$ git clone git@glab.local:cicd/environment.sh
git: threat model
- external attacker
- authenticated access to an application
- RCE in a docker container
- access to a single server
- access to a developer’s workstation
hardcoded secrets
Not just String pass = "N0OneW1llG3tTh1s";
:
- secrets in automated tests and deployment configuration
- secrets in sample front-end code
- hard-coded signatures and HMAC keys
- testing credentials that “bypass” security checks
.git
directories
Access to the private Gitlab is not the only way attackers get git
access.
- exposure of a
.git
directory on - Git repositories used to pull configurations by build agents
.git
directories: demo
commits, pulls and branches
- leaked secrets may persist in commit history
- do not only scan the
main
branch - do not remove secrets by just committing a new version
trufflehog
trufflehog
usage: demo
third-party services + git: real-world example
found on Confluence
:
![](https://tenendo.com/wp-content/uploads/2022/10/Pasted-image-20220920154431.png)
after git clone
:
![](https://tenendo.com/wp-content/uploads/2022/10/Pasted-image-20220920154333-1024x299.png)