In this blog, we will talk more about how using git pre-commit hooks is one of the best practices in modern software development<\/a> lifecycles (SDLC).<\/strong> We will also discuss what it means to \u201cshift left\u201d as it applies to committing important files that may expose surface area or otherwise goes against policy.<\/p>\n Using git pre-commit hooks is comparable to using linting tools whose purpose is to check for correct syntax and formatting. The tool itself is a set of scripts that are kept along with the git information that is local to your PC. You can use them on multiple languages existing in the same repository. Its design allows for managing the installation and execution of the various hooks available without root access and on an as-needed basis.<\/strong><\/p>\n While this is very much something that aids in code reviews, it is also an initial part of an end-to-end solution for automated software delivery. With Infrastructure as Code (IaC), any changes in the infrastructure of a project need to consider the downstream effects. In the case of a Kubernetes manifest, this means ensuring you don\u2019t commit something like private key data to the repository.<\/p>\n Now let\u2019s look at how pre-commit hooks help you shift left.<\/strong><\/p>\n Shifting left is a practice getting a lot of attention in the software industry. OWASP stated<\/a> shifting left is geared towards keeping a pipeline and its resulting artifacts more secure. Take a Kubernetes manifest file, for example. This configuration file can expose various ports or credentials you should not commit to code. You can check these against policy with tools like git pre-commit hooks, similar to how developers use code linting tools.<\/p>\n By shifting left, teams can find and prevent issues much earlier in the SDLC process. This method is useful for finding quality, security and policy issues as early as possible.<\/strong> Enforcing these checks prior to reaching the codebase can prevent developers from using offending code in additional feature branches.<\/p>\n If a developer is not careful, they may inadvertently create more attack surface area for an application due to modifications done to the manifest file. These files, along with other files that hold settings, control much of the infrastructure or permissions used by an application. In many cases, the negative effects of these changes are not found until further down the line. Sometimes, even after being deployed to a production environment.<\/strong><\/p>\n This increased ability to have more surface area available for miscellaneous attacks is the drawback of giving those who may not have security at the top of mind more control. Using tools such as git pre-commit hooks allows for a quick pass over these critical configuration files to help with security. Injecting a git pre-commit hook into a development workflow can help surface these issues well before they are deployed to your various environments.<\/p>\n Prior to using pre-commit hooks, you should choose one of the methods of installation based on your development environment. In this example, we will look at an application that we will run inside a Kubernetes cluster.<\/p>\n To begin, we will install pre-commit using \u201cpip\u201d with the following command:<\/p>\n $ pip install pre-commit<\/strong><\/p>\n To verify it was installed, run the following:<\/p>\n $ pre-commit \u2013version<\/strong><\/p>\n An additional file called .pre-commit-config.yaml will be added to your project by running:<\/p>\n $ pre-commit sample-config > .pre-commit-config.yaml<\/strong><\/p>\n This basic configuration file has examples of commonly used hooks, but we want to ensure we install the hook that checks for the presence of a private key. Open the .pre-commit-config.yaml<\/strong> file and add the hook at the bottom:<\/p>\n Running pre-commit install results in creating the scripts to add the hooks to your project.<\/p>\n $ pre-commit install<\/strong><\/p>\n Once you complete these steps, a commit results in the pre-commit scripts running without any other actions needed by the developer.<\/p>\n Let us look at an example k8s_manifest.yaml file with a private key we do not want committed to code. The next command will scan the entire codebase. This ensures all the files are checked against the implemented rules.<\/p>\n In our example, since there is an RSA Private Key inside the manifest, our hook installed for \u201cdetect-private-key” will force a non-zero exit code.<\/p>\nGit Pre-commit Hooks, Defined<\/h2>\n
Why Shifting Left is the Right Direction<\/h2>\n
Keeping Things in Check<\/h2>\n
A Look at Git Pre-commit Hooks in Action<\/h2>\n
![\"Pre](\"https:\/\/centricconsulting.com\/wp-content\/uploads\/2022\/03\/Screen-Shot-2022-03-25-at-8.59.31-AM-1024x375.png\")
<\/a><\/p>\n![\"pre](\"https:\/\/centricconsulting.com\/wp-content\/uploads\/2022\/03\/Screen-Shot-2022-03-25-at-8.59.57-AM.png\")
<\/a><\/p>\n
![\"PRE-GIT](\"https:\/\/centricconsulting.com\/wp-content\/uploads\/2022\/03\/Screen-Shot-2022-03-25-at-9.00.14-AM.png\")
<\/a><\/p>\n