Lead Image © pip, photocase.com
Plundering treasures with Gitrob
Get Secure
Hidden in the not-so-dark depths of many software repositories lurks a server estate's potential downfall. Before more refined processes are learned and adopted, newcomers to the art of using DevOps tools find themselves facing the easier route of storing secret keys and passwords in software repos for convenience.
Even for supposedly mature estates, with many sets of eyes working on security and feature development, it's not uncommon to find legacy access keys buried deep within code that are still valid and represent a security risk to an organization.
In this article, I look at a powerful tool built specifically to automate the search for precious credentials, Gitrob [1], which sifts through potentially hundreds of thousands of lines of code to find passwords, secret keys, tokens, and anything vaguely resembling authentication credentials.
The Gitrob README file talks about being able to "help find potentially sensitive files pushed to public repositories on GitHub." Of course, it's also bad practice to store credentials in private repos, because with an accidental flick of a switch, it's all too easy to make a repo public. I'll explore how to use Gitrob with minimal permissions on public repos to sort the wheat from the chaff within GitHub. Because Gitrob is open source software, you can fork it and tweak it further for your own needs.
Other Tools
A few other popular tools behave slightly differently from Gitrob. For example, git-secrets [2] is an Amazon Web Services (AWS)-specific tool you can find on GitHub. You can usually integrate these types of tools into your continuous integration/continuous development (CI/CD) pipeline tests with relative ease. The AWS tool describes its purpose neatly and succinctly as preventing "you from
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
US / Canada
UK / Australia
Related content
-
A GitOps continuous delivery tool for Kubernetes
Argo CD uses Git repositories as the source of truth for defining a desired application state and automates the deployment in target environments. -
CI/CD deliverables pipeline
Build a continuous integration pipeline by linking Git, Jenkins, Docker, and GitHub into a build chain that can be flexibly extended and modified. -
Credential management with HashiCorp Vault
Admin teams can use secret sharing to centrally manage shared access to user accounts and services. HashiCorp Vault is one of the few tools that has proven effective when it comes to implementing this solution. Here's how to use this open source tool and keep important credentials safe. -
Efficient password management in distributed teams
Team members often need certain information to authenticate against servers. You don't want to save this secret data in plain text, but you don't want to retype it every time, either. How can you share these secrets? - GitHub Accounts Stolen