Gitleaks
💎Vulnerabilities to be discovered
The following vulnerabilities should be discovered in this section:
VULN-FLASK-SECRETS
⚙️Gitleaks setup
If you didn't set up the static-analysis profile's infrastructure, please do so by running the command docker-compose --profile static-analysis up. Use docker exec --interactive --tty static-analysers bash to enter the container where the CLI application is contained.
⚙️Coder setup
If you didn't set up the static-analysis profile's infrastructure, please do so by running the command docker-compose --profile static-analysis up. Access this link to interact with the application's web user interface. Use the ossfortress password for login.
📚Gitleaks documentation
The Gitleaks documentation is available here.
Steps
Scanning for leaked secrets
- Create a Gitleaks command to check the repository for leaked secrets and dump the warnings in a SARIF file, /root/analysis/gitleaks.sarif.
- Find a way to redact the secrets in the Gitleaks output.
- For each warning produced by Gitleaks, check if it is valid by using git. Use the Coder instance in the Docker infrastructure to review the results.
🚧Solution
To display the solution of this task, enter the text i-surrender-to-the-code-security-gods in the field below.
Defining custom formats for secrets
- For all unidentified secrets from the codebase, create a custom Regex rule in a Gitleaks configuration file, /root/analysis/gitleaks.toml.
- Find the configuration aspect that should be set to also keep the previously detected results.
 
🚧Solution
To display the solution of this task, enter the text i-surrender-to-the-code-security-gods in the field below.
Creating a baseline
- Adapt the command created in the first section to output a JSON file, /root/analysis/gitleaks.baseline.json.
- Find the Gitleaks configuration to use the created JSON file as a baseline. The newly created SARIF output file, /root/analysis/gitleaks.diff.sarif, shouldn't contain any warnings.
- Include a new secret in the code and run the previous command again. Was the secret found?
 
🚧Solution
To display the solution of this task, enter the text i-surrender-to-the-code-security-gods in the field below.
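The three exercises above (SARIF scan with redaction, custom rule that keeps the built-in rules, JSON baseline and a diff scan against it) as one worked script. This is an added example, not code from the workshop page or from the Gitleaks project. It assumes the Gitleaks v8 CLI (detect, --redact, --report-format, --report-path, --config, --baseline-path and the [extend] useDefault config key); the output paths are the ones the exercises name, the rule id flask-secret-key and its regex are constructed for the Flask SECRET_KEY case, and the repository path is passed as the first argument.

```shell
#!/usr/bin/env sh
# Added example, not code from the workshop page or the Gitleaks project.
# Assumes the Gitleaks v8 CLI; the output paths are the ones the exercises
# name, the rule id/regex are constructed, and the repository path is $1.
set -eu

# Step 1: scan the git history, write a SARIF report and redact the secret
# values inside it. gitleaks exits 1 when it finds leaks, so `|| true`
# keeps a scripted run from aborting on a finding.
scan_to_sarif() {
  repo="$1"; out="$2"
  gitleaks detect --source "$repo" --redact \
    --report-format sarif --report-path "$out" || true
}

# Step 2: a config that adds a custom rule for a hard-coded Flask SECRET_KEY.
# [extend] useDefault = true keeps the built-in rules, so the findings from
# the first scan are still reported alongside the custom ones.
write_gitleaks_config() {
  cat > "$1" <<'EOF'
title = "workshop rules (constructed example)"

[extend]
useDefault = true

[[rules]]
id = "flask-secret-key"
description = "Hard-coded Flask SECRET_KEY assignment"
regex = '''(?i)SECRET_KEY\s*=\s*['"][^'"]{8,}['"]'''
tags = ["flask", "key"]
EOF
}

# Step 3a: JSON report that becomes the baseline (the baseline file is JSON).
make_baseline() {
  repo="$1"; config="$2"; out="$3"
  gitleaks detect --source "$repo" --config "$config" \
    --report-format json --report-path "$out" || true
}

# Step 3b: scan again, ignoring every finding already in the baseline; only
# secrets added after the baseline was taken end up in the SARIF diff.
scan_against_baseline() {
  repo="$1"; config="$2"; baseline="$3"; out="$4"
  gitleaks detect --source "$repo" --config "$config" \
    --baseline-path "$baseline" --redact \
    --report-format sarif --report-path "$out" || true
}

# Count results in a pretty-printed SARIF report without jq: Gitleaks writes
# one "ruleId" key per result, each on its own line. A missing report
# counts as zero findings.
count_sarif_results() {
  [ -f "$1" ] || { echo 0; return 0; }
  grep -c '"ruleId"' "$1" || true
}

# Run the whole procedure when gitleaks is installed and a repo path is given.
if command -v gitleaks >/dev/null 2>&1 && [ -n "${1:-}" ]; then
  mkdir -p /root/analysis
  scan_to_sarif "$1" /root/analysis/gitleaks.sarif
  write_gitleaks_config /root/analysis/gitleaks.toml
  make_baseline "$1" /root/analysis/gitleaks.toml /root/analysis/gitleaks.baseline.json
  scan_against_baseline "$1" /root/analysis/gitleaks.toml \
    /root/analysis/gitleaks.baseline.json /root/analysis/gitleaks.diff.sarif
  echo "findings after baseline: $(count_sarif_results /root/analysis/gitleaks.diff.sarif)"
fi
```

Run it inside the static-analysers container as sh script.sh /path/to/repo. After the baseline scan the diff SARIF should count zero results; committing a new SECRET_KEY assignment and running the last two functions again shows whether the baseline lets the new secret through.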