[DevSecOps] Remove the secrets on Git.

Posted on By nim No Comments on [DevSecOps] Remove the secrets on Git.

1) Look into the circumstance!

Khi mình scan thì thấy là có secret github

Mặc dù người dụng đã có gắng delete file nhưng secret vẫn được lưu trong commit.

2) Clear All secrets at anywhere.

2.1) Using BFG Repo-Cleaner to clear all secret

https://rtyley.github.io/bfg-repo-cleaner/

Để sử dụng BFG Repo-Cleaner bạn cần cài đặt java.

sudo apt install default-jdk
wget https://repo1.maven.org/maven2/com/madgag/bfg/1.14.0/bfg-1.14.0.jar

Tiếp đến bạn git clone repo với option 

git clone --mirror https://github.com/mrnim94/devsecops-laboratory.git

2.1.1) Delete files that contain secrets

Ở đây mình thực hiện delete file variable.

root@work-space-u20:~/github# java -jar bfg.jar --delete-files variables.tf devsecops-laboratory.git

Using repo : /root/github/devsecops-laboratory.git

Found 4 objects to protect
Found 5 commit-pointing refs : HEAD, refs/heads/master, refs/heads/renovate/configure, ...

Protected commits
-----------------

These are your protected commits, and so their contents will NOT be altered:

 * commit 7a3464f6 (protected by 'HEAD')

Cleaning
--------

Found 11 commits
Cleaning commits:       100% (11/11)
Cleaning commits completed in 95 ms.

Updating 4 Refs
---------------

        Ref                             Before     After   
        ---------------------------------------------------
        refs/heads/master             | 7a3464f6 | df965e7d
        refs/heads/renovate/configure | db056480 | a58e2e52
        refs/pull/1/head              | db056480 | a58e2e52
        refs/pull/1/merge             | 61fcce9d | f15715f6

Updating references:    100% (4/4)
...Ref update completed in 28 ms.

Commit Tree-Dirt History
------------------------

        Earliest      Latest
        |                  |
        . D D D DD D D D D m

        D = dirty commits (file tree fixed)
        m = modified commits (commit message or parents changed)
        . = clean commits (no changes to file tree)

                                Before     After   
        -------------------------------------------
        First modified commit | 1ebdfa0c | 6cdb5ce2
        Last dirty commit     | 65a05f45 | 6caa2f08

Deleted files
-------------

        Filename       Git id                              
        ---------------------------------------------------
        variables.tf | f47d61c7 (182 B ), e69a0f03 (176 B )


In total, 18 object ids were changed. Full details are logged here:

        /root/github/devsecops-laboratory.git.bfg-report/2023-06-18/08-19-11

BFG run is complete! When ready, run: git reflog expire --expire=now --all && git gc --prune=now --aggressive
>>>>>>>>>>>>>>>>>>>>

cd devsecops-laboratory.git
git reflog expire --expire=now --all && git gc --prune=now --aggressive
git push --force

Nếu bạn có thấy lỗi trên thì cũng không sao cả.

trở lại với github bạn sẽ thấy điều lạ là không có commit nào mới cả

DevSecOps

More Related Articles

[Trivy] Protect your application by Trivy DevSecOps
[DefectDojo] Vulnerability Management and Remediation by DefectDojo DevSecOps
[Talisman/DevSecOps] Discover the sensitive information in your code. DevSecOps
[Vulnerability] CVE-2024-6387 – Critical vulnerability in OpenSSH DevSecOps
[OPA Conftest] general-purpose policy engine DevSecOps
How do companies ship code to production? Coding

Leave a Reply

Your email address will not be published. Required fields are marked *