Use an existing tool and Git Hooks to activate a static analysis tool for a popular repository.
Software Quality Assurance (Auburn University, Spring 2023, Fall 2023)
Mobile Security (Tuskegee University, Fall 2023)
Pre-lab Content Dissemination
One negative perception of software quality assurance (SQA) is that it slows down rapid deployment of software. That is why practitioners advocate integrating SQA activities into the software development and deployment process itself. To that end, modern software engineering favors automated pipelines for security analysis: instead of asking developers to hunt for security problems by hand, tools should do it for them on every change.
In that spirit, we as a class will work with a small Python program and a Git hook to help you understand how Git hooks work. Specifically, you will create a Git pre-commit hook that automatically runs a basic static security check on your Python code before each commit. This hands-on exercise will show how Git hooks can catch common security issues early and help enforce secure coding practices during development.
In-class Hands-on Experience
Create a GitHub account if you haven't yet.
Install git on your computer.
Install Python on your computer if you haven't yet.
Create a new folder inside any directory of your computer.
Go to this folder, create a file named main.py, paste the following code into it, save and exit. You can use any editor you wish. (The hardcoded password is intentional; it is what the hook will catch.)
username = "admin"
password = "12345" # Insecure
print("Running the app...")
Now run git init from your created folder.
Now go to .git/hooks/ from your created folder.
Run cp pre-commit.sample pre-commit
Open the pre-commit file and remove all of its content.
Copy the following code into it and save it:
#!/bin/bash
echo "Scanning staged Python files for hardcoded passwords..."
# Paths of staged files that were Added, Copied or Modified, keeping only .py files
files=$(git diff --cached --name-only --diff-filter=ACM | grep '\.py$')
for file in $files; do
  # Flag any line that assigns a quoted string literal to a variable named password (case-insensitive)
  if grep -Ei 'password\s*=\s*["'\''].*["'\'']' "$file"; then
    echo "Hardcoded password found in $file! Commit rejected."
    exit 1   # a non-zero exit status from a pre-commit hook aborts the commit
  fi
done
echo "No hardcoded passwords found."
Make this file executable by running chmod +x .git/hooks/pre-commit from your created directory.
Now run git add main.py from your created directory
Now run git commit -m "Test" from your created directory
You should not be able to commit because of the hardcoded password, and you should see the following error:
Hardcoded password found in main.py! Commit rejected.
Now how do we fix this?
Export the password as an environment variable by running the following command from your terminal (Linux and macOS). Note that export only affects the current shell session, so run the program from that same terminal:
export MY_PASSWORD="your-secret-password"
If you are on Windows, run the following command instead in Command Prompt (cmd.exe):
set MY_PASSWORD=your-secret-password
In PowerShell the equivalent is $env:MY_PASSWORD = "your-secret-password"
Now reopen your original main.py file, replace its contents with the following and save (os.getenv returns None if MY_PASSWORD is not set, so make sure you exported it in the same terminal session):
import os
username = "admin"
password = os.getenv("MY_PASSWORD") # The fix: read the secret from the environment instead of the source code
print("Running the app...")
Now run git add main.py from your created directory
Now run git commit -m "Test" from your created directory
This time you should see:
No hardcoded passwords found.
[main (root-commit) ae3ab11] Test
1 file changed, 4 insertions(+)
create mode 100644 main.py
Yay! We are secure now!
Post Lab Experience
Now you understand how Git can do more than version control: it can enforce security rules. Keep in mind what this hook does not do. It runs only on the developer's machine and is skipped by git commit --no-verify, it scans the working-tree copy of each file rather than the content actually staged, and it only looks for a variable named password. A local hook is a fast first line of defense, not a replacement for secret scanning in CI or on the server.
Realize the importance of avoiding hardcoded secrets in real-world development.
A hardcoded password is only one example. Try modifying the Git hook to check for other sensitive keywords such as token, api_key, email or secret.
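The following extended hook is an added example written for this lab, not the original script above. It implements the post-lab exercise (checking several sensitive keywords) and also addresses two limitations of the lab hook: it scans the staged content of each file via git show :path rather than the working copy, and it reports every offending file instead of stopping at the first. The keyword list, the variable names and the sample inputs in the comments are my choices; the matching logic is factored into a function so it can be run on any text without a Git repository.

```shell
#!/bin/bash
# Extended pre-commit hook (added example for this lab, not the original script).
# Compared with the lab hook it:
#   * scans the STAGED content of each file (git show :path), not the working copy
#   * checks several sensitive keys, not only "password"
#   * keeps the matching logic in a function that can be run without a repository

# Variable names that must never be assigned a quoted literal (extend as needed).
SECRET_KEYS='password|passwd|secret|token|api_key|apikey|email'

# scan_secrets: read source text on stdin; print each offending line (with its
# line number) to stderr. Returns 0 when clean, 1 when a hardcoded literal is found.
# Matches e.g.   api_key = "abc123"   or   TOKEN: 'xyz'   (case-insensitive).
# A value read from the environment, e.g. password = os.getenv("MY_PASSWORD"),
# is not a quoted literal and therefore passes; so does an empty string "".
scan_secrets() {
    if grep -Ein "(^|[^a-z0-9_])(${SECRET_KEYS})[a-z0-9_]*[[:space:]]*[=:][[:space:]]*[\"'][^\"']+[\"']" >&2; then
        return 1
    fi
    return 0
}

# run_hook: scan every staged .py file and reject the commit if any one fails.
run_hook() {
    echo "Scanning staged Python files for hardcoded secrets..."
    status=0
    old_ifs=$IFS
    IFS='
'   # split the file list on newlines only, so paths containing spaces survive
    for file in $(git diff --cached --name-only --diff-filter=ACM -- '*.py'); do
        # ":$file" addresses the index (staged) version, which is what gets committed.
        if ! git show ":$file" | scan_secrets; then
            echo "Hardcoded secret found in $file! Commit rejected." >&2
            status=1
        fi
    done
    IFS=$old_ifs
    if [ "$status" -eq 0 ]; then
        echo "No hardcoded secrets found."
    fi
    return "$status"
}

# Git invokes this file as .git/hooks/pre-commit; only then run the hook, so the
# functions above can also be sourced or tested on their own.
case "${0##*/}" in
    pre-commit) run_hook ;;
esac
```

Install it exactly as in the lab (copy to .git/hooks/pre-commit and chmod +x), then stage a file containing token = 'abc' to see it rejected. Because the function reads the staged blob, editing the secret out of the working copy after git add no longer fools the check; you have to re-stage the clean version.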