How to Start Left with Security Using Git Pre-Commit Hooks

in DevOps , DevSecOps , Software Development

Magalix Shift Left with Git Web Hooks

There is a clear shift in development practices where engineers are taking on more and more responsibilities related to the underlying infrastructure. An example of this is the use of Kubernetes manifests to modify the structure of the application in a way that exposes ports or provides permissions that violate policy. Those considering how to start left with security can leverage the pre-commit hooks available in Git to validate these manifests prior to being committed to the code base.


    Starting Left Just Feels Right

    “Starting Left” is pretty simple in theory. In a typical CI/CD situation, security problems centered around permissions and surface area for attack are found after code has been compiled and deployed. If viewed as a physical pipeline that moves from left to right, these activities would show on the right side.

    In contrast, to Start Left with security means that you would scan for these types of breaking changes long before being deployed. In the case of pre-commit hooks, code meant for inclusion in a repository will be flagged. Doing so not only keeps new security violations from being released, it prevents it from being committed to the code base at all.

    Permissions Granted for More Surface Area

    Manifests used in Kubernetes are a good example of objects checked into code that can have unwanted effects when deployed. A lot of information in these manifests control the underlying infrastructure and permissions of an application or service. In order to maintain a secure environment, organizations must constantly run tools designed to find issues “after the fact.”

    Looking at the structure of the manifest, these extended permissions and other items have the ability to increase attack surface area. Starting Left using tools like git pre-commit hooks is the first line of defense against unwanted security risks. By requiring this small pre-check, many issues can be caught before being deployed to an environment. This method of using Git’s pre-commit hook function can be implemented in most any workflow.

    What is a Git Pre-Commit Hook?

    Simply put, a Git pre-commit hook allows for scanning of files for common issues. You may be used to using a tool called “lint” to check for code structure issues. This type of scanning as well as many others are included in the pre-commit hooks project. Syntax verification, file size restriction, and the ability to detect the use of private keys within code are all useful when using git pre-commit hooks to verify Kubernetes manifest files.

    We are all used to committing our code and having a code review completed prior to merging into a release branch. At this point, much of CI/CD automation has already taken place. It is possible that the committed code has already made it to the development environment. While this may be harmless in most situations, it may be a case where additional access to resources or permissions that were not intended can surface.

    In contrast, a pre-commit hook adds another step to the code commit process to do a few last-minute scans. These scans are meant to point out some of the more common issues as well as allow for custom rules to scan for newly introduced vulnerabilities. In the case of Kubernetes, these scans are completed against the manifest to keep things standardized and secure.

    Git Pre-Commit Hooks Installation and Usage Example

    In order to use this feature, the pre-commit framework needs to be installed. Using the instructions available at the pre-commit project homepage, we will install the package using the pip command line tool.

    $ pip install pre-commit

    Once installed, adding an initial configuration is simple. Go to your local project folder and run the following:

    $ pre-commit sample-config > .pre-commit-config.yaml

    This file contains the lines necessary to start using the pre-commit hooks listed here. There are a few entries by default. Note the correlation between the repo entry and the id of the hooks used. In this case, we are using hooks provided by pre-commit.

    repos:
    -   repo: https://github.com/pre-commit/pre-commit-hooks
        rev: v2.4.0
        hooks:
        -   id: trailing-whitespace
        -   id: end-of-file-fixer
        -   id: check-yaml
        -   id: check-added-large-files

    For our example, we are going to simulate a developer inserting a private certificate key. It is possible this would be used during development but is not something that should be committed to code. The git pre-commit hook for this scan is called detect-private-key. We will change the above .pre-commit-config.yaml file to include this by adding a new line.

    repos:
    -   repo: https://github.com/pre-commit/pre-commit-hooks
        rev: v2.4.0
        hooks:
        -   id: trailing-whitespace
        -   id: end-of-file-fixer
        -   id: check-yaml
        -   id: check-added-large-files
        -   id: detect-private-key

    After saving the file, running pre-commit install will set up the scripts for the hook in your project.

    $ pre-commit install
    pre-commit installed at .git/hooks/pre-commit

    That’s it! Every time a commit occurs, the pre-commit scripts will run automatically. Since this is the first time we have included the detect-private-key hook, we will run the full scans on all the files in the solution. Otherwise, the pre-commit hooks will only run on changed files during a commit.

    Example k8s_manifest.yaml (Note the RSA Private Key):

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      creationTimestamp: null
      labels:
        app: nginx
      name: nginx
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: nginx
      strategy: {}
      template:
        metadata:
          creationTimestamp: null
          pvtKey: -----BEGIN RSA PRIVATE KEY-----MIIEogIBAAKCAQEApnY3EbPWdz36+5vdyPsOHaSjd9d0Aj8uVt6d456xAgU9aPKTkK7c5nV1l6g
    CrKeknXWcN/lC9FkEBvzeAJuDScvxU80NLK6f7KNWyRCwmJ7yTEBwKXx8CgYEAss044OP3K65JBBW2QbpxK35IBsnRQjKDr9oEYv5oEyMJ49sqxobJcf2OfM
    WL96zckulWmBRxWqhETHUFkr0YavyBomiyiJDAJ1Phr+DfrE9zEouHIFQ6F6hxeNWMzXOZbavoCGyp5qj/nKkiZ+ssJ20RGQOb5EbAZ4Ne2eA57Bw=-----E
    ND RSA PRIVATE KEY-----
          labels:
            app: nginx
        spec:
          containers:
          - image: nginx
            name: nginx
            resources: {}
    status: {}

    When we run a scan against all files in the solution, this will cause a failure. The developer knows they must remove the offending code prior to being able to submit their work.

    $ pre-commit run --all-files

    Magalix Flawlessly Combines Automation with Policy-as-Code

    Much of what we have discussed today involves using a variety of tools used to start left with security. To extend that further, implementing Policy-as-Code promises to catch issues long before seeing them execute in a live environment. Magalix has used DevOps know-how to master these tools and has taken steps to provide hundreds of built-in policies.

    Have your own policies? Magalix integrates at any state of the CI/CD process to provide various checks you may already have employed. This, in addition to detailed analysis for compliance and policy adherence. Having all of this with the ability to provide detailed metrics and reporting will put teams far ahead of the game.


    Get similar stories in your inbox weekly, for free



    Share this story with your friends
    hebaeid
    Magalix

    Magalix is a cloud security enabler, leveraging security-as-code and compliance-as-code, to embed security at every stage of the software development lifecycle.

    Latest stories


    What Developers Think About GitHub Copilot

    GitHub Copilot is a controversial developer assistant introduced to the public in June 2021. It …

    Why Golang Is Widely Used in the DevOps and Cloud Native Space?

    The Golang programming language has been rising to popularity in the DevOps community in recent …

    The app used by the organization's staff for their activities, Facebook Workplace, is also down.
    Facebook, WhatsApp, Instagram Prolonged Downtime: Facts and Impacts

    A news report on a recent outage to the apps managed by Facebook inc.

    What are the criteria for selecting a Magento agency?

    Magento development company can help the business step up its eCommerce website to ensure its …

    7 Remote Working Tools That Simplify Your Work

    With the tools mentioned below, remote work has proven to become much more manageable.