Implementing Secret Scanning with git secrets, trufflehog, and Snyk Dependency Checks using GitHub Actions Workflows
Photo by Sebastian Svenson on Unsplash
I am learning about the basics of creating a blueprint for a secure CI/CD pipeline. Recently, I had the opportunity to implement secret scanning using git secrets and trufflehog, as well as integrate Snyk for dependency checks, all within GitHub Actions workflows. In this blog post, I will share my experience of implementing these tools and the steps I followed to enhance the security of my projects.
Part 1: Setting Up Secret Scanning with Git Secrets
To start, I wanted to ensure that my codebase was free from accidental exposure of secrets like API keys or passwords. I decided to use Git secrets to perform secret scanning within my GitHub Actions workflows. Here's how my journey unfolded:
Creating the Workflow File: I navigated to the .github/workflows
directory in my repository and created a new YAML file, which I named scanning_git_secrets.yml
, to define my workflow.
Defining the Workflow Trigger: I specified the events that should trigger the secret scanning workflow. I opted to trigger the workflow on both push
and pull_request
events to cover various scenarios.
name: Scan secrets using Gitleaks
on:
push:
pull_request:
Setting up the Workflow Steps: I added the necessary steps to install and run git secrets within the workflow. By leveraging the actions/checkout@v3
action, I fetched the repository code and ran git secrets on it.
jobs:
scan:
name: gitleaks
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
- uses: gitleaks/gitleaks-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Committing and Pushing the Workflow File: Once I was satisfied with the workflow configuration, I saved the workflow file, committed it to my repository, and pushed the changes to trigger the secret scanning workflow.
Part 2: Identifying Secrets with trufflehog
In addition to git secrets, I wanted to perform another scan to try a different method and to ensure that I was not missing any potential secrets in my codebase. I decided to incorporate trufflehog into my GitHub Actions workflow. Here's what I did:
Updating the Workflow File: I opened a new file Trufflehog_scan.yml
workflow file and added the necessary steps to incorporate Trufflehog.
name: Scan secrets Trufflehog
on: [pull_request]
jobs:
ScanSecrets:
name: Scan secrets
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
with:
fetch-depth: 0
ref: ${{ github.head_ref }}
- name: trufflehog-actions-scan
uses: edplato/trufflehog-actions-scan@master
Committing and Pushing the Workflow File: I saved the workflow file with the trufflehog integration, committed the changes, and pushed them to trigger the updated workflow.
Part 3: Checking for Vulnerable Dependencies with Snyk
To further enhance the security of my projects, I decided to incorporate Snyk for dependency checks on Python code. This would help me identify and address any vulnerabilities in my project dependencies. Here's how I integrated Snyk into my GitHub Actions workflow:
Updating the Workflow File: I opened the snyk_workflow.yml
workflow file and added the necessary steps to incorporate Snyk. The SNYK_TOKEN needs to be added to the GitHub repository under "Actions secrets and variables" to run the workflow.
name: Example workflow for Python using Snyk
on:
workflow_dispatch:
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- name: Run Snyk to check for vulnerabilities
uses: snyk/actions/python@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --all-projects --severity-threshold=low --skip-unresolved
Committing and Pushing the Workflow File: Once I had integrated Snyk, I saved the workflow file, committed the changes, and pushed them to trigger the updated workflow.
Implementing secret scanning with git-secrets and trufflehog, along with integrating Snyk for dependency checks within GitHub Actions workflows, has significantly improved the quality and security of my codebase. I would like to explore linting using Github actions in the upcoming blogs.