Secure Your GitHub Repos! Prevent Merging AWS, Azure, and GCP Sensitive Credentials with GitHub Actions
Syed Mustafa Qamar
Posted on October 30, 2024
When working with cloud services, keeping your credentials secure is crucial. Accidentally exposing AWS, Azure, or GCP secrets in a GitHub repository can be a serious security risk. Thankfully, there are tools to prevent this — including git-secrets, a tool designed to help prevent committing sensitive information, such as passwords and API keys, into Git repositories.
What is Git-Secrets?
Git-Secrets is a tool that scans your Git commits and detects sensitive credentials, blocking them from entering your codebase. Originally developed by AWS, the tool scans your code for patterns and secrets tied to your configurations, like AWS keys and tokens, and prevents them from being pushed to Git repositories.
However, many articles about git-secrets only focus on configuring it in local environments. Additionally, AWS’s official version of git-secrets exclusively supports AWS, which might limit its scope if you’re working with other cloud providers like GCP and Azure.
In this article, I’ll guide you through configuring an enhanced version of git-secrets that supports scanning AWS, GCP, and Azure credentials, running directly in a GitHub repository using GitHub Actions. You can run a workflow to scan the secrets whenever a pull request is created to merge the code into your default/base branch. This approach brings enhanced security to your cloud projects without needing local setup for each developer if you are working in a team.
Setting Up GitHub Actions to Secure Your Cloud Credentials
To effectively use git-secrets on GitHub, we’ll start by configuring GitHub Actions and setting repository rules to enforce credential scanning on every pull request. Here’s how to set it up
Enable GitHub Actions
- Go to your GitHub repository’s Settings.
- Under Actions, navigate to the General tab.
- In Actions permissions, select Allow all actions and reusable workflows. This permission is essential for accessing the actions needed to scan for credentials.
Enforce Pull Request
Next, set up repository rules to require a pull request before merging any changes. This creates an additional review layer and ensures the workflow is triggered.
- In your repository’s Settings, go to Branches and select Add branch protection rule.
- Choose the main branch or your default branch, then set the rule to require a pull request before merging. Consider enabling options like requiring code review approvals as well.
To enforce the branch rule(s) you would need to use a work account. If you are using a personal account, validation checks will not block you from merging the code even if they fail but you would still see if the validation checks passed or not.
Create a GitHub Workflow
Finally, create a workflow file that will run git-secrets checks automatically on each pull request, scanning for any sensitive cloud credentials.
- Go to the Actions tab of your repository and click on New Workflow button.
- Click on set up a workflow yourself.
Paste the following workflow and commit your workflow in any of our branches.
name: Check for Secrets
on:
pull_request:
branches:
- main # Make sure this matches the branch you are merging into
jobs:
secrets-scan:
name: Scan for Secrets
runs-on: ubuntu-latest
steps:
- name: Checkout the code
uses: actions/checkout@v3
- name: Install git-secrets
run: |
git clone https://github.com/msalemcode/git-secrets.git
cd git-secrets && sudo make install
- name: Set PATH for git-secrets
run: |
echo "${{ github.workspace }}" >> $GITHUB_PATH # Add the cloned directory to PATH
- name: Configure git-secrets
working-directory: ${{ github.workspace }}
run: |
git secrets --install . # set up git secrets into the specific repository
git secrets --register-aws # set up regex patterns for AWS secrets
git secrets --register-azure # set up regex patterns for Azure secrets
git secrets --register-gcp # set up regex patterns for GCP secrets
- name: Run git-secrets to scan for sensitive data
run: git secrets --scan --recursive # scan the whole repository
Run the Workflow
Now that your workflow is all setup, just create a pull request to merge into your main or default branch and it will automatically run the workflow you created.
If the workflow finds any sensitive information from the code being merged, the validation will fail giving you an error similar to the following validation failure.
Conclusion
By implementing this GitHub Actions workflow, you strengthen your repository’s security by preventing the accidental commit of sensitive credentials. Instead of requiring each developer to configure git-secrets locally, this centralized approach automates credential scanning at the repository level. This ensures consistency, streamlines onboarding, and enforces best practices across the team, significantly reducing the risk of exposing AWS, Azure, or GCP credentials in your codebase.
Posted on October 30, 2024
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.