Prevent Sensitive Data Leaks with Talisman (Simple 4-Step Setup)
top of page

How to get started with Talisman in 4 simple steps.


Looking for the best way to lock down your sensitive info? Talisman is a tool that installs a hook to your repository to ensure that potential secrets or sensitive information do not leave the developer’s workstation. At the starting point of our DevSecOps pipeline there are developers; remember, they’re humans! With this in mind, we must take care of our secrets. There are plenty of cases where sensitive information is accidentally pushed to our SCM—take a look into this sad story to get an idea of how bad a situation like that can all go.


Talisman-safeguards-a-possible-Data-leak

Here is where tools like Talisman become helpful.

It validates the outgoing changeset for things that look suspicious - such as potential SSH keys, authorization tokens, private keys etc. Better yet, Talisman can also be used as a repository history scanner to detect secrets that have already been checked in so you can take an informed decision to safeguard secrets. Let’s take a look on how to get started.


Step # 1: Install Talisman

In the following demo we’re going to configure Talisman for a single project so we proceed with the installation.

# Download the talisman installer script

curl https://thoughtworks.github.io/talisman/install.sh > ~/install-talisman.sh

chmod +x ~/install-talisman.sh



Step # 2: Choose which script to execute

This will depend on our needs pre-push vs pre-commit. (For this example we chose pre-push).


# Install to our project

cd teratip-talisman/

# as a pre-push hook

~/install-talisman.sh

# or as a pre-commit hook

~/install-talisman.sh pre-commit


-Install-to-our-project-cd-teratip-talisman/-#-as-a-pre-push-hook-~/install-talisman.sh-#-or-as-a-pre-commit-hook-~/install-talisman.sh-pre-commit


Step # 3: Start the simulation

Now, we’re going to simulate a sensitive information leak.


# Make directory and generate some random data simulating sensitive info

mkdir sec-files && cd sec-files

echo "username=teracloud-user" > username

echo "password=teracloud-password" > password.txt

echo "apiKey=aPPs32988sab21SA1221vdsXeTYY_243" > ultrasecret

echo "base64encodedsecret=aPPs32988sss67SA1229vdsXeTXY_27777==" > secret


Step # 4: Deploy the changes and push

Alright! We have some sensitive data in our repository, now lets commit the changes and push!

failed-to-push

Oops! Something went wrong! (or not!)

Talisman scans our code before pushing and this is the result! It failed to push.

error-failed-to-push-some-refs-to-"git@github.com:TomasTV/teratip-talisman.git"

You can also ignore these errors if you find it best. Just create a .talismanrc file as shown in the output of our latest command (git push)


ignore-the-aboive-files-from-talisman-detectors

# Ignore a secret to allow the push into the remote repository

vi .talismanrc

# Paste the desired secret that Talisman scan will ignore and push to the repo

fileignoreconfig:

- filename: sec-files/password.txt

checksum: 742a431b06d8697dc1078e7102b4e2663a6fababe02bbf79b6a9eb8f615529cb


Disclaimer: Secrets creeping in via a forced push in a git repository cannot be detected by Talisman. A forced push is believed to be notorious in its own ways, and we suggest git repository admins to apply appropriate measures to authorize such activities.

photo-of-tomas-torales




Tomás Torales

Cloud Engineer

Teracloud








References:

https://github.com/thoughtworks/talisman

https://thoughtworks.github.io/talisman/docs


�� Have a question? For more info go to the official Talisman docs

https://thoughtworks.github.io/talisman/docs



Entradas recientes
Buscar por tags
Síguenos
  • Twitter Basic Square
bottom of page