In this lab you’ll learn how to use GitHub Secret Scanning to protect your secrets on the repository.
Go to your GitHub account and click on your profile picture.
Click on Settings.
On the left side, click on Developer settings.
Click on Personal access tokens > Tokens (classic).
Click on Generate new token > Generate new token (classic).
Add a name for your token, scroll down and click on Generate token.
You'll get a token; copy it.
On the repo used in the last lab, create a file called gh-token and paste the token into it.
Open your terminal and run the following command:
az ad sp create-for-rbac -n <your_name>_sp > azure_sp.json
Replace <your_name> with your name, using the first letter of your first name and your full last name.
Note that you may have to log in to your Azure account; use the credentials provided by the training team. You should not use your company credentials.
Check the content of the file azure_sp.json. You should get a JSON with the following content:
{
"appId": "your_app_id",
"displayName": "your_name_sp",
"password": "your_password",
"tenant": "your_tenant"
}
Add the files gh-token and azure_sp.json to the repo.
Now, let's commit the files using the following commands:
git add gh-token azure_sp.json
git commit -m "Add secrets"
You should get Talisman warnings; ignore them for now and add both files to the .talismanrc file.
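The Talisman warning above is the last local chance to stop the secret before it is committed. As an added example (not part of the lab, and not Talisman's or GitHub's own code), here is a minimal pre-commit hook that refuses a commit when a staged file contains a GitHub classic PAT (the `ghp_` prefix plus 36 alphanumerics) or the `appId`/`password` JSON shape that `az ad sp create-for-rbac` prints. The hook name, the function names and the regex are this example's own choices; it assumes POSIX sh, grep, sed and git.

```shell
#!/bin/sh
# Added example, not part of the lab or of Talisman: a small pre-commit check
# that stops a commit when a staged file contains a GitHub classic PAT or the
# JSON credential blob that `az ad sp create-for-rbac` prints. It gives the
# same kind of early warning Talisman / push protection give, but before the
# commit even exists locally. Assumes POSIX sh, grep, sed and git.

PAT_RE='ghp_[A-Za-z0-9]{36}'   # classic PAT: "ghp_" followed by 36 alphanumerics

# Prints one finding per line for the file in $1 (nothing if it looks clean).
# Only line numbers are printed, never the matched token itself.
scan_file() {
  f="$1"
  grep -E -n "$PAT_RE" "$f" | cut -d: -f1 | sed "s|^|$f: github-pat on line |"
  if grep -q '"appId"' "$f" && grep -q '"password"' "$f"; then
    echo "$f: azure service-principal credential (appId + password)"
  fi
}

# Prints the total number of findings across all files given as arguments;
# missing paths are skipped so deleted files never break the hook.
count_findings() {
  n=0
  for f in "$@"; do
    [ -f "$f" ] || continue
    n=$((n + $(scan_file "$f" | wc -l | tr -d ' ')))
  done
  echo "$n"
}

# Hook entry point: scan only staged files that were added/copied/modified.
pre_commit() {
  report=$(git diff --cached --name-only --diff-filter=ACM |
    while read -r f; do
      if [ -f "$f" ]; then scan_file "$f"; fi
    done)
  if [ -n "$report" ]; then
    printf 'Refusing to commit, possible secrets found:\n%s\n' "$report" >&2
    exit 1
  fi
}

# Install: copy this file to .git/hooks/pre-commit and `chmod +x` it.
# The guard below runs the hook only when git invokes it under that name.
case "$0" in pre-commit|*/pre-commit) pre_commit ;; esac
```

The check deliberately reports only file names and line numbers, so the secret is not echoed into terminal scrollback or CI logs. It is a complement to, not a replacement for, GitHub's secret scanning: the server-side scan also covers files pushed from machines where no hook is installed.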
Now push the files to the remote repository:
git push
Go to your repo on GitHub and click on Settings.
Scroll down on that page and find a button named Change visibility.
Follow the steps to change the repo visibility to public.
Then, select the option Code scanning on the left menu of Settings.
Scroll down until you find the Secret scanning block and enable it, and enable Push protection too.
Go to the Security tab on the repo (on the menu where you find the Code tab).
You should see two security alerts for the files you’ve pushed.
Open them and check the details.
Now return to the page where you created your GitHub PAT and check that it was automatically revoked.
Now repeat Step 01 and Step 02 to get new tokens.
When creating the SP, pay attention to the SP name, which must be different from the first one.
In both steps, create new files for the data: gh-token2 and azure_sp2.json.
Now let’s commit the files using the following commands:
git add gh-token2 azure_sp2.json
git commit -m "Add secrets"
You should get Talisman warnings; ignore them for now and add both files to the .talismanrc file.
Now push the files to the remote repository:
git push
You should get an error on the push. Check the error message and follow the instructions to allow both files to be pushed.
Go to the Security tab on the repo (on the menu where you find the Code tab).
You should see two new security alerts for the files you've pushed.
Open them and check the details.
Check again the page where you created your GitHub PAT and confirm that it was automatically revoked.
Delete the files gh-token, azure_sp.json, gh-token2 and azure_sp2.json from the local repo.
Commit the changes and push them to the remote repository, using the following commands:
git add -A
git commit -m "Clean up secrets"
git push
Even though you've deleted the files from the repo, they are still in the git history.
If you clone the repo again, you'll get the full history and can navigate back through it to recover the files.
So you need to be sure that the files are not in the git history.
In this case, knowing that the repo doesn't have too many commits, you could use a git rebase to remove the files from the history.
But when you have a lot of commits, you should use a tool like git filter-branch to remove the files.
Let's check how that tool works.
First, let's get the git history of the files you want to remove:
git log -p -- gh-token
You should get the list of commits that added the file.
On your local repo, run the following command:
git filter-branch --force --index-filter 'git rm --cached --ignore-unmatch gh-token azure_sp.json gh-token2 azure_sp2.json' --prune-empty --tag-name-filter cat -- --all
Now let's confirm that you don't have any history of the files left:
git log -p -- gh-token
And you should get an empty list.
Now, push the changes to the remote repository:
git push origin --force --all
Go to the repo on GitHub and check that the files are not there anymore.
Navigate through the history and check that the files are not there anymore.
Clone the repo again on a new folder and check that the files are not there anymore.
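The check used above, `git log -p -- gh-token`, only walks the current branch. `git filter-branch` keeps a backup of the old history under `refs/original/*`, and the reflogs keep pointing at the old commits too, so the secret can still be reachable locally after the rewrite. The following is an added example, not part of the lab: it builds a throw-away repo with a constructed fake token, runs the same `filter-branch` shape the lab uses, and reports whether the secret is still reachable from any ref or reflog before and after the extra cleanup. The function names, the fake token value and the temporary repo are this example's own; it assumes git is installed and needs no network.

```shell
#!/bin/sh
# Added example, not part of the lab: builds a throw-away repo containing a
# constructed fake token, purges it with the same git filter-branch shape the
# lab uses, and then checks whether the secret is still reachable from ANY ref
# or reflog. Assumes git is installed; no network access is needed.

# Constructed placeholder (a classic PAT is "ghp_" + 36 alphanumerics); not a real token.
FAKE_PAT="ghp_EXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEX"

# Suppress filter-branch's interactive warning and its pause before starting.
export FILTER_BRANCH_SQUELCH_WARNING=1

# Run git inside the repo given as $1 with a fixed identity, so commits work
# on a machine that has no global git config.
g() { _repo="$1"; shift; git -C "$_repo" -c user.name=lab -c user.email=lab@example.invalid "$@"; }

# Prints "leaked" if any commit reachable from a ref OR a reflog entry adds or
# removes the marker string (git's pickaxe search), "clean" otherwise.
# This is stricter than `git log -p -- gh-token`, which only walks the
# current branch and so never sees filter-branch's refs/original/* backups.
secret_state() {
  if [ -n "$(g "$1" log --all --reflog --format=%H -S"$2")" ]; then
    echo leaked
  else
    echo clean
  fi
}

# Whole demo. Prints "after-filter:<state> after-cleanup:<state>".
purge_demo() {
  repo=$(mktemp -d)
  git -c init.defaultBranch=main init -q "$repo"

  echo "hello" > "$repo/README.md"
  g "$repo" add README.md
  g "$repo" commit -q -m "init"

  # Commit the secret, then delete it in a later commit, exactly as the lab does.
  printf '%s\n' "$FAKE_PAT" > "$repo/gh-token"
  g "$repo" add gh-token
  g "$repo" commit -q -m "Add secrets"
  g "$repo" rm -q gh-token
  g "$repo" commit -q -m "Clean up secrets"

  # Rewrite every ref so the file never existed.
  g "$repo" filter-branch --force \
    --index-filter 'git rm --cached --ignore-unmatch gh-token' \
    --prune-empty --tag-name-filter cat -- --all >/dev/null 2>&1
  after_filter=$(secret_state "$repo" "$FAKE_PAT")   # still "leaked"

  # filter-branch keeps the old history under refs/original/* and in the
  # reflogs. Delete those refs, expire the reflogs and prune the objects.
  g "$repo" for-each-ref --format='%(refname)' refs/original/ |
    while read -r ref; do g "$repo" update-ref -d "$ref"; done
  g "$repo" reflog expire --expire=now --all
  g "$repo" gc --prune=now -q
  after_cleanup=$(secret_state "$repo" "$FAKE_PAT")   # now "clean"

  rm -rf "$repo"
  echo "after-filter:$after_filter after-cleanup:$after_cleanup"
}
```

Source the file and call `purge_demo`; it prints `after-filter:leaked after-cleanup:clean`, which is the point of the exercise: the rewrite alone is not enough locally, and on the remote the same holds for forks and clones made before the force-push, which still carry the old commits. Treat history rewriting as hygiene, not as revocation: the GitHub PAT was revoked for you, but confirm the Azure service principal secret was also invalidated and, if it was not, reset it (`az ad sp credential reset`) or delete the service principal.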
You've learned how to use GitHub Secret Scanning to protect the secrets in your repository.
You've also learned how to clean up the git history to remove files that were added by mistake.