Scan Git repositories for sensitive information and security issues by using git-secrets - AWS Prescriptive Guidance


Created by Saurabh Singh (AWS)

Environment: Production

Technologies: Security, identity, compliance

Workload: Open-source

Summary

This pattern describes how to use the open-source git-secrets tool from AWS Labs. git-secrets scans Git source repositories and finds code that might include sensitive information, such as user passwords or access keys, or that has other security issues.

Prerequisites and limitations

Prerequisites 

  • An active AWS account

  • A Git repository that requires a security scan

Architecture

Target architecture 

  • Git

  • Git-secrets

Tools

  • git-secrets - Prevents you from committing sensitive information into Git repositories.

  • Git - An open source distributed version control system.

Epics

Task: Connect to an Amazon EC2 instance by using SSH.
Description: Connect to an EC2 instance by using SSH and a key pair file.
Skills required: General AWS

Task: Install Git.
Description: Install Git by using the "yum install git -y" command.
Skills required: General AWS

Task: Clone the Git source repository.
Description: Clone the Git repository you want to scan by running the "git clone" command from your home directory.
Skills required: General AWS

Task: Install git-secrets.
Description: Install git-secrets by cloning its source Git repository. For more information, see the "Related resources" section.
Skills required: General AWS

Task: Go to the source repository.
Description: Switch to the folder of the Git repository you want to scan: "cd <code_repository>".
Skills required: General AWS

Task: Register the AWS rule set (Git hooks).
Description: To configure git-secrets to scan your Git repository on each commit, run the command "git secrets --register-aws".
Skills required: General AWS

Task: Scan the repository.
Description: Run the command "git secrets --scan".
Skills required: General AWS

Task: Review the output file.
Description: The tool generates an output file if it finds a vulnerability in your Git repository. For an example, see the attached file, output.txt.
Skills required: General AWS
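The following POSIX-shell script is an added illustration of what the register-and-scan steps above actually check; it is not git-secrets itself and not part of this pattern. It applies a simplified version of the prohibited patterns that "git secrets --register-aws" installs (AWS access key ID prefixes and a 40-character secret assigned to a secret-access-key style variable) together with the allow-listed AWS documentation placeholders, and it reports each offending line in the "file:line:text" form a scan produces. The regular expressions are approximations of the tool's AWS rule set, the sample credentials file is constructed, and every key value in it is either fabricated or the public AWS documentation example.

```shell
#!/bin/sh
# Added example, not git-secrets: a minimal scanner showing why a line is or is not
# reported once the AWS rule set is registered. Regexes are simplified approximations.

# Prohibited: an AWS access key ID (the prefixes the AWS rule set looks for).
AWS_ACCESS_KEY_RE='(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'
# Prohibited: a 40-character value assigned to a secret-access-key style variable.
AWS_SECRET_KEY_RE="(aws|AWS)?_?(secret|SECRET)_?(access|ACCESS)?_?(key|KEY)[[:space:]]*(=|:|=>)[[:space:]]*[\"']?[A-Za-z0-9/+=]{40}"
# Allowed: the placeholder credentials used throughout the AWS documentation.
# git-secrets allow-lists these as well, so they never count as findings.
ALLOWED_RE='AKIAIOSFODNN7EXAMPLE|wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY'

# scan_file FILE
# Prints one "FILE:LINE:TEXT" record per prohibited match that is not allow-listed.
# Returns 0 when clean and 1 when anything was found, which is the pass/fail
# contract a pre-commit hook needs in order to block the commit.
scan_file() {
    file=$1
    hits=$(grep -nE "$AWS_ACCESS_KEY_RE|$AWS_SECRET_KEY_RE" "$file" \
             | grep -vE "$ALLOWED_RE" || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed "s|^|$file:|"
        return 1
    fi
    return 0
}

# count_findings FILE: number of reported lines, for scripting around the scanner.
count_findings() {
    scan_file "$1" | wc -l | tr -d ' '
}

# make_sample_file
# Writes a constructed credentials file and prints its path. Lines 1 and 3 hold the
# AWS documentation placeholders (allowed); lines 2 and 4 hold fabricated values
# that match the prohibited patterns, so exactly two findings are expected.
make_sample_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_access_key_id = AKIAAAAAAAAAAAAAAAAA
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY
aws_secret_access_key = 0000000000000000000000000000000000000000
region = us-east-1
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: `sh scan.sh --demo` scans the constructed sample and reports.
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_file)
    if scan_file "$sample"; then
        echo "clean"
    else
        echo "findings present: a pre-commit hook would block this commit"
    fi
    rm -f "$sample"
fi
```

The allow-list step is what keeps a scan usable: without it, every copy of the documentation example key in a README would be reported as a leaked credential, which is why git-secrets registers those placeholders as allowed patterns alongside the prohibited ones.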

Attachments

attachment.zip