Talisman is a tool to validate code changes that are to be pushed out of a local Git repository on a developer's workstation. By hooking into the pre-push hook provided by Git, it validates the outgoing changeset for things that look suspicious - such as potential SSH keys, authorization tokens, private keys etc.
The aim is for this tool to do this through a variety of means including file names and file content. We hope to have it be an effective check to prevent potentially harmful security mistakes from happening due to secrets which get accidentally checked in to a repository.
The implementation as it stands is very bare bones and only has the skeleton structure required to add the full range of functionality we wish to incorporate. However, we encourage folks that want to contribute to have a look around and contribute ideas/suggestions or ideally, code that implements your ideas and suggestions!
Talisman can either be installed into a single git repo, or as a git hook template.
We recommend installing it as a git hook template, as that will cause Talisman to be present in any new repository that you 'init' or 'clone'.
You could download the
manually and copy it into your project/template
hooks directory --
or you can use our
curl https://thoughtworks.github.io/talisman/install.sh > ~/install-talisman.sh chmod +x ~/install-talisman.sh
If you run this script from inside a git repo, it will add Talisman to that repo. Otherwise, it will prompt you to install as a git hook template.
# Install to a single project cd my-git-project ~/install-talisman.sh
# Install as a git hook template cd ~ ~/install-talisman.sh
From now on Talisman will run checks for obvious secrets automatically before each push:
$ git push The following errors were detected in danger.pem The file name "danger.pem" failed checks against the pattern ^.+\.pem$ error: failed to push some refs to 'firstname.lastname@example.org:jacksingleton/talisman-demo.git'
If you're really sure you want to push that file, you can add it to
.talismanignore file in the project root:
echo 'danger.pem' >> .talismanignore
Note that we can ignore files in a few different ways:
If the pattern ends in a path separator, then all files inside a directory with that name are matched. However, files with that name itself will not be matched.
If a pattern contains the path separator in any other location, the match works according to the pattern logic of the default golang glob mechanism.
If there is no path separator anywhere in the pattern, the pattern is matched against the base name of the file. Thus, the pattern will match files with that name anywhere in the repository.
To contribute to Talisman, you need a working golang development environment. Check this link to help you get started with that.
Once that is done, you will need to have the godep dependency manager installed. To install godep, you will need to fetch it from Github.
go get github.com/tools/godep
Once you have godep installed, clone the talisman repository. In your working copy, fetch the dependencies by having godep fetch them for you.
To run tests
godep go test ./...
To build Talisman, we can use gox:
gox -osarch="darwin/amd64 linux/386 linux/amd64"
Contributing to Talisman
TODO: Add notes about forking and golang import mechanisms to warn users.