How to get started with Talisman in 4 simple steps.

Updated: Apr 25

Looking for the best way to lock down your sensitive info? Talisman is a tool that installs a hook into your repository to ensure that potential secrets or sensitive information do not leave the developer's workstation.
At the starting point of our DevSecOps pipeline there are developers, and developers are human. With this in mind, we must take care of our secrets. There are plenty of cases where sensitive information has been accidentally pushed to an SCM; take a look at this sad story to get an idea of how badly a situation like that can go.

Here is where tools like Talisman become helpful.
It validates the outgoing changeset for things that look suspicious, such as potential SSH keys, authorization tokens, private keys, etc. Better yet, Talisman can also be used as a repository history scanner to detect secrets that have already been checked in, so you can make an informed decision about how to safeguard them. Let's take a look at how to get started.

Step # 1: Install Talisman

In the following demo we're going to configure Talisman for a single project, so we proceed with the installation.

# Download the talisman installer script

curl https://thoughtworks.github.io/talisman/install.sh > ~/install-talisman.sh

chmod +x ~/install-talisman.sh

Step # 2: Choose which script to execute

This depends on our needs: a pre-push hook or a pre-commit hook. (For this example we chose pre-push.)

# Install to our project

cd teratip-talisman/

# as a pre-push hook

~/install-talisman.sh

# or as a pre-commit hook

~/install-talisman.sh pre-commit

Step # 3: Start the simulation

Now, we’re going to simulate a sensitive information leak.

# Make a directory and generate some random data simulating sensitive info

mkdir sec-files && cd sec-files

echo "username=teracloud-user" > username

echo "password=teracloud-password" > password.txt

echo "apiKey=aPPs32988sab21SA1221vdsXeTYY_243" > ultrasecret

echo "base64encodedsecret=aPPs32988sss67SA1229vdsXeTXY_27777==" > secret

Step # 4: Deploy the changes and push

Alright! We have some sensitive data in our repository; now let's commit the changes and push!

Oops! Something went wrong! (or not!)

Talisman scans our code before pushing, and this is the result: the push failed.

You can also ignore these findings if you decide that is best. Just create a .talismanrc file as shown in the output of our latest command (git push).

# Ignore a secret to allow the push into the remote repository

vi .talismanrc

# Paste the entry for the file that the Talisman scan will ignore, then push to the repo

fileignoreconfig:

- filename: sec-files/password.txt

  checksum: 742a431b06d8697dc1078e7102b4e2663a6fababe02bbf79b6a9eb8f615529cb
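To make the two mechanisms above concrete, here is an added example (not Talisman's own code, and not from the original post): a small shell script that runs the kind of checks a pre-push hook performs over a constructed copy of the sec-files tree (credential keywords, a PEM private-key header, and long base64-looking strings as a crude stand-in for an entropy check), then emits a fileignoreconfig entry and shows that the entry stops applying once the pinned file changes. The sample files, the pattern list and the helper names (scan_file, scan_tree, talismanrc_entry, ignore_still_valid) are all assumptions of this example; it also assumes the checksum is the plain SHA-256 of the file contents, which should be confirmed against `talisman --checksum=<file>` before a value is copied into .talismanrc.

```shell
#!/usr/bin/env bash
# Added example, not Talisman's own code. Part 1 mimics the checks a pre-push
# secret scanner runs, over constructed sample files. Part 2 shows how a
# .talismanrc fileignoreconfig entry pins an ignore to a file checksum, so the
# ignore stops applying once the file changes.
# Assumption: the checksum is the plain SHA-256 of the file contents; confirm
# with `talisman --checksum=<file>` before copying a value into .talismanrc.
set -u

# Patterns treated as suspicious (assumed list, not Talisman's detectors): a
# key/value line naming a credential, a PEM private-key header, and a long
# base64-looking run as a crude stand-in for an entropy check.
KEYWORD_RE='^[[:space:]]*[[:alnum:]_]*(password|passwd|secret|api[_-]?key|token|auth)[[:alnum:]_]*[[:space:]]*[=:]'
PRIVATE_KEY_RE='-----BEGIN [A-Z ]*PRIVATE KEY-----'
BASE64_RE='[A-Za-z0-9+/_-]{32,}={0,2}'

# scan_file FILE: print "reason<TAB>file" per finding; return 1 if any finding.
scan_file() {
  local f="$1" n=0
  grep -Eq  -e "$PRIVATE_KEY_RE" "$f" && { printf 'private_key\t%s\n' "$f"; n=$((n+1)); }
  grep -Eiq -e "$KEYWORD_RE"     "$f" && { printf 'credential_keyword\t%s\n' "$f"; n=$((n+1)); }
  grep -Eq  -e "$BASE64_RE"      "$f" && { printf 'high_entropy_string\t%s\n' "$f"; n=$((n+1)); }
  [ "$n" -eq 0 ]
}

# scan_tree DIR: scan regular files up to two levels deep; return 1 if anything
# was found (the exit status a hook would use to block the push).
scan_tree() {
  local dir="$1" bad=0 f
  for f in "$dir"/* "$dir"/*/*; do
    [ -f "$f" ] || continue
    scan_file "$f" || bad=1
  done
  [ "$bad" -eq 0 ]
}

# count_findings DIR: number of findings under DIR (always exits 0).
count_findings() { scan_tree "$1" | wc -l | tr -d '[:space:]'; }

# file_checksum FILE: hex SHA-256 of the contents (sha256sum, or shasum as fallback).
file_checksum() {
  { command -v sha256sum >/dev/null 2>&1 && sha256sum "$1" || shasum -a 256 "$1"; } | awk '{print $1}'
}

# talismanrc_entry FILE: emit a fileignoreconfig stanza pinned to FILE's checksum.
talismanrc_entry() {
  printf 'fileignoreconfig:\n- filename: %s\n  checksum: %s\n' "$1" "$(file_checksum "$1")"
}

# rc_checksum RCFILE FILE: the checksum RCFILE pins for FILE (empty if none).
rc_checksum() {
  awk -v want="$2" '
    $1 == "-" && $2 == "filename:" { cur = $3 }
    $1 == "checksum:" && cur == want { print $2; exit }
  ' "$1"
}

# ignore_still_valid RCFILE FILE: true only while FILE matches its pinned checksum.
ignore_still_valid() {
  local pinned
  pinned="$(rc_checksum "$1" "$2")"
  [ -n "$pinned" ] && [ "$pinned" = "$(file_checksum "$2")" ]
}

# make_sample_tree ROOT: constructed files mirroring the walkthrough; none of
# these values are real credentials.
make_sample_tree() {
  mkdir -p "$1/sec-files"
  echo "username=teracloud-user" > "$1/sec-files/username"
  echo "password=teracloud-password" > "$1/sec-files/password.txt"
  echo "apiKey=aPPs32988sab21SA1221vdsXeTYY_243" > "$1/sec-files/ultrasecret"
  echo "base64encodedsecret=aPPs32988sss67SA1229vdsXeTXY_27777==" > "$1/sec-files/secret"
  printf -- '-----BEGIN RSA PRIVATE KEY-----\nplaceholder-not-a-real-key\n-----END RSA PRIVATE KEY-----\n' \
    > "$1/sec-files/id_rsa"
  echo "# nothing sensitive here" > "$1/README.md"
}

# Stand-alone demo: scan the tree, pin password.txt, then change it and watch
# the pin go stale.
demo() {
  local root
  root="$(mktemp -d)"
  make_sample_tree "$root"
  (
    cd "$root" || exit 1
    echo "== scan (non-zero status is what blocks the push) =="
    scan_tree . || echo "scan status: $? -> push would be blocked"
    echo "== .talismanrc entry pinning the current password.txt =="
    talismanrc_entry sec-files/password.txt | tee .talismanrc
    echo "== after editing the file, the pinned ignore no longer applies =="
    echo "password=rotated" >> sec-files/password.txt
    ignore_still_valid .talismanrc sec-files/password.txt || echo "ignore stale: file must be reviewed again"
  )
  rm -rf "$root"
}
demo
```

Run it with bash. A hook that wired scan_tree to the push would block on non-zero status, just as Talisman did in step 4. The checksum pin is why this form of ignore is safer than a blanket filename ignore: editing password.txt changes its hash, so the file is reviewed again instead of being skipped silently.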
Disclaimer: Secrets creeping in via a forced push to a git repository cannot be detected by Talisman. A forced push is notorious in its own right, and we suggest that git repository admins apply appropriate measures to authorize such activities.
Tomás Torales

Cloud Engineer

Teracloud

References:

https://github.com/thoughtworks/talisman

https://thoughtworks.github.io/talisman/docs

Have a question? For more info, go to the official Talisman docs:

https://thoughtworks.github.io/talisman/docs