
Using SEDATED to scan git history

Open Asuza opened this issue 4 years ago • 3 comments

I just discovered this tool and it looks fantastic! I am wondering how difficult it would be to pipe data from git to SEDATED to spot existing commits that have matches before implementing it as a pre-commit hook. Does this seem feasible?

Asuza avatar Jun 22 '20 22:06 Asuza

While far from the perfect solution, I was able to tweak the GET_PUSHED_COMMIT_IDS_AND_BRANCHES function and update the condition from:

  if [[ "$latest_commit_id" == "$zero_commit" ]]; then

to

  if [[ "$base_commit_id" == "all" ]]; then
    list_of_commits=$(git rev-list --all)
    APPEND_TO_COMMITS_AND_BRANCHES "$list_of_commits" "$commits_and_branches" "$branch_name"
  elif [[ "$latest_commit_id" == "$zero_commit" ]]; then

This allows me to navigate to a git repository and run the following command

echo 'all' | ../../tools/SEDATED/pre-receive.sh

Which then finds problems in all of the commit history. I'm sure there's a better way to do it. This is just what is working for me at the moment.

Asuza avatar Jun 23 '20 22:06 Asuza
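The whole-history scan described above, written out as a stand-alone POSIX shell function. This is an added example, not SEDATED's code and not the tweak quoted in the comment: it walks `git rev-list --all`, keeps only the added lines of each commit's diff, and greps them against a constructed, illustrative pattern list (SEDATED ships its own regex file). It assumes `git` is installed and takes the repository path as its argument.

```shell
#!/bin/sh
# Added example, not SEDATED's own code. Scans every commit reachable from any
# ref for added lines that look like secrets. Assumes git is installed.

# scan_history <repo_dir>
# Prints "commit:file:added-line" for each match; returns 1 if anything matched.
scan_history() {
  repo="$1"
  pat_file=$(mktemp) || return 2
  # Constructed, illustrative patterns only; not SEDATED's regex set.
  cat >"$pat_file" <<'EOF'
AKIA[0-9A-Z]{16}
-----BEGIN [A-Z ]*PRIVATE KEY-----
(password|passwd|secret)[[:space:]]*[=:][[:space:]]*[^[:space:]]{8,}
EOF
  hits=0
  for commit in $(git -C "$repo" rev-list --all); do
    # --unified=0 keeps only changed lines; --format= drops the commit header.
    # awk tags each added line with the commit and the file named on the
    # preceding "+++ b/<path>" line; grep then applies the pattern list.
    # (Merge commits appear as combined diffs; their "+" lines are scanned too.)
    matches=$(git -C "$repo" show --format= --no-color --unified=0 "$commit" |
      awk -v c="$commit" '
        /^[+][+][+] / { f = substr($0, 7); next }
        /^[+]/        { print c ":" f ":" substr($0, 2) }' |
      grep -iE -f "$pat_file" || true)
    if [ -n "$matches" ]; then
      printf '%s\n' "$matches"
      hits=$((hits + 1))
    fi
  done
  rm -f "$pat_file"
  [ "$hits" -eq 0 ]
}
```

Run it from anywhere as `scan_history /path/to/repo`; a non-zero exit means at least one commit in history added a matching line.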

@SimeonCloutier is this a feature you would want to be part of SEDATED? The way I implemented it is not ideal, and I'm sure y'all would know how to implement it better than I have here. I can see SEDATED scanning through existing commits and allowing users to clean up their git history (outside of SEDATED), then, once their repo is cleaned up, add SEDATED to their workflow to avoid future secrets from getting into the code.

Asuza avatar Jul 28 '20 15:07 Asuza

@Asuza this looks like a great idea! We would need to ensure this would be compatible with Windows/Mac/Linux machines as well. In your PR can you also document what this does and does not scan i.e. tags/PRs/branches/etc.

As a note, during our testing we have discovered there are different versions of grep out there and that can produce different results. This was one of the reasons we created the extensive regression testing suite. If you haven't already, we recommend utilizing that testing suite to validate you can still get accurate results on host machines prior to raising a pull request for this feature.

Love the idea though! Looking forward to your PR 😊

d3jk avatar Jul 29 '20 16:07 d3jk