feat(lab3): SSH signing + gitleaks pre-commit + history rewrite practice #4
Lab 3 — Submission
Task 1: SSH Commit Signing
Local configuration
git config --global gpg.format → ssh
git config --global user.signingkey → ~/.ssh/DevSecOps.pub
git config --global commit.gpgsign → true
Local verification
Output of git log --show-signature -1:
GitHub verification
One-paragraph reflection (2-3 sentences)
What STRIDE-R (Repudiation) scenario would a forged-author commit enable in a real team's codebase? How does the Verified badge make that attack visible?
A forged-author commit could allow an attacker to add malicious code while pretending to be a trusted team member. This makes it difficult to know who actually made the change and who is responsible for it. The GitHub Verified badge helps prevent this by showing that a commit was signed by the real author. If a commit is unverified, reviewers can quickly see that the author's identity may not be trustworthy.
Task 2: Pre-commit + gitleaks
.pre-commit-config.yaml (paste the full content)
pre-commit install output
The blocked commit
Output of the git commit that gitleaks blocked (the failing hook output):
Tune-out exercise
Suppose a teammate insists they need to commit AKIA* strings because they're documentation examples in docs/. Briefly describe two approaches:
Inline allowlist — [allowlist] block in .gitleaks.toml. When is this OK? This is acceptable when a file contains known fake credentials used for testing or documentation. It ignores only specific values while still allowing gitleaks to scan the rest of the file for real secrets.
Path exclusion — paths: [docs/] in .gitleaks.toml. When is this risky? This is risky because gitleaks will completely skip the excluded directory during scans. If someone accidentally commits a real API key or password inside docs/, the leak may go undetected.
Bonus: History Rewrite
Before
1c23df4 (HEAD -> master) docs: add usage notes
9b34ef1 feat: empty log
7a12b4c feat: add config
fcb48fc init
Output of git log -p | grep -c 'ghp_': 2
After
e09a51d (HEAD -> master) docs: add usage notes
a6a9943 feat: empty log
2112db1 feat: add config
fcb48fc init
Output of git log -p | grep -c 'ghp_': 0
Output of git log -p | grep -c 'REDACTED': 2
The two-step pattern in real life
git filter-repo --replace-text replacements.txt — rewrite locally
Two real-world gotchas you discovered (2 sentences each)
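For the Tune-out exercise above, a .gitleaks.toml that puts the narrow inline allowlist beside the broad path exclusion. This is an added example, not the submission's own config; it assumes the gitleaks v8 TOML schema and uses the AWS documentation example key AKIAIOSFODNN7EXAMPLE as the fake value in docs/.

```toml
# Added example (not from the lab submission). Assumes the gitleaks v8
# config schema; the AKIA value is the AWS documentation example key,
# not a real credential.
title = "lab3 gitleaks config"

# Keep the built-in rule set and only layer exceptions on top of it.
[extend]
useDefault = true

# Approach 1 (narrow): allowlist only the known fake value.
# Any other AKIA* string in docs/ is still reported, so a real key
# pasted next to the example is still caught.
[allowlist]
description = "documented example credentials"
regexes = [
  '''AKIAIOSFODNN7EXAMPLE''',
]

# Approach 2 (broad): skip the whole directory. TOML allows only one
# [allowlist] table, so this is left commented out; swap it in to see
# the difference. Path entries are regexes matched against the
# repo-relative path. With this active, a real key committed under
# docs/ is never scanned at all.
# [allowlist]
# description = "skip docs entirely"
# paths = [
#   '''^docs/''',
# ]
```

Run gitleaks with `gitleaks detect --config .gitleaks.toml` against a branch containing both the example key and a different fake AKIA string under docs/ to confirm that approach 1 flags the second string while approach 2 reports nothing.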