Lab 3: configure SSH commit signing and implement a local pre-commit hook#441

Open
blxxdclxud wants to merge 8 commits into inno-devops-labs:main from blxxdclxud:feature/lab3

Conversation

@blxxdclxud
Goal

Complete Lab 3 tasks: configure SSH commit signing and implement a local pre-commit hook that blocks commits containing secrets.

Changes

  • labs/submission3.md — Lab 3 submission documenting:
    • SSH key generation, git signing config (gpg.format=ssh, commit.gpgSign=true), and analysis of why commit signing matters in DevSecOps supply chain context
    • Pre-commit hook setup, real test output showing Gitleaks blocking a commit with a fake RSA private key, and clean commit passing through
  • .git/hooks/pre-commit — Hook script (from lab spec) that:
    • Collects staged files, separates lectures/ from everything else
    • Runs TruffleHog (Docker) on non-lectures files for verified/unverified credential detection
    • Runs Gitleaks (Docker) per-file for pattern-based secret detection
    • Blocks commit on any secret found outside lectures/; allows with warning if only in lectures/ (educational content)

Testing

  • Local testing performed
  • Verified hook blocks commit when a fake RSA private key is staged (Gitleaks: WRN leaks found: 1, exit 1)
  • Verified hook passes on a clean staged file (both scanners: exit 0)
  • Verified submission3.md itself passes the hook scan before committing

Artifacts & Screenshots

Blocked commit output (Gitleaks catches fake RSA key):

[pre-commit] Scanning test_fake_key.txt with Gitleaks...
RuleID:      private-key
Entropy:     4.867224
1:27PM WRN leaks found: 1
✖ COMMIT BLOCKED: Secrets detected in non-excluded files.

Clean commit output:

[pre-commit] ✓ TruffleHog found no secrets in non-lectures files
[pre-commit] No secrets found in clean_test.txt
✓ No secrets detected in non-excluded files; proceeding with commit.

Checklist

  • Task 1 done — SSH commit signing setup
  • Task 2 done — Pre-commit secrets scanning setup

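The Task 2 hook flow described in the Changes list (collect staged files, split lectures/ from the rest, block on a hit outside lectures/, warn only inside it), as an added offline example that is not the lab's hook and not the PR author's script. The Docker-based TruffleHog and Gitleaks calls are replaced here by a small grep pattern set standing in for the scanners' private-key and token rules; the pattern list, file names and sample contents are constructed for the example, and the "key" is not a real key.

```shell
#!/bin/sh
# Added example, not the lab's hook; swaps the Docker scanners for grep so it runs offline.
set -eu

# Tiny stand-in for the scanner rule sets (assumption: a subset of what
# Gitleaks' private-key / AWS / GitHub-token rules match). One pattern per line;
# grep treats a newline-separated pattern list as alternatives.
SECRET_PATTERNS='-----BEGIN [A-Z ]*PRIVATE KEY-----
AKIA[0-9A-Z]{16}
ghp_[A-Za-z0-9]{36}'

# Print the names of staged files whose *staged* content matches a pattern.
# Reads the index (git show :path) rather than the worktree, so an unstaged
# edit cannot hide a secret that is about to be committed.
find_hits() {
    repo=$1
    git -C "$repo" diff --cached --name-only --diff-filter=ACM -z |
    tr '\0' '\n' |
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        # -e is required: the first pattern starts with "-" and would be read as an option.
        if git -C "$repo" show ":$f" | grep -Eq -e "$SECRET_PATTERNS"; then
            printf '%s\n' "$f"
        fi
    done
}

# Hook decision: exit 0 to allow, 1 to block. Hits under lectures/ only warn,
# mirroring the lab's educational-content exception.
pre_commit_check() {
    repo=$1
    hits=$(find_hits "$repo")
    warn=$(printf '%s\n' "$hits" | grep '^lectures/' || true)
    bad=$(printf '%s\n' "$hits" | grep -v '^lectures/' | grep -v '^$' || true)
    [ -z "$warn" ] || printf '[pre-commit] WARNING: secret-like content in lectures/ (allowed): %s\n' "$warn"
    if [ -n "$bad" ]; then
        printf '[pre-commit] secret pattern in: %s\n' "$bad"
        echo '✖ COMMIT BLOCKED: Secrets detected in non-excluded files.'
        return 1
    fi
    echo '✓ No secrets detected in non-excluded files; proceeding with commit.'
}

# Build a throwaway repo with the kinds of file the hook must distinguish.
# All contents are constructed for the example.
make_demo_repo() {
    repo=$(mktemp -d)
    git init -q "$repo"
    git -C "$repo" -c user.name=demo -c user.email=demo@example.com \
        -c commit.gpgSign=false commit -q --allow-empty -m init
    mkdir -p "$repo/lectures" "$repo/src"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIEfakefakefakefake' \
        '-----END RSA PRIVATE KEY-----' > "$repo/test_fake_key.txt"
    printf 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n' > "$repo/src/config.py"
    printf '# Slide: what a leaked key looks like\n-----BEGIN RSA PRIVATE KEY-----\n' \
        > "$repo/lectures/week3.md"
    printf 'nothing to see here\n' > "$repo/clean_test.txt"
    echo "$repo"
}

# Stage exactly the given paths (clearing previous staging) and run the hook logic.
# Usage: check_staged <repo> <path>...   -> returns the hook's exit status
check_staged() {
    repo=$1; shift
    git -C "$repo" reset -q --
    git -C "$repo" add -- "$@"
    pre_commit_check "$repo"
}
```

To use it as a real hook, install `pre_commit_check "$(git rev-parse --show-toplevel)"` as `.git/hooks/pre-commit`; note that `.git/hooks/` is not versioned, so a teammate cloning the repo gets no hook unless `core.hooksPath` points at a tracked directory. Scanning the index instead of the worktree is the one change worth carrying over to the Docker-based hook: a scanner that mounts the working directory will also flag secrets in files that are not staged and, worse, will miss a staged secret that has since been removed from the worktree copy.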
