo. The git hook can be set up as either a pre-commit or a pre-push hook.
1. Installation as a global hook template
We advise installing Talisman as a pre-commit git hook template, as this ensures that Talisman is present in both your existing git repositories and any new ones that you “init” or “clone.”
To download and install the binary in $HOME/.talisman/bin, run one of the following commands in your terminal.
As a pre-commit hook:
bash -c "$(curl --silent https://thoughtworks.github.io/talisman/scripts/install.bash)"
OR
As a pre-push hook:
bash -c "$(curl --silent https://thoughtworks.github.io/talisman/scripts/install.bash)" -- pre-push
2. Installation to a single project
# Download the talisman installer script
curl https://thoughtworks.github.io/talisman/install.sh > ~/install-talisman.sh
chmod +x ~/install-talisman.sh
# Install to a single project
cd my-git-project
# as a pre-push hook
~/install-talisman.sh
# or as a pre-commit hook
~/install-talisman.sh pre-commit
Note: After installation, look in the following project path to confirm that Talisman has been added as a pre-commit/pre-push hook:
> /<project-folder>/.git/hooks
For more about Talisman setup, see https://github.com/thoughtworks/talisman
How Does It Work?
Talisman works by running a set of checks over the files in your commit changeset: file names, file content, encoded values, entropy, and so on.
Detection Checks
- Encoded values: searches for Base64, hex, and other encoded secrets.
- File content: checks file content for anything unusual that might be a password or secret.
- File size: searches for large files that might contain keys or other secrets.
- Entropy: looks for high-entropy text that is likely to contain a password or key.
- Credit card numbers: scans content that may include credit card information.
- File names: looks for file names and extensions that suggest the file might contain secrets, such as keys or credentials.
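To make the checks above concrete, here is an added example (not Talisman’s own code) of a miniature pre-commit scanner that applies file-name, content-pattern, entropy and credit-card checks to a constructed sample changeset; the patterns and the entropy threshold are assumptions chosen for illustration, and the apiKey value is the one used later in this post.

```python
"""Added example, not Talisman's own code: a miniature pre-commit check that
mimics the kinds of tests Talisman runs (file name, content pattern, entropy,
credit card number) over a constructed sample changeset."""
import math
import re
import sys
from collections import Counter

# Constructed sample changeset (path -> content); the apiKey value is the one from the post.
SAMPLE_CHANGESET = {
    "password.txt": 'apiKey="jhaskjdkKAHSdkjasnk8913nasd"\n',
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIB...\n",
    "notes.txt": "card 4111111111111111 exp 12/29\n",  # well-known test card number
    "README.md": "Run make test before pushing.\n",
}
# Assumed patterns for illustration; Talisman ships its own, longer lists.
SUSPICIOUS_NAME = re.compile(r"(^|/)(id_rsa|id_dsa|\.env|.*\.(pem|key|p12))$")
SUSPICIOUS_CONTENT = re.compile(
    r"BEGIN (RSA|DSA|EC|OPENSSH) PRIVATE KEY|(api[_-]?key|password|secret|token)\s*[=:]\s*\S+",
    re.IGNORECASE)
ENTROPY_THRESHOLD = 3.0  # bits per character; assumed cut-off above which a token looks like a key

def shannon_entropy(token: str) -> float:
    """Shannon entropy of the token in bits per character."""
    n = len(token)
    return -sum(c / n * math.log2(c / n) for c in Counter(token).values())

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which separates plausible card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_changeset(changeset: dict) -> dict:
    """Return {path: set of checks that fired}; an empty dict means the commit may proceed."""
    findings = {}
    for path, content in changeset.items():
        hits = set()
        if SUSPICIOUS_NAME.search(path):
            hits.add("filename")
        if SUSPICIOUS_CONTENT.search(content):
            hits.add("content")
        if any(shannon_entropy(t) > ENTROPY_THRESHOLD for t in re.findall(r"[A-Za-z0-9+/=_-]{20,}", content)):
            hits.add("entropy")
        if any(luhn_ok(d) for d in re.findall(r"(?<!\d)\d{13,19}(?!\d)", content)):
            hits.add("credit_card")
        if hits:
            findings[path] = hits
    return findings

if __name__ == "__main__":
    report = scan_changeset(SAMPLE_CHANGESET)
    for path, checks in report.items():
        print(f"{path}: {', '.join(sorted(checks))}")
    sys.exit(1 if report else 0)  # a non-zero exit status is what makes git abort the commit
```

Run from a git hook, the non-zero exit on any finding is what blocks the commit; the real tool adds many more patterns and a ruleset file for exceptions.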
Running Talisman
No specific command is needed to run Talisman. It is triggered automatically according to what it has been installed as, a pre-commit hook or a pre-push hook.
If Talisman has been installed as a pre-commit hook, then:
Step 1: Add a new file to your existing code folder and insert a random apiKey with the following command
echo apiKey="jhaskjdkKAHSdkjasnk8913nasd" > password.txt
Step 2: Add the changed files for commit
git add .
Step 3: Commit the code
git commit -m "<comment-title>"
Talisman lists the findings that match secret/credential patterns in the code repository, as seen in the screenshot above.
The same steps can be repeated when Talisman has been set up as a pre-push hook.
Need to bypass or skip the Talisman hook? Use the following command when committing the code:
git commit -m "<comment-title>" --no-verify
Final Words
ThoughtWorks is the maker of Talisman. A security breach can be avoided by not uploading the application’s credentials or secrets to an open platform, and that is exactly what Talisman stops.