Abstract

Talisman is an open source tool created by Thoughtworks, that installs a hook to your repository to ensure that potential secrets or sensitive information do not leave the developer’s workstation. It validates the outgoing changeset for things that look suspicious - such as potential SSH keys, authorization tokens, private keys etc. It supports MAC OSX, Linux and Windows. Talisman can be installed as pre-commit hook or a pre-push hook. Talisman, sits on your machine’s home (or a parent location of your choice where you keep all your git repositories) as a git hook, so that you can install it once and have Talisman taking care of secrets being accidentally pushed to VCS from your existing or new git repositories. Once installed, Talisman’s auto update mechanism takes care of updating new features to the installation whenever there is a new release of Talisman.

Talisman CLI support

Above, we figured out how Talisman prevents sensitive information leaving developer’s or QA’s machine and getting checked in to VCS. Which works perfectly for any new repositories that you create. Now, what about the secrets that were already checked in to an existing repository? How do you look at the complete git history and find out secrets which were accidentally checked in before and remove them? Talisman also supports a CLI tool as well which you can run from your repo and find out existing secrets in a git repository. Here’s how you can use the Git History Scanner support of Talisman CLI and potentially you can add it to your CI/CD pipeline to make secret scanning a part of your deployment process.