<aside>
⌚ TL;DR: Secret scanning helps us detect leaked secrets in Git commits and repositories.
We use TruffleHog and GitGuardian to identify and resolve any secret leaks across the organization.
</aside>
Overview
We use TruffleHog (open source) and GitGuardian (paid) to scan for secrets in the source code committed to GitHub. We run both tools in combination so that each covers the other's blind spots: TruffleHog ships more than 750 detectors that check whether a matched credential is actually valid, while GitGuardian can also flag high-entropy strings that match no known secret format. We prioritize reducing false negatives (missed secrets) over reducing false positives (noise).
GitGuardian
The GitGuardian adoption proposal document contains most of the important information regarding the pros, cons and comparison with open-source tools.
GitGuardian Alerting
Currently all GitGuardian alerts are routed to the #security-alert Slack channel via a Slack webhook configured in the Integration settings of the GitGuardian dashboard.
GitGuardian Support
For any technical support, write to [email protected]
Incident Playbook
How do I access the GitGuardian application?
- For the security team: access it via the Okta dashboard
- For other teams: reach out to #discuss-security or #ask-it-tech-ops for application access via Okta
How do I handle a GitGuardian incident alert?
- Find the relevant repository and the commit containing the leaked secret from the GitGuardian incident
- Prioritize based on the repository and on whether GitGuardian reports the secret as valid (verified) or unverified; a verified secret is live and comes first
- Contact the commit owner in Slack
- Revoke and rotate the leaked secret (check first that the rotation does not affect customers or production)
- If necessary, declare an incident based on the severity of the token leak
- Remember to close or update the status of the alert in GitGuardian, otherwise it keeps re-posting to the Slack channel
What should I do if GitGuardian misses a secret token leak?
- Find the commit and the token, then reach out to [email protected]; they will triage it and may add it as a custom detector
- Create a ticket and follow up with GitGuardian support on implementing the custom detector
- Meanwhile, you can cover the gap with a regex pattern in the Semgrep scan. Here is the example pull request for adding AWS ARN detection.
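The overview above contrasts format-specific detectors (TruffleHog, or a custom Semgrep regex like the ARN rule mentioned here) with entropy-based detection (GitGuardian), and says we accept more false positives to get fewer false negatives. The script below is an added example, not code from this page, TruffleHog, GitGuardian or Semgrep: it runs both kinds of scanner over a constructed diff and shows which secrets each one finds on its own. The diff lines, the `internal_token` value and the 12-digit account ID are made up; `AKIAIOSFODNN7EXAMPLE` is the placeholder access key ID used in AWS documentation. The regexes are simplified, and no validity check against the provider is performed (that is the part of TruffleHog's detectors that needs network access).

```python
import math
import re
from dataclasses import dataclass

# Format-specific detectors, in the spirit of a TruffleHog detector or a
# custom Semgrep regex rule. The AKIA prefix and the ARN layout
# (arn:partition:service:region:account-id:resource) are public AWS formats;
# the regexes here are deliberately simplified for the example.
PATTERN_DETECTORS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "aws_arn": re.compile(r"\b(arn:aws:[a-z0-9-]+:[a-z0-9-]*:\d{12}:[^\s\"']+)"),
}

# Entropy scanning looks at long runs of base64/hex-like characters and
# flags the ones that look random. It needs no knowledge of the format,
# so it can catch tokens that no detector has a pattern for.
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; tuned low to favour recall


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string s."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass(frozen=True)
class Finding:
    line_no: int
    detector: str
    secret: str


def scan_pattern(lines):
    """Run every format detector over every line."""
    findings = []
    for i, line in enumerate(lines, 1):
        for name, rx in PATTERN_DETECTORS.items():
            for m in rx.finditer(line):
                findings.append(Finding(i, name, m.group(1)))
    return findings


def scan_entropy(lines, threshold=ENTROPY_THRESHOLD):
    """Flag any candidate token whose entropy reaches the threshold."""
    findings = []
    for i, line in enumerate(lines, 1):
        for m in CANDIDATE.finditer(line):
            tok = m.group(0)
            if shannon_entropy(tok) >= threshold:
                findings.append(Finding(i, "high_entropy", tok))
    return findings


def scan(lines):
    """Union of both scanners, keyed by (line, secret) with the detectors that hit."""
    hits = {}
    for f in scan_pattern(lines) + scan_entropy(lines):
        hits.setdefault((f.line_no, f.secret), set()).add(f.detector)
    return {k: sorted(v) for k, v in hits.items()}


# Constructed diff lines for the example (not a real commit).
SAMPLE_DIFF = [
    '+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',          # AWS docs placeholder key
    '+ROLE_ARN = "arn:aws:iam::123456789012:role/deploy"',  # made-up account ID
    '+INTERNAL_TOKEN = "x9Qk2mZp7Lr4Wv8Tn3Hb6Jc1Yf5Ds0Ga"', # made-up token, no known format
    '+# This is just a comment about configuration files',  # nothing to find
]

if __name__ == "__main__":
    for (line_no, secret), detectors in sorted(scan(SAMPLE_DIFF).items()):
        print(f"line {line_no}: {secret!r} found by {', '.join(detectors)}")
```

Run it and the three secrets come out with one detector each: the access key ID is caught only by the pattern (its entropy is about 3.7 bits, under the threshold), the ARN is caught only by the pattern (colons break it into short, low-entropy pieces), and the internal token is caught only by the entropy scan (32 distinct characters, 5 bits per character, but no format a detector knows). Either scanner alone would miss something; that is the coverage argument for running both.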
Developer Playbook
I have received a report or message about a leaked secret or token in a commit. What is the next step?
- Verify the source commit of the leaked secret or token (for example, from the GitGuardian email or the Slack DM from the security team)
- Revoke the token and make sure the security team is aware of it
- Based on the severity of the token, a security team member will triage the incident or close the alert
- Rewriting history does not reliably remove the commit from GitHub (it can remain reachable by its SHA, in forks and in cached views), so push a follow-up commit that replaces the hard-coded value with an environment variable
- To scrub the commit from GitHub itself, reach out to #discuss-security so a support ticket can be opened with GitHub
What if I don't have the privilege to revoke the token?
- Reach out to the person who created the secret in the first place
- If you're not sure whom to contact, ask in #discuss-security for help, or in #ask-tech-ops to identify the admin who can help rotate the key
- Revoking the leaked token is the first priority
Operational Playbook
How do I add new sourcegraph org repositories for secret scanning?
- ✅ They are enrolled, cloned and scanned automatically, because GitGuardian has full access to the sourcegraph GitHub org, including private and public repositories
- This is enabled under Settings > Integration > GitHub: "Automatically scan the git history of every GitHub repository added on GitHub perimeter"
How do I check for failed secret scans and restart the scan for a particular repository?
- Open GitGuardian from Okta and click Perimeter
- Sort the repository list by Health, or filter using Health > At Risk & Unknown
- You should now see the list of failed scan attempts
- Select all the failed repository scans and hit Scan to run the failed scans again