Despite the project's capabilities, it has been hard to allocate time to its maintenance and therefore we decided to stop supporting shhbt's development.
Please use at your own descrition - no more patches should be incoming from our side while the project is set as archived
shhbt (shhgit for blue teams) is a modification of the original shhgit idea, to help blue teams target, and proactively detect and avoid leaking sensitive data into public repositories.
To do so, this tool integrates with different GitClients, and runs the core scanner at each merge/pull request. If it finds a secret, then it sets the status as failed (red, merge at your own risk), if not then it marks it as success.
The scanner also picks up custom configs from the repository. To write your own config, create a file called
.shhbt_config.yaml, and start adding your own keywords. Your config should work as a replacement of the original
config, not an extension.
Check the shhbt_config.yaml file to see how it is organised and add your own in your project!
This is an internal project developed at PaddyPower Betfair, and we use it in our own internal security controls. Despite that, contributions are more than welcome, and we would like to encourage any developer to contribute to the project, either with code, issue triaging, feature proposals, and other tweaks.
All contributors should be familiar and respect the code of conduct
To get started, please read the CONTRIBUTING.md
To install and set-up the tool to run, you need to install the requirements in an environment, add the minimum required variables, and get the server running. After getting the server running, you only need to configure the webhook in the project's settings.
Before that then, considering you are under an environment with Python 3.9, and in a Unix-based environment (Windows users, please adapt the commands accordingly):
git clone git@github.com/paddypowerbetfair/shhbt.gitcd shhbtpython -m venv envsource env/bin/activepip install -r requirements.txt- Create a
.envfile to contain, at least, the following keys and valid values:CONFIG_LOCATION(which should target theshhbt_config.yamlthat exists in this repository);GITLAB_URIandGITLAB_TOKEN. - If everything was done successfully, then running
flask runinside the project's directory will start a flask server.
Now that you have the server running, you either use a service like ngrok to set-up a secure tunnel, and to receive the hooks simply paste the link ngrok provides in the repository webhooks settings, or, if you installed it and are running in a remote server with that open port, you can use your server's IP to configure the webhook. In GitLab, the triggers you will need are push events, and merge requests events. It's recommended to use SSL.