This folder contains examples for implementing AWSLabs git-secrets, our default tool for secrets scanning. As with any default, we expect teams to resolve any caveats as they see fit, and of course to contribute back to these examples.
Although we might be re-stating the obvious here, there are two main goals to consistent secrets scanning:
- Remove any secrets that may have been checked into the codebase in the past.
- Prevent any new secrets from making it into the codebase.
In short, we want to avoid the NHS facing potentially serious consequences from exposed secrets.
If your team isn't doing secrets scanning at all yet, the fundamental first step is to understand the current state of your repositories. Use the Macbook or Windows (coming soon...) guides to set up and run git-secrets for a nominated team member. Run the tooling, and ascertain whether there are any immediate actions to be taken: a real credential found anywhere in the history must be treated as compromised and rotated, whatever else you do with the history.
Once you've verified there are no urgent actions on your code, the next steps towards getting to green are:
- Ensure every team member is doing local scans. Stopping secrets before code has been committed is cheap; removing them from git history is expensive, and does not undo the exposure.
- Run these same scans as part of your deployment pipelines as a second line of defence, so that a commit made on a machine without the hook installed is still caught before it is deployed.
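The following is an added example, not code from AWSLabs git-secrets or from this repository, showing what the local pre-commit check and the pipeline scan are actually doing. It models the match-then-allow logic of git-secrets on the added lines of a staged diff: a line is reported if it matches a prohibited pattern and no allowed pattern. The prohibited and allowed patterns are modelled on the ones `git secrets --register-aws` installs; the diff, the key-like strings in it and the function names are all constructed for this example.

```python
"""Minimal model of a git-secrets style pre-commit check.

Added example: not code from AWSLabs git-secrets or from this repository.
Patterns are modelled on those `git secrets --register-aws` installs; the
diff below and every key-like value in it are constructed, not real.
"""
import re

# Prohibited patterns (modelled on `git secrets --register-aws`).
PROHIBITED = [
    # AWS access key ID: known four-letter prefix plus 16 upper-case/digits.
    re.compile(r"(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}"),
    # A 40-character secret assigned to something named like a key variable.
    re.compile(r"(\"|')?(AWS|aws|Aws)?_?(SECRET|secret|Secret)?_?(ACCESS|access|Access)?"
               r"_?(KEY|key|Key)(\"|')?\s*(:|=>|=)\s*(\"|')?[A-Za-z0-9/+=]{40}(\"|')?"),
    # A 12-digit value assigned to something named like an account ID.
    re.compile(r"(\"|')?(AWS|aws|Aws)?_?(ACCOUNT|account|Account)_?(ID|id|Id)?(\"|')?"
               r"\s*(:|=>|=)\s*(\"|')?[0-9]{4}-?[0-9]{4}-?[0-9]{4}(\"|')?"),
]

# Allowed patterns: a line matching one of these is never reported, even if it
# also matches a prohibited pattern. These two are the AWS documentation
# example keys, which git-secrets allows by default for exactly this reason.
ALLOWED = [
    re.compile(r"AKIAIOSFODNN7EXAMPLE"),
    re.compile(r"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"),
]

# Constructed staged diff (what `git diff --cached` might print). The two
# non-example values are made up and are not real credentials.
STAGED_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,2 +1,6 @@
 DEBUG = False
+# Example values from the AWS docs (allowed by the hook):
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+aws_access_key_id = "AKIAIDEADBEEF0123456"
+AWS_SECRET_ACCESS_KEY = "abcdefghijklmnopqrstuvwxyz0123456789ABCD"
-ACCOUNT_ID = "123456789012"
"""


def added_lines(diff_text):
    """Yield (line number within the diff, content) for lines the diff adds.

    Only '+' lines matter for a pre-commit check: a removed line ('-') takes a
    secret out of the tree, and the '+++' file header is not content.
    """
    for n, raw in enumerate(diff_text.splitlines(), start=1):
        if raw.startswith("+") and not raw.startswith("+++"):
            yield n, raw[1:]


def is_allowed(line):
    """True if the line matches any allowed pattern."""
    return any(p.search(line) for p in ALLOWED)


def scan(diff_text):
    """Return [(diff line number, content)] for added lines that match a
    prohibited pattern and no allowed pattern."""
    findings = []
    for n, line in added_lines(diff_text):
        if any(p.search(line) for p in PROHIBITED) and not is_allowed(line):
            findings.append((n, line))
    return findings


def pre_commit(diff_text):
    """Exit status a pre-commit hook would return: 0 lets the commit proceed,
    1 blocks it and reports each offending line."""
    findings = scan(diff_text)
    for n, line in findings:
        print(f"[ERROR] possible secret at diff line {n}: {line}")
    if findings:
        print("Commit blocked. Remove the secret, or if it is a false positive "
              "add an allowed pattern (git secrets --add --allowed '...').")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(pre_commit(STAGED_DIFF))
```

Run as a script it blocks the constructed commit on the two made-up values (diff lines 9 and 10) and lets the two documentation example keys through. The same `scan` over every commit's diff is what a history scan does, and running it in a pipeline catches a push from a machine where the hook was never installed. With the real tool the equivalents are `git secrets --install` and `git secrets --register-aws` in each clone, `git secrets --add` for team-specific patterns, and `git secrets --scan-history` for the one-off check of the existing history.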