Trufflehog searches through git repositories for high-entropy strings and secrets, digging deep into commit history.
How it works: Trufflehog walks the entire commit history of each branch and checks the diff of every commit for secrets, both by regex and by entropy. For the entropy check, it computes the Shannon entropy, against both the base64 character set and the hexadecimal character set, of every run of text longer than 20 characters drawn from those character sets in each diff. Whenever a high-entropy string longer than 20 characters is detected, it is printed to the screen.
+ Effective at finding secrets accidentally committed
+ Relatively easy to shove into a devops pipeline
+ Custom regexes can be added (things like S3 bucket detection)
+ Open source: we can contribute high-signal regexes upstream that we think will benefit the community
- Searches the entire commit history of each branch. Ideally we want a tool that searches for secrets before we open a PR, so that if secrets do exist, they never make it into git
Could be configured as part of a pre-commit git hook
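As an added illustration of the entropy check described above (example code written for this note, not Trufflehog's own), the scanner below pulls runs of base64 and hexadecimal characters longer than 20 characters out of the added lines of a diff and flags those whose Shannon entropy exceeds a per-alphabet threshold. The thresholds and the sample diff are constructed assumptions, not values from the page.

```python
import math
# Alphabets named in the description above: base64 and hexadecimal.
BASE64_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
HEX_CHARS = "1234567890abcdefABCDEF"
MIN_LEN = 20  # a run must be longer than 20 characters, as the text states
# Per-alphabet thresholds are an assumption for this example; the page gives none.
THRESHOLDS = ((HEX_CHARS, 3.0), (BASE64_CHARS, 4.5))

# Constructed sample diff: two added lines carry example credentials, one is
# harmless prose, and the removed line must be ignored.
SAMPLE_DIFF = """\
--- a/config.py
+++ b/config.py
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+API_TOKEN = "3f9a1c7e8b2d4f6a9c0e1b3d5f7a9c2e4b6d8f0a"
+GREETING = "hello world, nothing secret here"
-OLD_KEY = "deadbeefdeadbeefdeadbeefdeadbeef"
"""

def shannon_entropy(data: str) -> float:
    """Shannon entropy in bits per character of data's symbol distribution."""
    if not data:
        return 0.0
    probs = [data.count(ch) / len(data) for ch in set(data)]
    return -sum(p * math.log2(p) for p in probs)

def candidate_runs(word: str, charset: str):
    """Yield maximal runs of charset characters longer than MIN_LEN."""
    run = []
    for ch in word + " ":  # trailing space flushes the final run
        if ch in charset:
            run.append(ch)
            continue
        if len(run) > MIN_LEN:
            yield "".join(run)
        run = []

def scan_diff(diff_text: str):
    """Return (line number, string, entropy) for high-entropy runs on added lines."""
    findings = []
    for line_no, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # only added content can introduce a new secret
        for word in line[1:].split():
            for charset, threshold in THRESHOLDS:
                for run in candidate_runs(word, charset):
                    entropy = shannon_entropy(run)
                    if entropy > threshold:
                        findings.append((line_no, run, round(entropy, 2)))
    return findings
```

Run `scan_diff(SAMPLE_DIFF)` to see both example credentials reported with their entropy while the prose line and the removed line stay silent; a hex run can never reach the base64 threshold (16 symbols give at most 4 bits), so it is reported once.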
GitHub Enterprise is the on-prem version of GitHub, which we can deploy and manage in our own, secure environment
+ Enterprise-grade security (exclusive to GitHub Enterprise). GitHub Enterprise operates on our infrastructure with our existing information security controls. Security features include:
  - User roles and access levels
  - Orgs and teams
  - Authentication
  - Encrypted communications
  - Audit and access logging
  - VM security
  - Application security
  - Security patching and notifications
  - External services and support access
+ We can host it on our AWS infrastructure
+ Pre-receive hooks
+ 45-day free trial available
+ Benefits of GitHub Enterprise go beyond security
- Cost: $2,500 per 10 users/year. Definitely an investment for the long-term
- Getting some features we don't really need now. Could stay lean with another approach
- Irrelevant for public repos
Making the transition to GitHub Enterprise NOW will save us time in the long run. We would spend considerably less time and resources switching today, as a small team, than we would later, as a much larger team.
Developing an on-prem product requires that we practice and preach enterprise-grade security in-house. GitHub Enterprise provides the enterprise-grade security that we need.
git-secrets prevents you from committing sensitive information to a git repo.
How it works: git-secrets scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repos. If a commit, commit message, or any commit in a --no-ff merge history matches one of your configured prohibited regular expression patterns, then the commit is rejected.
+ Straightforward configuration
+ Verbose. When a secret is found, each matched line will be written with the name of the file that matched, a colon, the line number that matched, a colon, and then the line of text that matched
+ pre-commit, commit-msg, and prepare-commit-msg git hooks come out-of-box
+ Out-of-box support for AWS. Ability to add common AWS patterns to the git config, and ensures that keys present in ~/.aws/credentials are not found in any commit
- Must be sure to test our patterns using ad-hoc calls to git secrets --scan $filename to ensure they are working as intended. Still need to do our due diligence to ensure we do not commit secrets to a repo
- Hooks are not easily shared, as they are not part of the repository that other contributors clone. Each contributor will need to set this up on their own machine, which makes enforcement a more difficult problem
Seems like a good out-of-box solution that requires the least amount of work to set up
Short Term: I propose we take advantage of the out-of-box benefits of git-secrets. The benefits of straightforward configuration, custom regexes, and direct AWS support are just what we need. Although the downsides of ad-hoc testing and enforcement may present some holes moving forward, git-secrets will put us in a better position overall. git-secrets could be added to the recommended githooks section of all of our project repositories.
Long Term: I propose we move our private code over to GitHub Enterprise. The benefits of GitHub Enterprise are endless. Not to mention, it's a good look for a company who is pioneering the enterprise software space. This means it is essential to practice what we preach.
Furthermore, moving to GitHub Enterprise now, as a small company, would use less time and resources than moving later, as a large company.