Performing a Source Code Security Scan Using git-secrets in AWS

Hands-On Lab



Mark Richman

AWS Training Architect II in Content

Length

00:30:00

Difficulty

Intermediate

As a security analyst working with AWS, you may be called upon to audit a source code repository for committed secrets. In this live AWS environment, you will work with the open source git-secrets utility from awslabs to analyze a GitHub repository for code that contains an AWS credential. By the end of this learning activity, we will have connected to an EC2 instance, installed Git and git-secrets, cloned a GitHub repository, and scanned that source code using git-secrets to identify a leaked secret access key for remediation.

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.

Introduction

As a security analyst working with AWS, you may be called upon to audit a source code repository for committed secrets. In this lab, we will use the open source git-secrets utility to analyze a GitHub repository for a hard-coded AWS credential.

Log in as the cloud_user with the credentials provided on the lab instructions page.

ssh cloud_user@<PUBLIC_IP>

You'll see a message that asks, "Are you sure you want to continue connecting (yes/no)?" Type yes, then enter your password.

We are now logged in to our EC2 instance.

Installing and Using git-secrets

First, we need to install Git. Run the following command:

sudo yum install git -y

Enter your password if sudo prompts for it.

Next, we need to clone our GitHub repository. Run the following command:

git clone https://github.com/linuxacademy/la-aws-security_specialty.git

Now we need to install git-secrets. Clone its repository and run the Makefile, then run git secrets with no arguments: it prints the usage text, which confirms the subcommand was installed on the PATH.

git clone https://github.com/awslabs/git-secrets.git
cd git-secrets
sudo make install
git secrets

Then, switch back to the home directory.

cd ..

Now let's open the repository that contains the source code with the known hard-coded credential. Change to the repository directory.

cd la-aws-security_specialty
cd git_secrets_activity

Then, view the contents of the directory.

ls

We'll see a shell script called example.sh. This is where the credential is. Before we scan the repository, git-secrets needs to know which patterns count as secrets; a fresh clone has none configured.

Register the AWS rule set.

git secrets --register-aws

This adds the AWS patterns to the repository's git config: the access key ID format (AKIA and related prefixes followed by 16 characters), a secret access key assignment (a key-like name, an = or :, then a 40-character value), and an AWS account ID, together with allowed entries for the placeholder keys used in AWS documentation so they are not reported. Registering patterns does not install the Git hooks; that is a separate step, git secrets --install, which is only needed if you want commits blocked automatically, not for a one-off scan of an existing tree. Next, scan the repository.

git secrets --scan

You should see output similar to the following:

example.sh:4:AWS_SECRET_ACCESS_KEY = Z3ofnVlFTH9DFmulF3uDO7BCDxGYD4nIG92oeymX

[ERROR] Matched one or more prohibited patterns

Possible mitigations:
- Mark false positives as allowed using: git config --add secrets.allowed ...
- Mark false positives as allowed by adding regular expressions to .gitallowed at repository's root directory
- List your configured patterns: git config --get-all secrets.patterns
- List your configured allowed patterns: git config --get-all secrets.allowed
- List your configured allowed patterns in .gitallowed at repository's root directory
- Use --no-verify if this is a one-time false positive

The error message tells us that git-secrets matched a prohibited pattern: a secret access key committed in example.sh at line 4. A credential that has been committed must be treated as compromised, so remediation means deactivating and rotating the key in IAM as well as removing it from the code, and we can now use this output to report the finding to our team. Two practical notes: git-secrets exits non-zero on a match, so the same command can gate a CI job, and --scan only checks the current tree; git secrets --scan-history walks every commit, which matters because a key deleted in a later commit is still recoverable from the repository history.
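The registration-and-scan steps above, redone with plain grep as an added example that is not code from the lab or from the git-secrets project: it re-creates the three prohibited patterns and two allow-list entries that --register-aws configures (my transcription of them, an assumption to check against git config --get-all secrets.patterns on your own install), scans a constructed stand-in for example.sh, and returns the non-zero status that makes the scan usable as a CI gate. The sample file, its made-up key pair, and the scan_file, secret_hit_count and make_sample helper names are all constructed for this example.

```shell
#!/bin/sh
# Added example (not the lab's code and not git-secrets itself): a plain-grep re-creation of
# what `git secrets --register-aws` followed by `git secrets --scan` checks, so the logic can
# be read and run offline. The patterns and allow-list entries below are my transcription of
# the ones git-secrets registers; treat them as an assumption and compare with your installed
# copy (git config --get-all secrets.patterns) before relying on them.

# Access key ID: a known prefix followed by 16 upper-case alphanumerics.
AWS_KEY_ID_PATTERN='(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'
# Optional surrounding quote, reused in the two assignment patterns.
Q="(\"|')?"
# Secret access key assignment: a key-like name, then = or : or =>, then a 40-character value.
AWS_SECRET_PATTERN="${Q}(AWS|aws|Aws)?_?(SECRET|secret|Secret)?_?(ACCESS|access|Access)?_?(KEY|key|Key)${Q}[[:space:]]*(:|=>|=)[[:space:]]*${Q}[A-Za-z0-9/+=]{40}${Q}"
# Account ID assignment: 12 digits, optionally dash-separated in groups of four.
AWS_ACCOUNT_PATTERN="${Q}(AWS|aws|Aws)?_?(ACCOUNT|account|Account)_?(ID|id|Id)?${Q}[[:space:]]*(:|=>|=)[[:space:]]*${Q}[0-9]{4}-?[0-9]{4}-?[0-9]{4}${Q}"
# Allow-list: the placeholder key pair used throughout AWS documentation is not a finding.
AWS_ALLOWED_1='AKIAIOSFODNN7EXAMPLE'
AWS_ALLOWED_2='wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'

# scan_file FILE: print file:line:content for every prohibited match that is not covered by
# an allowed pattern, and return 1 if anything was printed (0 means clean), mirroring the
# exit status git-secrets uses so the scan can gate a CI job.
scan_file() {
  _hits=$(grep -nwHE -e "$AWS_KEY_ID_PATTERN" -e "$AWS_SECRET_PATTERN" \
                     -e "$AWS_ACCOUNT_PATTERN" "$1" 2>/dev/null \
          | grep -vE -e "$AWS_ALLOWED_1" -e "$AWS_ALLOWED_2")
  [ -z "$_hits" ] && return 0
  printf '%s\n' "$_hits"
  return 1
}

# secret_hit_count FILE: number of offending lines (always exits 0 so it is easy to assert on).
secret_hit_count() {
  scan_file "$1" | awk 'END { print NR }'
}

# make_sample FILE: write a constructed stand-in for the lab's example.sh. The first key pair
# is made up to look real; the second is the AWS documentation placeholder and must be ignored.
make_sample() {
  cat > "$1" <<'EOF'
#!/bin/bash
# constructed sample, not the lab repository
AWS_ACCESS_KEY_ID = AKIA2E0A8F3B244C9986
AWS_SECRET_ACCESS_KEY = Z3ofnVlFTH9DFmulF3uDO7BCDxGYD4nIG92oeymX
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
echo done
EOF
}

# Stand-alone run: scan the constructed sample and report the way `git secrets --scan` does.
sample=$(mktemp)
make_sample "$sample"
if scan_file "$sample"; then
  echo "no prohibited patterns found"
else
  echo "[ERROR] Matched one or more prohibited patterns"
fi
rm -f "$sample"
```

Run it with sh. The allow filter is the same idea as the .gitallowed and secrets.allowed mitigations listed in the scan output above: a line that matches a prohibited pattern is dropped only if it also matches an allowed one, so the documentation placeholder pair on lines 5 and 6 of the sample is not reported while the made-up key pair on lines 3 and 4 is, and the function returns 1 for exactly those two lines.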

Conclusion

Congratulations, you've successfully completed this lab!