Discover and read the best of Twitter Threads about #productsecurity
Most recents (1)
How we monitor secrets committed in our self hosted @gitlab instance in real time ?
(Twitter thread which summarises multiple experiments)
#ProductSecurity #gitlab #security
(Twitter thread which summarises multiple experiments)
#ProductSecurity #gitlab #security
Use Pre-commit / Pre-receive / Post-receive git hooks ?
Pre-commit : scan for secrets before commit. Prevents committing secrets by devs
Problem: requires access to dev laptops (privacy issue?). Hard to manage regexes in their laptop. Harder in a company hiring lots of devs
Pre-commit : scan for secrets before commit. Prevents committing secrets by devs
Problem: requires access to dev laptops (privacy issue?). Hard to manage regexes in their laptop. Harder in a company hiring lots of devs
Pre-receive : scan for secrets before commits are saved in Gitlab. If secrets found reject. Easy to manage server controls.
Problem: If a person commits secret to code, server rejects push. The person requires (advanced) git skills to remove secret from git history
Problem: If a person commits secret to code, server rejects push. The person requires (advanced) git skills to remove secret from git history
