Code reviews are hard to do well. Particularly when youโre not entirely sure about the errors you should be looking for! The DevSecOps approach pushes security testing left so that vulnerabilities can be found and fixed earlier, in the design, development, or CI/CD stages of the workflow. Itโs always a good idea to check for security issues in code that you review. In case you donโt know what to look for, check out this series to give you pointers for your next code reviews!
Never store secrets as code/config
Itโs all too easy to store credentials, tokens or other secrets as variables or constants, because hey โ weโre just testing it to make sure itโs working. But just as easily this code makes its way into your code repository because you forgot to remove it. We urge you to make sure thereโs nothing sensitive in the code you look through. If youโre using a git-based code repository, there are a bunch of great tools available, like git-secrets, that can statically analyze your commits, via a pre-commit Git Hook, to ensure youโre not trying to push any passwords or sensitive information into your repo. Commits are rejected if the tool matches any of the configured regular expression patterns indicating that sensitive information has been stored improperly. This may slow down pushes a tiny bit, but itโs well worth it.
Having team-wide rules that prevent credentials from being stored as code is a great way to monitor bad actions in the existing developer workflow. Use tools like Vault to help manage your secrets when in production. Lastly, consider using an identity and user management toolchain, like Keycloak (currently maintained by a number of developers in Red Hat) as well as others.
There are many ways to avoid putting credentials into your repository in the first place and itโs best if you tried to implement as many as you can; however, thereโs always the chance some sensitive information may sneak in. You should also consider regularly auditing your repos, making use of tools like GitRob or truffleHog, both of which scan through your codebase, searching for sensitive information via pattern matching.
Want to know more
Check the complete Secure code review cheat sheet
Top comments (0)