Wednesday, May 23, 2018

CI Tip: block insecure changes to your source code

As a dev or devops person, it's pretty easy to accidentally expose AWS or other secrets by putting them into "temporary" code or environment files. Once a secret appears in version control, it should no longer be trusted; go ahead and rotate the key.

Here's how to write a checker so that secrets won't make it into source code! This is perfect for a Git commit hook. The important feature to use is Perl-style regular expressions, which allow you to say "match this exactly N times". Also, the "-w" flag to Ack restricts matches to whole words. Thus, if something is a word, and exactly some number of characters long, we flag it.

Example:

$ echo 'I love gin' | ack -w '[a-z]{3}'
I love gin

This example finds words of exactly three letters. The word "gin" is found, as it's exactly three characters. The second word "love" is not flagged, even though it has three-letter runs inside it, because we added the "-w" flag to only find whole words. "gin" has a word boundary on either side (a space before it and the end of the line after it), so it's a word, and we match it.

To catch AWS keys, search for "words" of exactly 20 characters, uppercase letters and numbers only:

$ ack -lw '[0-9A-Z]{20}'
env-sales
web-services/src/config/configResolver.ts
.env

Ah: two local environment files have AWS keys, which is okay. These are not checked in to Git. However, a key snuck into another file, in source code! Now that Ack alerted me to a mislaid key, I can go fix it and make our system more secure. Win!
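The post says this check is perfect for a Git commit hook. The pre-commit hook below is an added example, not the author's code. It assumes `grep -w -E` as a stand-in for `ack -w` so the hook needs no extra tool, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: pre-commit hook built on the post's pattern.
# Install as .git/hooks/pre-commit and make it executable.
# Assumption: `grep -w -E` stands in for `ack -w`; function names are
# made up for this example.

KEY_PATTERN='[0-9A-Z]{20}'   # pattern from the post

# Read text on stdin and print the line numbers that hold a key-like word.
# Only line numbers are printed, so the secret is not echoed into logs.
# -I skips binary content.
key_like_lines() {
    LC_ALL=C grep -n -I -w -E -e "$KEY_PATTERN" | cut -d: -f1
}

# Check the staged copy (git show :path) of each added, copied or
# modified file, so the scan sees exactly what would be committed.
scan_staged() {
    git diff --cached --name-only --diff-filter=ACM |
    while IFS= read -r path; do
        git show ":$path" | key_like_lines |
        while IFS= read -r line; do
            printf '%s:%s\n' "$path" "$line"
        done
    done
}

# Fail the commit when anything is flagged.
run_hook() {
    hits=$(scan_staged)
    if [ -n "$hits" ]; then
        echo "Commit blocked, possible key at:" >&2
        printf '%s\n' "$hits" >&2
        return 1
    fi
    return 0
}

# Run only when installed as the hook; otherwise just define the functions.
case "$0" in
    */pre-commit) run_hook || exit 1 ;;
esac
```

Because the hook reads the index, files like the untracked `.env` above are never scanned, and a flagged line can still be committed deliberately with `git commit --no-verify`.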

