How to Prevent Secrets in Source Code with Inspecode

In the last couple of years, several articles have described incidents in which malicious individuals stole API keys committed to public source code repositories such as GitHub and Bitbucket. These individuals typically misuse the service to run computing jobs for their own profit, and as a result the victims often receive bills of up to several thousand dollars.

To avoid this problem, people often rely on tools such as git-secrets. Once installed, the tool scans each commit to prevent you from adding secrets to your repositories. While useful, git-secrets has an important downside: it has to be installed and set up individually on each developer’s machine. Also, several GUI-based git clients do not pick up its configuration by default, so to make it work one has to configure both git-secrets and the GUI client. With large teams, the chance of misconfiguration increases.

CI-compliant alternative: Inspecode grep

Fortunately, we’ve got you covered. Inspecode grep is a better alternative: it makes your CI build fail each time a regular expression pattern indicates that the source code contains authentication information.

Let’s see how to configure and use it, taking AWS keys as the example. To detect such keys in source code, add the following settings to your rocro.yml file:

inspecode:
  grep:
  - options:
      --extended-regexp:
      -I:
      --regexp:
        - AKIA[A-Z0-9]{16}
        - ("|')?(AWS|aws|Aws)?_?(SECRET|secret|Secret)?_?(ACCESS|access|Access)?_?(KEY|key|Key)("|')?\s*(:|=>|=)\s*("|')?[A-Za-z0-9/\+=]{40}("|')?
      --word-regexp:
    thresholds:
      num-issues: 0

These regexp patterns and grep options are based on the ones used in git-secrets. You can customize both the patterns and the options; see our help page.

To test that it is configured properly, commit and push a file with the following content:

#!/bin/sh
aws_key="AKIAAKIAAKIAAKIAAKIA"
echo "${aws_key}"
aws_secret_key="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
echo "${aws_secret_key}"

Now execute the CI job. If everything works as expected, the keys are detected and the job fails:

(Screenshot, 2018-05-18: the CI job reporting the detected keys and failing.)

What if the secret key for testing is reported as an issue?

When testing, the code used for that purpose may match the specified pattern even though it is not a valid key. So, even if Inspecode grep reports it as an issue, it should be considered a false positive.

To handle this scenario, Inspecode lets you specify a threshold through the num-issues parameter in rocro.yml. In the example above, the value is set to 0, which means that a single match makes the job fail. To get past a false positive, increment num-issues when a job fails because of one. Keep in mind that every increment also lets one more genuine match through, so the threshold should stay as low as your test code allows.
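As an added example (not Inspecode’s own code and not from the original post), the following shell script reproduces the rocro.yml check above with plain grep, using the same patterns and options, and then shows how the num-issues threshold decides whether the test file from the post would fail the job. It assumes GNU grep (for the \s escape) and a POSIX shell; the sample file is constructed inline.

```sh
#!/bin/sh
# Added example, not Inspecode's code: reproduce the rocro.yml check locally
# with plain grep, using the same patterns, options and num-issues threshold.

# Patterns from the rocro.yml above (originally from git-secrets).
AKID_RE='AKIA[A-Z0-9]{16}'
SECRET_RE="(\"|')?(AWS|aws|Aws)?_?(SECRET|secret|Secret)?_?(ACCESS|access|Access)?_?(KEY|key|Key)(\"|')?\s*(:|=>|=)\s*(\"|')?[A-Za-z0-9/\+=]{40}(\"|')?"

# count_secret_issues FILE...: number of matching lines, i.e. the issue count
# the grep check reports. -E, -I and -w mirror --extended-regexp, -I and
# --word-regexp; -h drops file names so each issue is exactly one output line.
count_secret_issues() {
    grep -E -I -w -h -e "$AKID_RE" -e "$SECRET_RE" "$@" 2>/dev/null | wc -l | tr -d ' '
}

# check_threshold NUM_ISSUES FILE...: the job passes (exit 0) only while the
# issue count stays at or below the threshold, as with thresholds.num-issues.
check_threshold() {
    threshold=$1
    shift
    [ "$(count_secret_issues "$@")" -le "$threshold" ]
}

# Constructed sample: the same test file as in the post. Neither value is a
# real credential; the 40 X's are exactly the false-positive case above.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
#!/bin/sh
aws_key="AKIAAKIAAKIAAKIAAKIA"
echo "${aws_key}"
aws_secret_key="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
echo "${aws_secret_key}"
EOF

echo "issues found: $(count_secret_issues "$SAMPLE")"   # 2
for t in 0 2; do
    if check_threshold "$t" "$SAMPLE"; then
        echo "num-issues: $t -> job passes"
    else
        echo "num-issues: $t -> job fails"
    fi
done
```

With num-issues 0 the two matches fail the job, as in the screenshot; raising it to 2 lets this particular test file through, and any further real key pushes the count back over the threshold.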

Conclusion

Individual solutions aimed at protecting developers from secret-key leaks have important limitations, which become more prevalent when many developers work together. The method presented in this blog post uses Inspecode’s grep and brings an important advantage: it does not depend on individual development environments. You configure it once and the same settings apply to the whole team. It is robust, easy, and especially effective for large teams of developers.