Skip to main content

A tool for managing secrets in Git with AWS Parameter Store integration.

Project description

git-secret-protector

spartan-git-secret-protector is a Python-based CLI tool designed to securely manage and protect sensitive files in your Git repositories. It integrates with AWS Parameter Store to encrypt and decrypt secrets, ensuring that your sensitive data remains secure throughout your development process.

Features

  • AES Key Management: Securely create, manage, and rotate AES data keys using AWS Parameter Store.
  • File Encryption/Decryption: Automatically encrypt and decrypt files in your repository based on patterns defined in the .gitattributes file.
  • Cache Management: Cache AES data keys locally to improve performance and reduce redundant calls to AWS Parameter Store.
  • Git Hooks Integration: Integrates with Git hooks to automatically manage secrets during Git operations.
  • Logging: Configurable logging for detailed tracking of operations and errors.

Install Guide

Requirements

You can install the git-secret-protector module via pipx:

pipx install git-secret-protector

Usage

1. Initial Setup

Set up AES key

Before using the tool, ensure you have the necessary AWS permissions to manage AWS MKS & SSM.

git-secret-protector init <filter_name>

NOTE: Perform this setup once per repository during initial configuration.

2. Configure Git Filters

onfigure the Git clean and smudge filters for the specified filter name

git-secret-protector init <filter_name>

3. Pull AES Key and IV

Before encrypting or decrypting files, it's necessary to retrieve the relevant AES keys from the AWS Parameter Store for specific filters:

git-secret-protector pull-aes-key <filter_name>

This command fetches the latest AES data key and IV from AWS Parameter Store for the designated filter and caches them locally for subsequent operations. This step ensures that you have the correct keys for encryption or decryption tasks related to the specified filter.

4. Key Rotation

Command to Rotate Keys

git-secret-protector rotate-key <filter_name>

This command will generate a new AES data key in AWS Parameter Store, re-encrypt your files associated with the specified filter with the new key, and update the local cache.

Post-Rotation Code Reset

After rotating the keys, it is necessary to clear the Git cache and re-checkout all files. This step ensures that the smudge filters are triggered, allowing the files to be decrypted with the new key.

# Remove all files from the index to clear the Git cache
git rm --cached -r .

# Force Git to re-checkout all files, triggering smudge filters
git reset --hard

5. View Encryption Status

Command to obtain a comprehensive overview of the encryption status of files within the repository:

git-secret-protector status

Configuration

All configurations are managed through a config.ini file located in the .git-secret-protector directory. You can customize the following settings:

  • Logging: Configure the log file path and rotation settings.
  • Module Name: Specify a custom module name for organizing keys in AWS Parameter Store.

Example .gitattributes File

Define which files to encrypt in your .gitattributes file:

secrets/*.tfstate filter=sample-app diff=sample-app
config/**/credentials/* filter=sample-shared diff=sample-shared

Logging

Logs are stored in the logs/ directory by default, and you can configure the log level and file rotation in the config.ini file.

Development

Running Tests

  • Unit Tests: Located in the tests/unit directory, run them using pytest.
  • Integration Tests: Located in the tests/integration directory, these tests interact with AWS Parameter Store and should be run manually.
poetry run pytest tests/unit

Changelog

See CHANGELOG.md for a history of changes and updates.

Support

If you encounter any issues or have any questions, please open an issue on the GitHub repository or reach out to our support team.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

git_secret_protector-0.4.0.tar.gz (10.1 kB view details)

Uploaded Source

Built Distribution

git_secret_protector-0.4.0-py3-none-any.whl (11.7 kB view details)

Uploaded Python 3

File details

Details for the file git_secret_protector-0.4.0.tar.gz.

File metadata

  • Download URL: git_secret_protector-0.4.0.tar.gz
  • Upload date:
  • Size: 10.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/5.1.1 CPython/3.12.5

File hashes

Hashes for git_secret_protector-0.4.0.tar.gz
Algorithm Hash digest
SHA256 3c5795f14a971786024be1d08f8b810f56d2e75403438d9eff7baf6529668e6f
MD5 be229b2f1ecee0ea11c539e1347c2699
BLAKE2b-256 7a38ef82a4e638aa6dee8a969e64aba4514349f7849c82c0f1787ce6e3d55acc

See more details on using hashes here.

File details

Details for the file git_secret_protector-0.4.0-py3-none-any.whl.

File metadata

File hashes

Hashes for git_secret_protector-0.4.0-py3-none-any.whl
Algorithm Hash digest
SHA256 cfeee4ac554760419aec53089fc28ca24924705d5fed8ecc6dbe30ef08e0c8b0
MD5 d29cef17abe161b06f1ba8026d062364
BLAKE2b-256 3800ee80aa5a0ae0bc039f75ffb7ab518d0c52c9673ccc61e466fb9f844aa2e8

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page