[Talisman/DevSecOps] Discover the sensitive information in your code.

Posted on By nim No Comments on [Talisman/DevSecOps] Discover the sensitive information in your code.

Chúng ta có 1 bài post.
https://www.theregister.com/2015/01/06/dev_blunder_shows_github_crawling_with_keyslurping_bots/

Git Hooks and Talisman Introduction

HandsOn – Talisman

thực hiện kiểm tra hook trong code dưới laptop.

ls -ltr .git/hooks/

Thực hiện cài đặt Talisman trên máy của bạn

Bạn thấy pre-push sẽ được thê trong hook của git

Bạn có thể setup scankhi commit.

Khi bạn thúc hiện commit thì talisman sẽ scan repo trước khi commit

root@controlplane kubernetes-devops-security on  master [?] is 📦 v0.0.1 via ☕ v11.0.16 ➜  git add .

root@controlplane kubernetes-devops-security on  master [+] is 📦 v0.0.1 via ☕ v11.0.16 ➜  git commit -m "Hoc DevSecOps"
Talisman Scan: 12 / 12 <------------------------------------------------------------------------------------------------------------------------------------------------------------------> 100.00%  

Talisman Report:
+-----------------+------------------------------------------------------+----------+
|      FILE       |                        ERRORS                        | SEVERITY |
+-----------------+------------------------------------------------------+----------+
| public/access   | Expected file to not to contain                      | high     |
|                 | base64 encoded texts such as:                        |          |
|                 | base64encodedsecret=cGFzc3dvcmQtaXMtcXdlcnR5MTI...   |          |
+-----------------+------------------------------------------------------+----------+
| public/access   | Potential secret pattern :                           | low      |
|                 | base64encodedsecret=cGFzc3dvcmQtaXMtcXdlcnR5MTIzCg== |          |
|                 |                                                      |          |
+-----------------+------------------------------------------------------+----------+
| public/access   | Potential secret pattern :                           | low      |
|                 | aws_access_key_id=VYEN23LCJGLTDPMSWQAL               |          |
|                 |                                                      |          |
+-----------------+------------------------------------------------------+----------+
| public/access   | Potential secret pattern :                           | high     |
|                 | aws_access_key_id=                                   |          |
+-----------------+------------------------------------------------------+----------+
| public/info.txt | Potential secret pattern :                           | low      |
|                 | apikey=AizaSyCqhjgrPtr_La56sdUkjfav_laCqhjgrPtr_2s   |          |
|                 |                                                      |          |
+-----------------+------------------------------------------------------+----------+


If you are absolutely sure that you want to ignore the above files from talisman detectors, consider pasting the following format in .talismanrc file in the project root

fileignoreconfig:
- filename: public/access
  checksum: d1ae8eb1f6393e04794a7b2b2eaf827e7d023465a60a1fbf0306957a8c0f59af
- filename: public/info.txt
  checksum: 6243a12e75e189f4e89626324b2234cd4f63c25d3779212145e37c6f1e7a8138
version: ""

Talisman done in 55.523949ms
root@controlplane kubernetes-devops-security on  master [!+] is 📦 v0.0.1 via ☕ v11.0.16 ✖ git add .

root@controlplane kubernetes-devops-security on  master [+] is 📦 v0.0.1 via ☕ v11.0.16 ➜  git commit -m "Hoc DevSecOps v2"
Talisman Scan: 12 / 12 <------------------------------------------------------------------------------------------------------------------------------------------------------------------> 100.00%  

Talisman Report:
+-----------------+----------------------------------------------------+----------+
|      FILE       |                       ERRORS                       | SEVERITY |
+-----------------+----------------------------------------------------+----------+
| public/info.txt | Potential secret pattern :                         | low      |
|                 | apikey=AizaSyCqhjgrPtr_La56sdUkjfav_laCqhjgrPtr_2s |          |
|                 |                                                    |          |
+-----------------+----------------------------------------------------+----------+


If you are absolutely sure that you want to ignore the above files from talisman detectors, consider pasting the following format in .talismanrc file in the project root

fileignoreconfig:
- filename: public/info.txt
  checksum: 6243a12e75e189f4e89626324b2234cd4f63c25d3779212145e37c6f1e7a8138
version: ""

Talisman done in 15.157062ms


Chạy command:
https://praveen-alex-mathew.medium.com/running-talisman-cli-in-the-gitlab-ci-servers-29f15af7b1c7
https://www.digitalocean.com/community/tutorials/python-simplehttpserver-http-server

talisman --scan --ignoreHistory

Run talisman on Github Action.

https://github.com/carhartl/talisman-secrets-scan-action/blob/main/Dockerfile

Run talisman on Docker


docker run -v ${PWD}/path:/mnt/data mrnim94/talisman:v1.31.0-release1 --scan
DevSecOps

More Related Articles

[DevSecOps] Engines for Pentesters DevSecOps
[DevSecOps] What is DevSecOps DevSecOps
[DevSevOps] How to Install OpenVAS DevSecOps
[Security] Find vulnerabilities in your EC2 Linux instance DevSecOps
[Gitleaks/njsscan/semgrep] Secure Your code by CAST and SAST tools CI/CD
[DevSecOps] Use CrowdSec to detect the malicious behaviors in your system. DevSecOps

Leave a Reply

Your email address will not be published. Required fields are marked *