Hi, everyone. My name is Mackenzie and I'm here with my colleague Amrik to talk about secrets detection. We're going to go through some of the features and products that GitGuardian has to help you keep secrets out of your Git repositories. Now, of course, it's really important to make sure that you don't have any sensitive information within your Git repositories, but it's even better if we can prevent sensitive information from getting there in the first place. This is why we have some great developer tools that enable you to make sure that secrets don't enter your Git repositories.

So today I'm going to be running you through some of the developer tools that we have and talk about how we can create a pre-commit Git hook or CI pipelines within GitLab. Then Amrik is going to take you through our full-feature dashboard to show how security teams or developers can investigate and remediate incidents that happen within their repositories, and also view analytics to see the changes, or how we're progressing, in secrets detection.

So let's not waste any more time. Why don't we jump into a demonstration of how you can set up a pre-commit Git hook within your repositories? So today on my screen I have just a Python project as a dummy project, but it looks fairly similar to what anyone who has worked in Python before would recognise. We're going to use a product called GitGuardian Shield, which is an open source product from GitGuardian. Using this tool we can scan directories, install pre-commit hooks, or install it in our CI/CD pipelines. So to start with we need to install ggshield, or GitGuardian Shield, onto our machine. Now I'm going to use the Python package manager pip to do this, but you can use Docker or you can use brew, whatever tools you're used to working with. For me, I'm going to go pip3 install ggshield, and there we have it.
We've just installed ggshield onto our machine. Now ggshield uses the GitGuardian API and its detection engine. It does this so we can maintain the best possible secrets detection and also so that we can run validity checks on the secrets that we find. But to do this we need an API key. We can grab a free API key from the GitGuardian dashboard. So you can sign up in a few minutes to the GitGuardian dashboard, head on down to the API tab and then just click on create new API key. We can add the scope just to scan, which is what we're going to do today, but if we want to have more power we can also manage bulk incidents and be able to view more information using the incidents scope. This is if you want to create your own dashboard to be able to view or remediate. But today we're just going to go through and add that scan functionality.

Once we have our API key we can add it into a .env file. Now GitGuardian Shield will search in your environment variables for this API key, but if you just put it in a .env file then it will automatically load it from there for you. So it's very, very simple. So now we have ggshield installed and we also have our API key in a .env file. We can go ahead and install a pre-commit Git hook: ggshield install -m, for mode, and we're going to go local. Now local means that we're going to install it onto this particular repository, but if I want to install it onto all the repositories I have on my machine then I can use the mode global, and it will install a pre-commit hook everywhere on my machine for all of my repositories. So that's a great feature, particularly if you're working in a lot of projects.

Okay, so now that we have our pre-commit hook installed, let's test to see if we can uncover any secrets with it. So I'm going to open up a file called python_server. You'll see in here we have a slack key variable. I'm just going to paste into here a Slack token.
This isn't a real Slack token, so don't try and exploit it, but it's close enough that it's going to trigger the detection engines. So now that we have this Slack key in there, I'm going to save this file and see if we can commit it into our repository: git add python_server, okay, and let's commit this. What you'll see here is it's actually blocked that commit, and it's let us know that on line 10 in our python_server file we have a Slack key. So this has blocked that commit, and obviously right now is the best time to try and conduct some remediation. I can remove this and add it into where I normally manage my secrets, and I don't even need to tell anyone else about this because I can manage the entire incident locally.

Now let's say that this isn't a real secret, it's just a placeholder, and I really want to commit it into the repository anyway. I don't want GitGuardian Shield to block it. Now this is great because we can use the ignore command to do this. So if I run the command ggshield ignore --last-found, what this does is it creates a brand new file for me here called .gitguardian.yaml, and within this YAML file we can see that it's added a SHA of our token that matches this. This means that we can share this YAML file; we can include it within our repository so that other people can also ignore the same secrets, but at no point do we reveal the identity or the value of our API key. So a great little feature for ignoring it. So now that I've ignored it I should be able to commit this into my repository without any trouble. So let's find out. I'm going to use the same commit. Voila, it's gone through, no troubles at all.
So let's see what happens when I push this into my repository. So now I can head over to my GitLab repository. I see that that change has come through, that push has come through. But I've also added ggshield into my CI/CD pipeline within GitLab. So this means that even though I ignored that secret locally, it should still be detected within the CI/CD pipeline. So let's see that. If I head over to pipelines, yes, you'll see that the latest check actually failed. So let's go have a look and see why that is. We can see that GitGuardian has failed in that, and we get the exact same message that we got in our terminal.

And there you have it. This is just some of the developer tools that can help you prevent committing secrets into your repositories. But now Amrik is going to show you how this translates on the dashboard and how you can utilize the full features of this to get more out of your secrets detection experience. So Amrik, I'll leave it over to you.

Thanks a lot, Mackenzie. That was great. So I'm going to be showing you the GitGuardian dashboard and UI in more detail. So this dashboard, as Mackenzie mentioned, is going to be scanning all of your GitLab projects on a post-receive basis. So that means that we're detecting secrets as soon as they arrive on the monitored code that you have integrated with GitGuardian.
So looking at the perimeter section here, I can see that I have two projects currently integrated. By default, at the very beginning, we will show you a health status that will be unknown, because we would not have performed a historical scan. So the first thing the solution is going to ask you is to perform a full historical scan of your integrated projects, so that we can tell you if any secrets have already been committed there. So this is the case for project alpha and another one called sample secrets here, and I'm going to click into it to show you how it looks.

So as you can see I'm taken to the incidents section here, and I see that I have two secrets leaked in that project alpha repo: one is a Slack bot token and the other one is a generic password. What's interesting here, and that doesn't show straight away, is that we have a smart grouping feature. So if any of those two keys are leaked multiple times in different projects or by different developers, we're going to regroup them under the same secret incident to make it much more digestible for you as a developer or for your security team. So let me show you a secret incident in more detail.

Okay, so as you can see I'm taken to this page where the only occurrence, in this case, is shown with the date, the author, the project name, and you have a quick snapshot of the secret that was exposed. Now on the top right-hand side here you can assign a severity to the incident. This is something for which we'll soon have a playbook, so you can automatically assign severities to different incidents; a bit more will be coming on that. You can assign the incident to somebody to work on remediation. But most interesting, I think, and this is a feature that our customers particularly love, is the collect feedback feature. So when you're dealing with a lot of secret incidents, especially after your first historical scans, this is a very powerful feature. Essentially you can share that incident, only that isolated incident, to the
responsible developer so that they can provide feedback on it. Sometimes the security team that looks at all this information doesn't really know if this is a sensitive secret or not; it might be a test credential, for example. And so the best person to inform them about that is going to be the developer. So this feature enables you to share that unique link. Let me show you how that looks. The developer has the same view essentially: they see the commit patch here and they can submit feedback about the incident. Now an additional feature, and this is heavily going to depend on your company culture, is that you can also enable the developer to remediate or ignore that incident. So they could flag the secret as a true positive and say that they had revoked it, or on the other hand they can say, well, no, this is a test credential, it's okay to be in the code. What's great is that the developer provides that information and then the security team goes back to the dashboard and can, you know, have a very good understanding of what happened there and see exactly what the developer has done.

Okay, so now having a quick look at the analytics page. This is going to give you an overview of how your team is performing in regards to secrets leaking within your repos. Now the first thing that you can look at is the total number of secrets leaking on a weekly, daily or monthly basis, and see how that evolves over time. You can also see which secrets are the most vulnerable to being exposed within your code, so maybe you can focus your efforts on different types of secrets there. Looking at the perimeter analytics, this is going to give you an overview of which sources are the most impacted by the exposure of secrets, or leakage of secrets, within the code, and see how that evolves over time as well. You know, sometimes specific teams are assigned specific projects.
Therefore you can target your efforts on particular teams if you want to, you know, work on training or things like that. And at the very bottom here you can track the performance of ggshield. So essentially, if you implement the GitGuardian API for secrets detection, or ggshield, within your CI pipeline, for example, or as a pre-commit or a pre-push hook, this will give you data on the total number of scans conducted and then the percentage of commits that contain secrets there. So you can see how that evolves over time, and this, you know, could be a good example and illustration of how much the pre-commit hook is leveraged within your organization and how many secrets it's preventing from even entering your code base in the first place.

Yeah, so I'd like to finish off with a very short case study just to show the efficiency of the solution. So here we're looking at one of our historical customers on this internal monitoring solution. They're in the insurance industry, they have around 400 developers, and we've scanned over 200,000 commits for them. So looking at the statistics I'm going to show you today, we're looking at the last six months versus the previous six months before that. Now you can see that they actually decreased the total number of secrets detected within their repos by 50%. So that's huge when you think about it. And, you know, similarly, 65% fewer sources or projects are impacted by the leakage of secrets. And looking at the pre-commit hooks, so they implemented that a couple of months ago, around 3% of pre-commit hooks are catching secrets. So there are quite a few secrets that we're also helping them, well, helping them prevent from entering their version control.

And here you have it. Mackenzie, I'll leave it back to you for some finishing thoughts.

Thanks, Amrik. That was great.
Just a reminder that GitGuardian is free for developers and teams under 25 developers. This includes all the developer tools and the dashboard that Amrik just showed you. So you can sign up for that today at gitguardian.com, or head straight to dashboard.gitguardian.com. If you have any trouble, feel free to reach out to the sales team or myself through our contacts page. So I hope you enjoyed the presentation, and I hope these tools help you keep your repositories secrets-free.
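The GitLab pipeline step Mackenzie shows but does not display on screen, written out as an added example (this is not the presenters' own configuration). It assumes the public gitguardian/ggshield Docker image, the current `ggshield secret scan ci` subcommand, and an API key stored as a masked, protected CI/CD variable named GITGUARDIAN_API_KEY rather than in a committed .env file. Because the scan runs server-side, a secret that a developer suppressed locally with `ggshield ignore --last-found` is still reported unless the .gitguardian.yaml is pushed with the commit.

```yaml
# .gitlab-ci.yml (added example, not from the webinar)
stages:
  - scanning

gitguardian-secret-scan:
  stage: scanning
  image: gitguardian/ggshield:latest
  script:
    # ggshield reads the API key from the GITGUARDIAN_API_KEY environment
    # variable; define it as a masked + protected CI/CD variable in the
    # project settings so it never appears in the repository or job logs.
    # In CI mode ggshield scans every commit of the push and exits non-zero
    # when a secret is found, which fails the pipeline as shown in the demo.
    - ggshield secret scan ci
```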