Talisman – Tool to Prevent Secrets from Getting Checked in

Talisman is a tool that validates code changes before they are pushed out of a local Git repository on a developer's workstation. By hooking into Git's pre-push hook, it inspects the outgoing changeset for things that look suspicious, such as potential SSH keys, authorization tokens and private keys.

The aim is for Talisman to scan both file names and file content, so that potential problems embedded in source code and documentation can be caught as well.


The following detectors execute against the changesets to detect secrets/sensitive information:

  • Encoded values – scans for secrets that have been encoded, for example in Base64 or hex
  • File content – scans file contents for suspicious strings that could be secrets or passwords
  • File size – flags large files, which may contain keys or other secrets
  • Entropy – scans for high-entropy content, which is likely to be a password or key
  • Credit card numbers – scans for digit sequences that could be credit card numbers
  • File names – scans for file names and extensions that suggest the file holds secrets, such as keys or credentials
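To make the detector list concrete, here is a small scanner added as an illustration (it is not Talisman's own code) that applies three of the checks, file name, Shannon entropy and Luhn-validated card numbers, to a constructed changeset. The thresholds, patterns and sample files are assumptions, not Talisman's configuration.

```python
import math
import re
from collections import Counter

# Assumed thresholds and patterns; Talisman's real rules are not reproduced here.
ENTROPY_THRESHOLD = 4.5  # bits per character; random-looking tokens score higher
MIN_TOKEN_LEN = 20       # shorter strings give unreliable entropy estimates
SUSPICIOUS_NAME = re.compile(r"(\.pem|\.key|\.p12|id_rsa|credentials)$", re.I)
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{%d,}" % MIN_TOKEN_LEN)
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (the 'high entropy' detector)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def scan_file(path: str, content: str) -> list:
    """Return (detector, location) findings for one changed file."""
    findings = []
    if SUSPICIOUS_NAME.search(path):
        findings.append(("filename", path))
    for lineno, line in enumerate(content.splitlines(), 1):
        where = f"{path}:{lineno}"
        for tok in TOKEN_RE.findall(line):
            if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                findings.append(("entropy", where))
        for m in CARD_RE.finditer(line):
            if luhn_ok(re.sub(r"[ -]", "", m.group())):
                findings.append(("credit_card", where))
    return findings


def scan_changeset(files: dict) -> dict:
    """Scan every file in the outgoing changeset; a non-empty result means block the push."""
    return {p: f for p, c in files.items() if (f := scan_file(p, c))}


# Constructed sample changeset; the token and card number are not real credentials.
SAMPLE_CHANGESET = {
    "src/app.py": "API_KEY = 'K7Qz3XpL9mW2vT5cR8nB4hJ1sF6dY0gA'\nretries = 3\n",
    "docs/test.md": "Use test card 4111 1111 1111 1111 in staging.\n",
    "config/server.key": "placeholder\n",
    "README.md": "Just documentation.\n",
}
```

Running `scan_changeset(SAMPLE_CHANGESET)` reports one finding per detector and nothing for README.md; a hook would exit non-zero whenever the result is non-empty.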

Once installed, Talisman automatically checks for obvious secrets before each commit or push (whichever was chosen during installation). If it detects anything, Talisman displays a detailed report of the findings.

If you have installed Talisman as a pre-push hook, it scans every file that contains changes in full, not only the changed lines.

You can read more and download this tool over here: https://github.com/thoughtworks/talisman
