git-secrets扫描增量明文密码
使用gitlab的服务端hook来对增量代码的文件进行扫描,tree如下:
1.安装编译git-secrets组件
apt-get -y update
apt-get -y install build-essential
git clone https://github.com/awslabs/git-secrets /var/opt/git-secrets
cd /var/opt/git-secrets
make install
2.
把安装包放到/opt目录下:
cd /opt
tar -xzvf git-hook.tar.gz
chown -R git:git git-hooks
3.配置gitlab的hook目录位置
4.生效
gitlab-ctl reconfigure
5.git clone一个代码,然后git push试试。
--
root@localhost:/opt/git-hooks# cat .gitconfig
# This file is managed by gitlab-ctl. Manual changes will be
# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
# and run `sudo gitlab-ctl reconfigure`.
[user]
name = root
email = bo.tang@capitalonline.net
[core]
autocrlf = input
#alternateRefsCommand="exit 0 #"
#fsyncObjectFiles = true
[gc]
auto = 0
[secrets]
providers = git secrets --aws-provider
patterns = [w]*password
patterns = \\w+password\\s*=\\s*.+
patterns = \\w+password',[[:space:]]{0,1}'.*'
patterns = \\w+user',[[:space:]]{0,1}'.*'
patterns = PASSWORD\\s*=\\s*.+
patterns = [w]*PASSWORD
patterns = \\w+PASSWORD\\s*=\\s*.+
patterns = USER\\s*=\\s*.+
patterns = [w]*USER
patterns = \\w+USER\\s*=\\s*.+
# patterns = \\s*.+password\\s*=\\s*.+
# patterns = \\w+password',[[:space:]]{0,1}'.*'
# patterns = \\w+password\\s*=\\s*.+
# patterns = \\w+user',[[:space:]]{0,1}'.*'
# patterns = [w]*password
# patterns = [A-Z0-9]{20}
# patterns = (\"|')?(AWS|aws|Aws)?_?(SECRET|secret|Secret)?_?(ACCESS|access|Access)?_?(KEY|key|Key)(\"|')?\\s*(:|=>|=)\\s*(\"|')?[A-Za-z0-9/\\+=]{40}(\"|')?
# patterns = (\"|')?(AWS|aws|Aws)?_?(ACCOUNT|account|Account)_?(ID|id|Id)?(\"|')?\\s*(:|=>|=)\\s*(\"|')?[0-9]{4}\\-?[0-9]{4}\\-?[0-9]{4}(\"|')?
# allowed = AKIAIOSFODNN7EXAMPLE
# allowed = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# patterns = password\\s*=\\s*.+
# patterns = \\s*.+password\\s*=\\s*.+
---
root@localhost:/opt/git-hooks# cat update.d/git-secrets.sh
#!/usr/bin/env bash
refname=$1
oldrev=$2
newrev=$3
echo "Executing git-secrets"
# use git-secrets aws-provider git configuration
HOME=/opt/git-hooks
PATH=$PATH:/usr/local/bin
# handle empty repository
if [ "$oldrev" = "0000000000000000000000000000000000000000" ]; then
oldrev=4b825dc642cb6eb9a060e54bf8d69288fbee4904
fi
#git secrets --add --global 'password\s*=\s*.+'
#git secrets --add --global '\s*.+password\s*=\s*.+'
git secrets --add --global [\w]*password = "[\w]*"
git secrets --add --global '\w+password\s*=\s*.+'
git secrets --add --global "\w+password',[[:space:]]{0,1}'.*'"
git secrets --add --global "\w+user',[[:space:]]{0,1}'.*'"
git secrets --add --global 'PASSWORD\s*=\s*.+'
git secrets --add --global [\w]*PASSWORD = "[\w]*"
git secrets --add --global '\w+PASSWORD\s*=\s*.+'
git secrets --add --global 'USER\s*=\s*.+'
git secrets --add --global [\w]*USER = "[\w]*"
git secrets --add --global '\w+USER\s*=\s*.+'
for i in $(git show $newrev:.gitallowed 2>/dev/null); do
git secrets --add --allowed $i;
done
exitcode='0'
FILES=`git diff --name-status $oldrev $newrev | awk '{print $2}'`
for filepath in $FILES; do
if [ "$filepath" = ".gitallowed" ]; then
echo "Skipping $filepath ..."
else
echo "Scanning $filepath ..."
fi
echo "============================="
git show $newrev:$filepath | git secrets --scan -
result=$?
if [ "$result" != "0" ]; then
exitcode=$result
fi
done
echo "[RE] code=${exitcode}"
if [ "$exitcode" != "0" ]; then
echo ""
echo "Listing configuration ..."
echo ""
git secrets --list
echo ""
echo "Please fix the above issues by running \`git reset HEAD~1\`, and encrypting the secrets."
echo ""
echo "To prevent committing secrets in the future, install git-secrets on your local machine."
echo " https://github.com/awslabs/git-secrets"
echo ""
echo "Add AWS configuration template to add hooks to all repositories you initialize or clone in the future."
echo " git secrets --register-aws --global"
echo ""
echo "Add hooks to all your local repositories."
echo " git secrets --install ~/.git-templates/git-secrets"
echo " git config --global init.templateDir ~/.git- templates/git-secrets"
echo "[WARNING] some filed has secrets issues, please update them"
exit 1
else
echo "[complited] git secrets scan finished"
fi
