SEDATED® Project (Sensitive Enterprise Data Analyzer To Eliminate Disclosure)
The SEDATED® Project (Sensitive Enterprise Data Analyzer To Eliminate Disclosure) focuses on preventing sensitive data such as user credentials and tokens from being pushed to Git.
With the myriad of code changes required in today's CI/CD environments, developers are constantly pushing code that could unintentionally contain sensitive information. This potential sensitive data exposure represents a huge risk to organizations (2017 OWASP Top Ten #3 - Sensitive Data Exposure). SEDATED® addresses this issue by automatically reviewing all incoming code changes and providing instant feedback to the developer. If it identifies sensitive data, it will prevent the commit(s) from being pushed to the Git server.
**NOTE:** ONLY lines being added or modified (beginning with `+` in the patch file) in commit pushes are scanned by SEDATED®. Lines that are being removed (beginning with `-` in the patch file) in commit pushes are NOT scanned by SEDATED®.
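As an added illustration (not code from the SEDATED® project), the Python below shows the scanning model the note describes: only `+` lines of a unified diff are examined, the `+++` file header is excluded, and matches are masked in the spirit of `obfuscate_output_custom`. The regex list and the diff are constructed samples, and Python's `re` stands in for the hook's PCRE matching.

```python
import json
import re

# Constructed regexes in the style of config/regexes.json (assumed to be a JSON
# list of pattern strings); these are NOT SEDATED's actual regex set.
REGEXES_JSON = r'''[
  "(?i)(password|passwd|pwd)\\s*[=:]\\s*[\"'][^\"']{6,}[\"']",
  "-----BEGIN (RSA|EC|DSA|OPENSSH) PRIVATE KEY-----"
]'''
REGEXES = [re.compile(p) for p in json.loads(REGEXES_JSON)]

# Constructed unified diff: a removed secret (never scanned), an added secret
# (flagged) and a harmless added line.
SAMPLE_DIFF = """\
diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1,2 +1,3 @@
 DEBUG = False
-DB_PASSWORD = "oldhunter22"
+DB_PASSWORD = "newhunter33"
+TIMEOUT = 30
"""

def added_lines(diff_text):
    """Yield (diff_line_no, content) for lines the push adds: '+' lines,
    excluding the '+++ b/file' header, which also starts with '+'."""
    for n, line in enumerate(diff_text.splitlines(), 1):
        if line.startswith("+") and not line.startswith("+++ "):
            yield n, line[1:]

def mask(text, match, keep=4):
    """Keep the first `keep` characters of the match and star out the rest,
    so the rejection message does not echo the whole secret to the terminal."""
    s, e = match.span()
    hit = text[s:e]
    return text[:s] + hit[:keep] + "*" * max(0, len(hit) - keep) + text[e:]

def scan_diff(diff_text, obfuscate=True):
    """Return [(diff_line_no, display_line)] for every added line that matches
    a regex; a non-empty result means the push would be rejected."""
    hits = []
    for n, content in added_lines(diff_text):
        for rx in REGEXES:
            m = rx.search(content)
            if m:
                hits.append((n, mask(content, m) if obfuscate else content))
                break  # one report per line is enough to reject the push
    return hits
```

With the sample diff, only the added `DB_PASSWORD` line is reported; the removed `oldhunter22` line is never examined, exactly as the note states.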
Getting started:

1. Clone the repository:

   ```
   git clone https://github.com/OWASP/SEDATED.git
   cd SEDATED/
   ```

2. Copy the `.example` files:

   ```
   cp /config/whitelists/commit_whitelist.txt.example /config/whitelists/commit_whitelist.txt
   cp /config/whitelists/repo_whitelist.txt.example /config/whitelists/repo_whitelist.txt
   cp /config/enforced_repos_list.txt.example /config/enforced_repos_list.txt
   ```

3. Customize the `/config/custom_configs.sh` variables and functions (as desired).

4. Push the organization-specific implementation of SEDATED® to the organization's desired Git repository (GitHub, GitLab, Git, etc...).

5. Install the `pre-receive.sh` file as the pre-receive hook. Instructions for accomplishing this on a GitHub Enterprise instance can be found in GitHub_Enterprise_Setup.md. The `always_reject.sh` script will need to be replaced with the SEDATED® `pre-receive.sh` script.
`/config/custom_configs.sh`

The `/config/custom_configs.sh` file allows organizations to customize their SEDATED® implementation without having to modify any of the source code within SEDATED®'s `pre-receive.sh` file, by providing built-in customizable variables and functions that are sourced from `pre-receive.sh`.
`/config/enforced_repos_list.txt`

The `/config/enforced_repos_list.txt` file is only used when the `use_enforced_repo_check_custom` flag in `config/custom_configs.sh` is set to "True". Add `/*` to the end of the organization or username where enforcement is desired. When a repository is not listed in the `/config/enforced_repos_list.txt` file, the pusher (if pushing from the command line) will see a customizable message (customize via the `/config/custom_configs.sh` file) and SEDATED® will NOT scan any of the code included in the push.

The `use_enforced_repo_check_custom` flag lives in `/config/custom_configs.sh` and is set to "True" or "False". Repositories listed in `/config/enforced_repos_list.txt` will have SEDATED® "enforced" on them. All other repositories with SEDATED® "enabled" but not listed in the `/config/enforced_repos_list.txt` file will only see a custom message displayed; no code will be scanned for pushes from those repositories. This applies only when the `use_enforced_repo_check_custom` flag in `config/custom_configs.sh` is set to "True".

`/config/regexes.json`
The `/config/regexes.json` file holds the regular expressions used by `pre-receive.sh` (applied with the `-P` flag, making them Perl-compatible regular expressions (PCREs)). When regexes are added or changed, the `/testing/regex_testing/test_cases.txt` file will need to be updated by adding or removing the test cases pertaining to the updated regexes so the results from the `/testing/regex_testing/regex_test_script.sh` script will be accurate. Additional escaping with `\` may be needed depending on the desired regexes since this file is in JSON format.

`/config/whitelists/commit_whitelist.txt`
The format follows the `/config/whitelists/commit_whitelist.txt.example` file. Entries are added to the `commit_whitelist.txt` file when developers encounter false positives so they can be reviewed.

`/config/whitelists/repo_whitelist.txt`

The format follows the `/config/whitelists/repo_whitelist.txt.example` file.

`/testing/regex_testing/regex_test_script.sh`
Running `/testing/regex_testing/regex_test_script.sh` with `testing/regex_testing/test_cases.txt` is a simple, quick, offline way to test/validate that the regular expressions inside `config/regexes.json` are valid and matching the desired patterns as well as excluding/not matching as desired. The script checks each regex against the strings in `/testing/regex_testing/test_cases.txt` to verify the regexes are working as expected (using the `-P` flag, as the hook does).

Each line in `/testing/regex_testing/test_cases.txt` is written for `/testing/regex_testing/regex_test_script.sh` to consume and has `>>pass` or `>>fail` appended to it; these let the `/testing/regex_testing/regex_test_script.sh` script know the expectation for the regexes.

- `>>pass` means a push containing the preceding string will be accepted by SEDATED® (i.e. regexes will NOT flag the preceding string).
- `>>fail` means a push containing the preceding string will be rejected by SEDATED® (i.e. regexes will flag the preceding string).
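As an added example (not code from the SEDATED® repository, whose own checker is `regex_test_script.sh`), the Python below reads regexes from a constructed JSON list and test cases in the `>>pass` / `>>fail` format, reports every string whose outcome disagrees with its suffix, and also flags lines that lack a suffix. Python's `re` stands in for the script's PCRE matching, and skipping blank lines is an assumption.

```python
import json
import re

# Constructed regexes in the style of config/regexes.json (assumed to be a JSON
# list of pattern strings); these are NOT SEDATED's actual regex set.
REGEXES_JSON = r'''[
  "(?i)(password|passwd|pwd)\\s*[=:]\\s*[\"'][^\"']{6,}[\"']",
  "-----BEGIN (RSA|EC|DSA|OPENSSH) PRIVATE KEY-----"
]'''
# Constructed test cases in the >>pass / >>fail format of test_cases.txt. Line 5
# expects a pass but the password regex catches it; line 6 has no suffix at all.
TEST_CASES = """\
password = "correct-horse-battery"  >>fail
password = ""  >>pass

-----BEGIN RSA PRIVATE KEY----->>fail
pwd: 'secret' >>pass
This line has no suffix
"""
def load_regexes(text):
    return [re.compile(p) for p in json.loads(text)]

def parse_cases(text):
    """Return [(line_no, string, expected)]; expected is 'pass', 'fail' or
    'malformed' when the >>pass / >>fail suffix is missing. Blank lines are
    skipped (an assumption; the README does not say how they are treated)."""
    cases = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line:
            continue
        head, sep, tail = line.rpartition(">>")
        if sep and tail in ("pass", "fail"):
            cases.append((n, head.rstrip(), tail))
        else:
            cases.append((n, line, "malformed"))
    return cases

def run_cases(regexes, cases):
    """Return [(line_no, string, expected, actual)] for every disagreement."""
    problems = []
    for n, s, expected in cases:
        if expected == "malformed":
            problems.append((n, s, expected, "missing >>pass/>>fail"))
            continue
        actual = "fail" if any(rx.search(s) for rx in regexes) else "pass"
        if actual != expected:
            problems.append((n, s, expected, actual))
    return problems
```

A `>>pass` string that a regex does match is reported as a disagreement rather than silently accepted, which is the case to look for after tightening a regex.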
Custom variables and functions are designed to allow organizations to easily customize their own specific implementation of SEDATED® without altering the main pre-receive hook file that does all the heavy lifting. All custom variables and functions can be found in `/config/custom_configs.sh` and the explanations of the variables contained in this file are listed below.
- `show_SEDATED_link_custom` - "True" to display the link to the OWASP/SEDATED GitHub repository (case-sensitive), otherwise set to "False".
- `documentation_link_custom` - Add a link to organization-specific documentation on how the organization would like developers to handle rejected pushes and/or general organization-specific information regarding SEDATED®.
- `use_enforced_repo_check_custom` - "True" or "False" (case-sensitive). See `/config/enforced_repos_list.txt` for more details on the meaning of this flag.
- `enforced_repo_check_true_message_custom` - Replace with a custom message (only necessary if `use_enforced_repo_check_custom` is set to "True").
- `obfuscate_output_custom` - "True" or "False" (case-sensitive). Use this option to mask sensitive data displayed in the output of SEDATED®.
- `SET_USER_REPO_NAME_CUSTOM`
- `PRINT_ERROR_MESSAGE_CUSTOM`
- `EXIT_SEDATED_CUSTOM`: defaults to "do nothing" as an additional action, and is not required to be changed.
- `UNABLE_TO_ACCESS_REPO_WHITELIST_CUSTOM`: defaults to "do nothing" as an additional action, and is not required to be changed.
- `PUSH_ACCEPTED_CUSTOM`: defaults to "do nothing" as an additional action, and is not required to be changed.
- `UNABLE_TO_ACCESS_REGEXES_CUSTOM`: defaults to "do nothing" as an additional action, and is not required to be changed. SEDATED® will `exit 1` and print an error message if unable to access the regexes; however, an additional custom action may be performed in these cases if desired (i.e. print an additional error message, log, send a metric, etc...).
- `PUSH_REJECTED_WITH_VIOLATIONS_CUSTOM`: defaults to "do nothing" as an additional action, and is not required to be changed.
- `UNABLE_TO_ACCESS_COMMIT_WHITELIST_CUSTOM`: defaults to "do nothing" as an additional action, and is not required to be changed.

Only compatible with SCM tools that utilize the Git version control system.
`SET_USER_REPO_NAME_CUSTOM` will be required to set the user/org and repo name.

Copy the SEDATED® files into the repository's `.git/hooks/` directory (except documentation folder/files). Remove `.sample` from `pre-receive.sample` and copy the code from SEDATED®'s `pre-receive.sh` file into the `pre-receive` file we just made from the `.sample` file. `SET_USER_REPO_NAME_CUSTOM` will likely be required to set the user/org and repo name.

You can contribute in either of the following ways:
SEDATED® is licensed under the BSD 3-Clause "New" or "Revised" License.
**SEDATED® is not guaranteed to flag every instance of hard-coded credentials, keys, secrets, etc... It uses regex pattern matching, and though it has gotten pretty good at catching most instances it is not perfect, but we are always open to ideas and/or pull requests to help make SEDATED® even better.**