security-deriv/deployment_Precommit

Pending
  1. Change endpoint on server to some random value
  2. Add all office IPs to security group

Pre-Commit Deployment

App Server Request

  1. Mac - Check if trufflehog/brew is installed

     ```bash
     curl -X POST -d "serial_number=$SERIAL_NUMBER&username=$user&brew_installed=<Error Message | none>&trufflehog_installed=<Error Message | none>" https://REPLACE_WITH_ELB:8443/mac-<replace with random endpoint> -k -H "Authorization: token"
     ```

     Parameters:
     - `serial_number` - Mac serial number
     - `username` - Mac username
     - `brew_installed` - Error code `BREW_NOT_INSTALLED`; if present, an alert is sent to Slack
     - `trufflehog_installed` - Error code `TRUFFLEHOG_NOT_INSTALLED`; if present, an alert is sent to Slack
  2. Mac - Send test log to server

     ```bash
     curl -X POST -d "serial_number=$SERIAL_NUMBER&username=$user&test_log_md5=<Insert md5 hash test log>" https://REPLACE_WITH_ELB:8443/mac-test-log-<replace with random endpoint> -k -H "Authorization: token"
     ```

     Parameters:
     - `serial_number` - Mac serial number
     - `username` - Mac username
     - `test_log_md5` - MD5 hash of the test log file
  3. Mac - Send pre-commit deployment log to server

     ```bash
     curl -X POST -d "serial_number=$SERIAL_NUMBER&user_log_base64=<Insert Base64 user log>" https://REPLACE_WITH_ELB:8443/mac-log-<replace with random endpoint> -k -H "Authorization: token"
     ```

     Parameters:
     - `serial_number` - Mac serial number
     - `user_log_base64` - Base64 of the deployment log

Documentation

  1. Pre-commit & Pre-push installation
  2. Pre-commit Deployment tracker
  3. Pre-commit Dev Form

Scripts

  1. Trufflehog Installation
  2. Trufflehog Installation - Github Gist
  3. Pre-commit hook
  4. Deployment Script

QA Box Inventory List

  1. Inventory List

Deployment Plan

Overview

  1. Linux deployment - Jumpcloud
  2. MacOS deployment - Kandji
  3. Main slack channel - #temp_precommit_hooks_plan
  4. Create a Slack channel per team, temp_precommit_deployment_{TEAM_NAME}, to communicate with that team
  5. A Python server will be set up to receive deployment status from the deployment script
    • Fail condition:
      • Once deployed, a pre-commit test run is performed on https://github.com/harish-deriv/fake_repo_TEST9, which has a secret in it
      • If no secret is detected, send a POST request to the Python server.
      • Note: due to the default users (i.e. root and deriv), false positives would occur
  6. The deployment would need to be modified depending on the dev's environment
  7. Set up an AWS instance for the Python server
    • Used to receive logs from the deployment script

Configurations

  1. The pre-commit bash script would be hosted on a public repository.
  2. The main pre-commit file would fetch the bash script through curl and pipe the output to /bin/bash.
  3. Reasons:
    • This makes maintaining the pre-commit hook much easier, as future updates only require updating the repository.

QA Environment Deployment Plan

  1. Devs are developing and pushing code through the QA Box instead of their local machines
  2. Add pre-commit configuration to QA Box chef code

Edge Cases

  1. If there are secrets in a brand new git repository (one with no commits yet), trufflehog would not pick up the secrets.
    • One workaround is to run `git log` on the repo; if there are no commits it returns exit code 128 instead of 0
    • If it is a new repo, use `trufflehog filesystem .` instead of `trufflehog git file://.`
    • This logic can be added to the pre-commit file
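The following is an added example of that pre-commit logic, written for this page rather than taken from the project's hook script: it maps the `git log` exit status onto the new-repository edge case, picks `trufflehog filesystem .` or `trufflehog git file://.` accordingly, and blocks the commit when findings come back. It assumes trufflehog v3 on PATH, where `--json` prints one finding per line and `--fail` makes the process exit with status 183 when anything is found; the 128 from `git log` is the value the page states.

```python
"""Pre-commit scan step covering the no-commits edge case (added example, not project code)."""
import subprocess
import sys

TRUFFLEHOG_FOUND_EXIT = 183  # trufflehog v3 `--fail` exit status when results exist (assumed)
GIT_NO_COMMITS_EXIT = 128    # `git log` exit status in a repository with no commits


def repo_has_commits(git_log_returncode: int) -> bool:
    """Only a clean `git log` (exit 0) proves there is history to scan; 128 means a fresh repo.
    Any other failure is also treated as 'no history' so the scan falls back to the filesystem."""
    return git_log_returncode == 0


def scan_command(has_commits: bool) -> list:
    """Git-history scan for an established repo, filesystem scan for a repo with no commits."""
    if has_commits:
        return ["trufflehog", "git", "file://.", "--json", "--fail"]
    return ["trufflehog", "filesystem", ".", "--json", "--fail"]


def secrets_found(returncode: int, stdout: str) -> bool:
    """True when trufflehog signalled findings via exit 183 or printed any JSON result lines."""
    if returncode == TRUFFLEHOG_FOUND_EXIT:
        return True
    return any(line.strip().startswith("{") for line in stdout.splitlines())


def run(argv: list):
    """Run a command and return (exit status, stdout)."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, proc.stdout


def main() -> int:
    rc, _ = run(["git", "log", "-1", "--oneline"])
    scan_rc, out = run(scan_command(repo_has_commits(rc)))
    if secrets_found(scan_rc, out):
        print("pre-commit: trufflehog found possible secrets; commit blocked", file=sys.stderr)
        print(out, file=sys.stderr)
        return 1  # non-zero exit aborts the commit
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The decision functions are kept free of subprocess calls so the 0 / 128 mapping and the exit-183 handling can be checked without a git repository or trufflehog present.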
