How to get started with Talisman in 4 simple steps.
Looking for the best way to lock down your sensitive info? Talisman is a tool that installs a hook to your repository to ensure that potential secrets or sensitive information do not leave the developer’s workstation. At the starting point of our DevSecOps pipeline there are developers; remember, they’re humans! With this in mind, we must take care of our secrets. There are plenty of cases where sensitive information is accidentally pushed to our SCM—take a look into this sad story to get an idea of how bad a situation like that can all go.
Here is where tools like Talisman become helpful.
It validates the outgoing changeset for things that look suspicious - such as potential SSH keys, authorization tokens, private keys etc. Better yet, Talisman can also be used as a repository history scanner to detect secrets that have already been checked in so you can take an informed decision to safeguard secrets. Let’s take a look on how to get started.
Step #1: Install Talisman
In the following demo we’re going to configure Talisman for a single project so we proceed with the installation.
# Download the talisman installer script
curl https://thoughtworks.github.io/talisman/install.sh > ~/install-talisman.sh
chmod +x ~/install-talisman.sh
Step #2: Choose which script to execute
This will depend on our needs pre-push vs pre-commit. (For this example we chose pre-push).
# Install to our project
# as a pre-push hook
# or as a pre-commit hook
Step #3: Start the simulation
Now, we’re going to simulate a sensitive information leak.
# Make directory and generate some random data simulating sensitive info
mkdir sec-files && cd sec-files
echo "username=teracloud-user" > username
echo "password=teracloud-password" > password.txt
echo "apiKey=aPPs32988sab21SA1221vdsXeTYY_243" > ultrasecret
echo "base64encodedsecret=aPPs32988sss67SA1229vdsXeTXY_27777==" > secret
Step #4: Deploy the changes and push
Alright! We have some sensitive data in our repository, now lets commit the changes and push!
Oops! Something went wrong! (or not!)
Talisman scans our code before pushing and this is the result! It failed to push.
You can also ignore these errors if you find it best. Just create a .talismanrc file as shown in the output of our latest command (git push)
# Ignore a secret to allow the push into the remote repository
# Paste the desired secret that Talisman scan will ignore and push to the repo
- filename: sec-files/password.txt
Disclaimer: Secrets creeping in via a forced push in a git repository cannot be detected by Talisman. A forced push is believed to be notorious in its own ways, and we suggest git repository admins to apply appropriate measures to authorize such activities.
�� Have a question? For more info go to the official Talisman docs
If you are interested in learning more about our #TeraTips or our blog's content, we invite you to see all the content entries that we have created for you and your needs. And subscribe to be aware of any news! 👇