From 32e2d37dd347d9ad519c973af7334587f51e20d6 Mon Sep 17 00:00:00 2001 From: Klagarge Date: Tue, 15 Apr 2025 21:36:31 +0200 Subject: [PATCH 1/5] feat(ci): add Gitleaks job for secret scanning Signed-off-by: Klagarge --- .gitlab-ci.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index b0acd34..ebb33f1 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -96,4 +96,12 @@ dast: script: - echo "Waiting for the app to start on http://app:5000" - timeout 60 bash -c 'until curl -s http://app:5000; do echo "Waiting..."; sleep 3; done' - - zap-full-scan.py -t http://app:5000 -I \ No newline at end of file + - zap-full-scan.py -t http://app:5000 -I + +gitleaks: + stage: test + image: + name: zricethezav/gitleaks:latest + entrypoint: [""] + script: + - gitleaks dir -v --redact=75 . From f6610ba524760ad24c4b49d63c48ed363340947c Mon Sep 17 00:00:00 2001 From: Klagarge Date: Tue, 15 Apr 2025 21:38:06 +0200 Subject: [PATCH 2/5] feat(pre-commit): add Gitleaks hook for secret scanning Signed-off-by: Klagarge --- .pre-commit-config.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index b82f251..508cc25 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -12,6 +12,11 @@ repos: - id: pip-audit args: ["./src"] + - repo: https://github.com/gitleaks/gitleaks + rev: v8.24.2 + hooks: + - id: gitleaks + ci: # Leave pip-audit to only run locally and not in CI # pre-commit.ci does not allow network calls From 6c56c4cf3b6652cb1541450b45e71fa4a9704fe3 Mon Sep 17 00:00:00 2001 From: Klagarge Date: Tue, 15 Apr 2025 22:00:26 +0200 Subject: [PATCH 3/5] refactor(ci): merge some jobs on same stage Signed-off-by: Klagarge --- .gitlab-ci.yml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index ebb33f1..636b54f 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
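Review bot: `gitleaks dir -v --redact=75 .` on the last added line scans only the checked-out working tree, so a secret committed in an earlier revision and since removed is never examined and the job does not answer Q4.1's "what can you find in the git repo"; the Q4.1 answer in the fourth patch blames the missed Flask key on its format, but if that key is no longer in the tree, `dir` would not see it whatever its format. History is covered by `gitleaks git -v --redact=75 .`, and if the runner fetches a shallow clone the job also needs `GIT_DEPTH: 0` under `variables:` so the whole history is present. The image tag `zricethezav/gitleaks:latest` is mutable, so the rule set and binary change under the pipeline without a commit; pin it to the release the pre-commit hook uses, e.g. `name: zricethezav/gitleaks:v8.24.2`, and bump both together.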
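Review bot: The new `- repo: https://github.com/gitleaks/gitleaks` entry has no comment stating its scope: the hook's default entry inspects the staged changes of the commit being made, it only runs for contributors who installed pre-commit, and `git commit --no-verify` bypasses it, so it is an early-warning check and the CI gitleaks job stays the enforced one. A comment above the entry such as `# Client-side early warning only (staged changes, skippable); the CI gitleaks job is the authoritative scan.` records that for the next reader. The `ci:` block below explains why pip-audit is skipped on pre-commit.ci; whether this hook is expected to run there or be skipped in the same way is worth stating in that block too.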
@@ -6,11 +6,9 @@ default: image: $DOCKER_IMAGE_TEST stages: - - build-docker-test - - build-docker-app + - build-docker - lint - test - - dast .setup_env: &setup_env before_script: @@ -59,7 +57,7 @@ pages: # This job runs only when Dockerfile changes docker-build-test: image: docker:latest - stage: build-docker-test + stage: build-docker services: - docker:dind script: @@ -76,7 +74,7 @@ docker-build-test: docker-build-app: image: docker:latest - stage: build-docker-app + stage: build-docker services: - docker:dind script: @@ -88,7 +86,7 @@ include: - template: Jobs/SAST.gitlab-ci.yml dast: - stage: dast + stage: test image: ghcr.io/zaproxy/zaproxy:stable services: - name: $DOCKER_IMAGE_APP From 2d592123d1405dbade28016b054ef6e9af3d4dda Mon Sep 17 00:00:00 2001 From: Klagarge Date: Tue, 15 Apr 2025 22:01:01 +0200 Subject: [PATCH 4/5] docs: add answers for questions 4.1 Signed-off-by: Klagarge --- docs/questions-part4.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs/questions-part4.md b/docs/questions-part4.md index 2411829..7cfd8ab 100644 --- a/docs/questions-part4.md +++ b/docs/questions-part4.md 
@@ -5,3 +5,12 @@
 - **Q4.1**: Often secrets are committed in a repository. Different research tools exist and help to detect this kind of dangerous forgotten credentials. Integrate a check in your pipeline for these kinds of problems. Have a look at . What kind of leaked secrets can you find in the git repo? Did the tool not find something that it should have found? Why? What possibilities exist to prevent this kind of leakage?
 - **Q4.2**: Try to find any possible problems in our used libraries (e.g. flask). The `pyproject.toml` describes all the additional libraries used by the application. You can use a dependency scanning (have a look here: ) to see if all imported libraries are safe. Do you find any problems? Integrate the scanning in your pipeline.
 - **Q4.3 (optional)**: API Fuzzing (and other kinds of DAST) is described at this page: . Choose one of the different description possibilities for your *calculator* API. Integrate it in your pipeline.
+
+
+# Answers - Part 4
+## Q4.1
+GitLeaks can find strings like API keys, passwords, and other sensitive information that might be accidentally committed to a repository. This tool can only recognize them if they look like sensitive information.
+
+The scan of the git repository didn't detect the previous flask key because it was not in the format that GitLeaks recognizes.
+
+Usually, the best practice is to use environment variables to store sensitive information. This way, the information is not exposed in the code.
From d7969fed3d18fd20d0a051bfcd8faf93358e4539 Mon Sep 17 00:00:00 2001
From: Klagarge
Date: Tue, 15 Apr 2025 22:07:39 +0200
Subject: [PATCH 5/5] docs: add answers for questions 4.2
Copy answer from issue discussion to the right place
Refs: #19
Signed-off-by: Alec Schmidt
---
 docs/questions-part4.md | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/docs/questions-part4.md b/docs/questions-part4.md
index 7cfd8ab..be8bd71 100644
--- a/docs/questions-part4.md
+++ b/docs/questions-part4.md
@@ -14,3 +14,13 @@ GitLeaks can find strings like API keys, passwords, and other sensitive informat The scan of the git repository didn't detect the previous flask key because it was not in the format that GitLeaks recognizes. Usually, the best practice is to use environment variables to store sensitive information. This way, the information is not exposed in the code. + +## Q4.2 +The Dependency scanning tool from GitLab linked by the teacher in the exercise cannot be used as it is limited to Gitlab Ultimate. I am looking into using an open-source solution + +After using three different scanning tools, no known vulnerabilities were found. + +Tools used : +- pyscan +- safety +- pip-audit