
How to get started with Talisman in 4 simple steps.


Looking for the best way to lock down your sensitive info? Talisman is a tool that installs a hook into your repository to ensure that potential secrets or sensitive information do not leave the developer's workstation. At the starting point of our DevSecOps pipeline there are developers; remember, they're humans! With this in mind, we must take care of our secrets. There are plenty of cases where sensitive information has been accidentally pushed to an SCM; take a look at this sad story to get an idea of how badly a situation like that can go.


[Image: Talisman safeguards a possible data leak]

Here is where tools like Talisman become helpful.

It validates the outgoing changeset for things that look suspicious, such as potential SSH keys, authorization tokens, private keys, etc. Better yet, Talisman can also be used as a repository history scanner to detect secrets that have already been checked in, so you can make an informed decision about how to safeguard them. Let's take a look at how to get started.


Step #1: Install Talisman

In the following demo we're going to configure Talisman for a single project, so let's proceed with the installation.

# Download the talisman installer script
curl https://thoughtworks.github.io/talisman/install.sh > ~/install-talisman.sh
chmod +x ~/install-talisman.sh



Step #2: Choose which script to execute

This depends on our needs: pre-push vs. pre-commit. (For this example we chose pre-push.)


# Install to our project
cd teratip-talisman/

# as a pre-push hook
~/install-talisman.sh

# or as a pre-commit hook
~/install-talisman.sh pre-commit




Step #3: Start the simulation

Now, we’re going to simulate a sensitive information leak.


# Make a directory and generate some random data simulating sensitive info
mkdir sec-files && cd sec-files
echo "username=teracloud-user" > username
echo "password=teracloud-password" > password.txt
echo "apiKey=aPPs32988sab21SA1221vdsXeTYY_243" > ultrasecret
echo "base64encodedsecret=aPPs32988sss67SA1229vdsXeTXY_27777==" > secret


Step #4: Deploy the changes and push

Alright! We have some sensitive data in our repository; now let's commit the changes and push!

[Screenshot: failed to push]

Oops! Something went wrong! (or not!)

Talisman scans our code before pushing, and this is the result: the push failed.

[Screenshot: error: failed to push some refs to "git@github.com:TomasTV/teratip-talisman.git"]
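To make the mechanism behind that refused push concrete, here is an added example (not Talisman's own code and not part of the original post): a minimal POSIX-shell pre-push hook of the same kind. Git hands the hook one line per ref about to be pushed on stdin, and the hook scans only the outgoing commits; the detection regex is an assumed, deliberately simple stand-in for Talisman's detectors, exercised on the Step 3 sample values.

```shell
#!/bin/sh
# Added example, not Talisman's own code: a minimal pre-push hook that mirrors
# the mechanism Talisman relies on. Git feeds the hook one line per ref being
# pushed on stdin, and the hook inspects only the commits that would leave the
# workstation. The regex below is a simplified stand-in, not Talisman's rules.

# Flag "key=value" lines whose key names a credential, or whose value is a long
# opaque token (24+ base64/hex-like characters), as in the Step 3 sample files.
SECRET_RE='(password|passwd|secret|api_?key|token|private_?key)[[:space:]]*[:=]|[=:][[:space:]]*"?[A-Za-z0-9+/_-]{24,}={0,2}"?'

# Scan text on stdin. Prints matches to stderr; returns 1 if anything looks suspicious.
scan_for_secrets() {
  hits=$(grep -nEi "$SECRET_RE" || true)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits" >&2
    return 1
  fi
  return 0
}

# Pre-push hook body. Each stdin line is: <local ref> <local sha> <remote ref> <remote sha>.
# Only the '+' side of the outgoing diff is scanned, so secrets already in history
# that are left untouched do not block the push (a history scan covers those).
pre_push_check() {
  status=0
  while read -r local_ref local_sha remote_ref remote_sha; do
    case "$local_sha" in *[!0]*) ;; *) continue ;; esac   # all zeros: branch deletion
    case "$remote_sha" in
      *[!0]*) range="$remote_sha..$local_sha" ;;          # commits the remote lacks
      *)      range="$local_sha" ;;                        # new branch: full history
    esac
    if ! git log -p --no-color --format= "$range" | grep '^+' | grep -v '^+++' | scan_for_secrets; then
      echo "pre-push: potential secret in $local_ref ($range); refusing to push" >&2
      status=1
    fi
  done
  return $status
}

# Install: cp this-file .git/hooks/pre-push && chmod +x .git/hooks/pre-push
# When git invokes it under that name, act as the hook; otherwise only define functions.
case "$(basename "$0")" in
  pre-push) pre_push_check ;;
esac
```

Once installed, `git push` runs `pre_push_check`, and a non-zero exit refuses the push the same way the screenshot above shows.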

You can also ignore these findings if you decide that is best. Just create a .talismanrc file as shown in the output of our latest command (git push).


[Screenshot: ignore the above files from Talisman detectors]

# Ignore a secret to allow the push into the remote repository
vi .talismanrc

# Paste the entry for the file the Talisman scan should ignore, then push to the repo
# (checksum must be indented under the list item)
fileignoreconfig:
- filename: sec-files/password.txt
  checksum: 742a431b06d8697dc1078e7102b4e2663a6fababe02bbf79b6a9eb8f615529cb


Disclaimer: Secrets creeping in via a forced push to a git repository cannot be detected by Talisman. A forced push is notorious in its own ways, and we suggest that git repository admins apply appropriate measures to authorize such activity.




Tomás Torales

Cloud Engineer

Teracloud








References:

https://github.com/thoughtworks/talisman

https://thoughtworks.github.io/talisman/docs


Have a question? For more info, go to the official Talisman docs:

https://thoughtworks.github.io/talisman/docs


If you are interested in learning more about our #TeraTips or our blog's content, we invite you to browse all the entries we have created for you and your needs, and subscribe to stay up to date with any news!


