Plundering treasures with Gitrob

Get Secure

Besmirched

As you can see in Figure 3, Gitrob points you to a web interface (running on the local machine on TCP port 9393), which you'll use later. The next command asks Gitrob to traverse the public repos (there should be six). The results with clickable links (Figure 4), which you can see by directing your browser to http://localhost:9393 , report any Findings that needs further investigation.

Figure 4: Gitrob GUI results for the chrisbinnie/DevSecOps repo.

Clicking on the offending .aws/credentials link at the bottom of the GUI displays the AWS credentials file (Figure 5), which looks valid, but isn't. (In this case, it's a dummy test file designed to trigger a result from Gitrob.) The pattern that was flagged as suspicious must have been present in the aforementioned signatures file [5]. Following the Findings link in the Gitrob GUI shows more detail (Figure 6), and even a link to the file.

Figure 5: I'll let you off this time; you're just a test file.

Figure 6: More juicy information from the GUI on the findings, with more options.

The Gitrob CLI also gives good feedback (for CI/CD pipeline integration, among other things). Figure 7 shows Gitrob displaying the nasty finding in detail.

Figure 7: The CLI output detailing the finding.

The End Is Nigh

As I'm sure you will appreciate, Gitrob provides extremely valuable functionality. Human mistakes, such as typos and a lack of understanding, are common in all facets of computing, and an attacker is always ready to take advantage where value or one-upmanship exists.

Scheduling Gitrob to run periodically on a serverless technology like AWS Lambda [10] to check your repositories periodically would be a very wise move. As you develop and mature the signatures, strings, and filters you are validating with Gitrob, and potentially with other tools or your own scripts, you won't have any excuse to miss the accidental typos or faulty design decisions.

Infos