
The SEDATED® Project (Sensitive Enterprise Data Analyzer To Eliminate Disclosure) focuses on preventing sensitive data such as user credentials and tokens from being pushed to Git.

Table of Contents

<a id="purpose">Purpose</a>

With the myriad of code changes required in today's CI/CD environment, developers are constantly pushing code that could unintentionally contain sensitive information. This potential sensitive data exposure represents a huge risk to organizations (2017 OWASP Top Ten #3 - Sensitive Data Exposure). SEDATED® addresses this issue by automatically reviewing all incoming code changes and providing instant feedback to the developer. If it identifies sensitive data, it prevents the commit(s) from being pushed to the Git server.

**NOTE:** ONLY lines being added or modified (beginning with + in the patch file) in pushed commits are scanned by SEDATED®. Lines being removed (beginning with - in the patch file) in pushed commits are NOT scanned by SEDATED®.
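As an added example (this is not the project's own pre-receive.sh, and its two patterns are illustrative stand-ins rather than entries from /config/regexes.json), the POSIX shell below applies the rule the NOTE states: only + lines of a unified diff are matched, +++ file headers and - lines are skipped, and a reviewed false positive can be allowed by listing its commit, which is the role /config/whitelists/commit_whitelist.txt plays. The patch text, whitelist content and commit ids are constructed for the example; the AKIA value on the removed line is the public AWS documentation sample key, present only to show that removed lines are ignored.

```shell
#!/bin/sh
# Added example, not SEDATED's pre-receive.sh. Demonstrates the "added lines only" scan
# rule and a commit whitelist check. Patterns and sample data are constructed/illustrative.

# Illustrative ERE for grep -E (assumption, not the project's regexes.json):
# an assigned quoted password, or an AWS-style access key id.
SECRET_PATTERNS='[Pp]ass(word|wd)?[[:space:]]*[=:][[:space:]]*["'"'"'][^"'"'"']+["'"'"']|AKIA[0-9A-Z]{16}'

# scan_added_lines PATCH_TEXT
# Prints "file:content" for every added line that matches SECRET_PATTERNS.
# "+++ " headers set the current file name, "-" and context lines are never scanned.
# Returns 1 when anything was found (a hook would reject the push), 0 otherwise.
scan_added_lines() {
  file='(unknown)'
  hits=0
  while IFS= read -r line; do
    case "$line" in
      '+++ '*) file=${line#+++ }; file=${file#b/} ;;   # new-file header, not an added line
      '+'*)    content=${line#+}
               if printf '%s\n' "$content" | grep -Eq "$SECRET_PATTERNS"; then
                 printf '%s:%s\n' "$file" "$content"
                 hits=$((hits + 1))
               fi ;;
      *) ;;                                            # context and "-" lines are skipped
    esac
  done <<EOF
$1
EOF
  [ "$hits" -eq 0 ]
}

# commit_whitelisted COMMIT_SHA WHITELIST_TEXT
# Mirrors the role of config/whitelists/commit_whitelist.txt: one reviewed commit sha per
# line, "#" lines are comments. Returns 0 when the sha is listed.
commit_whitelisted() {
  printf '%s\n' "$2" | grep -v '^#' | grep -qxF "$1"
}

# Constructed sample patch: the removed line carries a key-like string and must be ignored,
# the first added line carries a password and must be flagged, the last added line is clean.
SAMPLE_PATCH='diff --git a/app/config.py b/app/config.py
--- a/app/config.py
+++ b/app/config.py
@@ -1,3 +1,3 @@
 DEBUG = False
-API_TOKEN = "AKIAIOSFODNN7EXAMPLE"
+password = "hunter2"
+timeout = 30'

# Constructed whitelist content with one reviewed (fake) commit sha.
SAMPLE_WHITELIST='# reviewed false positives
0123456789abcdef0123456789abcdef01234567'

# Stand-alone run: skip the scan for a whitelisted commit, otherwise report findings.
if commit_whitelisted "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef" "$SAMPLE_WHITELIST"; then
  echo "commit whitelisted, skipping scan"
elif scan_added_lines "$SAMPLE_PATCH"; then
  echo "no sensitive data in added lines"
else
  echo "push would be rejected"
fi
```

Run as written, the sample commit is not whitelisted, the scan prints `app/config.py:password = "hunter2"` and the script reports that the push would be rejected; the removed API_TOKEN line produces no finding, which is exactly the behaviour the NOTE describes.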

<a id="setup">Setup</a>

<a id="setup1">1. Clone down SEDATED®</a>

```shell
git clone https://github.com/OWASP/SEDATED.git
cd SEDATED/
```

<a id="setup2">2. Update .example files</a>

```shell
# Paths are relative to the cloned SEDATED/ directory from step 1.
cp config/whitelists/commit_whitelist.txt.example config/whitelists/commit_whitelist.txt
cp config/whitelists/repo_whitelist.txt.example config/whitelists/repo_whitelist.txt
cp config/enforced_repos_list.txt.example config/enforced_repos_list.txt
```

<a id="setup3">3. Customize /config/custom_configs.sh Variables and Functions (as desired)</a>

<a id="setup4">4. Push SEDATED® with Organization Specific Implementation</a>

Push your organization-specific implementation of SEDATED® to your organization's Git repository of choice (GitHub, GitLab, Git, etc.).

<a id="setup5">5. Point pre-receive hook to SEDATED®'s pre-receive.sh file</a>

Instructions for accomplishing this on a GitHub Enterprise instance can be found in GitHub_Enterprise_Setup.md.

<a id="localTesting">Local Testing</a>

<a id="fileDescriptions">File Descriptions</a>

<a id="preReceive">pre-receive.sh</a>
<a id="customConfigs">/config/custom_configs.sh</a>
<a id="enforcedReposList">/config/enforced_repos_list.txt</a>
<a id="regexes">/config/regexes.json</a>
<a id="commitWhitelist">/config/whitelists/commit_whitelist.txt</a>
Optional: Request that developers submit pull requests to this (commit_whitelist.txt) file when they encounter false positives so they can be reviewed.
<a id="repoWhitelist">/config/whitelists/repo_whitelist.txt</a>
<a id="regexTestScript">/testing/regex_testing/regex_test_script.sh</a>
<a id="testCases">/testing/regex_testing/test_cases.txt</a>

<a id="customization">Customization</a>

Custom variables and functions are designed to allow organizations to easily customize their own specific implementation of SEDATED® without altering the main pre-receive hook file that does all the heavy lifting. All custom variables and functions can be found in /config/custom_configs.sh and the explanations of the variables contained in this file are listed below.

<a id="customVars">Custom Variables</a>

<a id="customFuncs">Custom Functions</a>

<a id="compatibility">Compatibility</a>

Only compatible with SCM tools that utilize the Git version control system.

<a id="contribute">Contribute</a>

Contributions to this project are welcome!

You can contribute in either of the following ways:

<a id="authors">Authors</a>

<a id="license">License</a>

SEDATED® is licensed under the BSD 3-Clause "New" or "Revised" License.

<hr />

**SEDATED® is not guaranteed to flag every instance of a hard-coded credential, key, secret, etc. It uses regex pattern matching, and though it has gotten pretty good at catching most instances, it is not perfect; we are always open to ideas and/or pull requests to help make SEDATED® even better.**