1
1

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?

More than 1 year has passed since last update.

全てのリポジトリを一括 git-secrets したい

Posted at

課題

git-secrets でクレデンシャルがリポジトリにコミットされていないか確認したいけど、リポジトリが多過ぎて全部チェックするのは... という方向けの記事です。

解決

git-secrets はこちら。
https://github.com/awslabs/git-secrets

一覧取得はgithub公式のghコマンドを利用します。
https://github.com/cli/cli

コード

#!/bin/sh

ACCOUNT_ID=example
LIST_LIMIT=100

for repo in `gh repo list ${ACCOUNT_ID} --limit ${LIST_LIMIT} | awk '{print $1}' | awk -F/ '{print $2}'`
do
  echo "### ${repo}"
  rm -rf ${repo}
  # ダウンロード状況は一時ログへ
  git clone https://github.com/${ACCOUNT_ID}/${repo}.git > ./git.log 2>&1
  cd ${repo}
  echo "# scan/ #"
  git secrets --scan
  echo "# /scan #"
  rm -rf ${repo}
done

結果

### repository-a
# scan/ #
# /scan #
### repository-b
# scan/ #
path/to/example.yml:39:      HOGE_SECRETS: AKI*************

[ERROR] Matched one or more prohibited patterns

Possible mitigations:
- Mark false positives as allowed using: git config --add secrets.allowed ...
- Mark false positives as allowed by adding regular expressions to .gitallowed at repository's root directory
- List your configured patterns: git config --get-all secrets.patterns
- List your configured allowed patterns: git config --get-all secrets.allowed
- List your configured allowed patterns in .gitallowed at repository's root directory
- Use --no-verify if this is a one-time false positive
# /scan #

準備

git-secrets

導入

# 未導入の場合
% yum install git -y

% git clone https://github.com/awslabs/git-secrets.git
cd git-secrets
PREFIX=/usr make install

# git secrets を実行して usage が出ればひとまずOK
% git secrets
usage: git secrets --scan [-r|--recursive] [--cached] [--no-index] [--untracked] [<files>...]
   or: git secrets --scan-history
   or: git secrets --install [-f|--force] [<target-directory>]
...

設定

# 個々のリポジトリに展開するよりも実行ユーザーに設定
% git secrets --register-aws --global

# ルールを確認
% git secrets --list --global
secrets.providers git secrets --aws-provider
secrets.patterns (A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}
secrets.patterns ("|')?(AWS|aws|Aws)?_?(SECRET|secret|Secret)?_?(ACCESS|access|Access)?_?(KEY|key|Key)("|')?\s*(:|=>|=)\s*("|')?[A-Za-z0-9/\+=]{40}("|')?
secrets.patterns ("|')?(AWS|aws|Aws)?_?(ACCOUNT|account|Account)_?(ID|id|Id)?("|')?\s*(:|=>|=)\s*("|')?[0-9]{4}\-?[0-9]{4}\-?[0-9]{4}("|')?
secrets.allowed AKIAIOSFODNN7EXAMPLE
secrets.allowed wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

# ※--add 以外にルールを変更したい場合は~/.gitconfig を直接編集してもOK
% cat ~/.gitconfig
...
[secrets]
        providers = git secrets --aws-provider
        patterns = (A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}
        patterns = (\"|')?(AWS|aws|Aws)?_?(SECRET|secret|Secret)?_?(ACCESS|access|Access)?_?(KEY|key|Key)(\"|')?\\s*(:|=>|=)\\s*(\"|')?[A-Za-z0-9/\\+=]{40}(\"|')?
        patterns = (\"|')?(AWS|aws|Aws)?_?(ACCOUNT|account|Account)_?(ID|id|Id)?(\"|')?\\s*(:|=>|=)\\s*(\"|')?[0-9]{4}\\-?[0-9]{4}\\-?[0-9]{4}(\"|')?
        allowed = AKIAIOSFODNN7EXAMPLE
        allowed = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

gh on AmazonLinux2

導入

# https://github.com/cli/cli/releases/latest で最新版を確認
% yum install https://github.com/cli/cli/releases/download/v2.11.3/gh_2.11.3_linux_amd64.rpm -y

% gh --version
gh version 2.11.3 (2022-05-25)
https://github.com/cli/cli/releases/tag/v2.11.3

設定

% gh auth login
# ブラウザで連携しても、トークンで認証してもOK

一言

git-secret というパッケージがあるので間違えると混乱します。

1
1
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
1
1

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?