twilio-labs/deadshot twilio-labs/deadshot

  • Stars
    star
    190
  • Rank 202,977 (Top 5 %)
  • Language
    Python
  • License
    MIT License
  • Created almost 4 years ago
  • Updated about 1 month ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
twilio-labs/deadshot
github

twilio-labs

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Deadshot is a Github pull request scanner to identify sensitive data being committed to a repository

Deadshot

Deadshot is a Pull Request scanner that looks for the introduction of secrets via PRs by matching each diff line against a set of known secret expressions.

Application capabilities:

Service is responsible for:

  • Real-time Pull Request diff processor to check for secrets being committed to Github via new code
  • Notify the user on the PR conversation if it flags something
  • Slack notify the security team channel when certain secrets are identified in code for which you've enabled slack notifications via a flag in regex.json

Service does NOT:

  • Do any static or dynamic code analysis

How does it work?

Deadshot is a Flask-Celery-Redis multi-container application that is installed as a Github app to run on every Pull Request created against the main branch of a repo on which the Github app is installed.

The Flask container is the entry point for the service by exposing API routes defined in blueprints.py. Once a Pull request payload is received on the API route the service forwards the payload to a Redis queue for the Celery container to pick up and scan through the diff of the Pull Request. After the celery container scans for specified secrets regular expressions, it comments on PRs, slack notifies the security team channel, or creates a JIRA ticket for the team to follow up on. The Github app is configured with the Flask API URL and a shared secret used for generating the payload SHA checksum.

One way the API URL can be setup is by deploying this code on an host and assigning a application load balancer to this host.

Creating a Github App

Note: When creating the app please make sure you have a DNS ready for host on which you'll be deploying Deadshot containers and a secure secret string for the webhook secret.

Github Admins would need to create and install a Github app on Github before running or deploying the Deadshot application. To know more about creating a Github app please read this guide

App Name: deadshot (All lower case. This is important as the service uses this name to fetch previous comments it has made on a PR)

Webhook URL: http(s)://your-hosted-deadshot-dns/api/v1/deadshot-webhook

To test this locally you can create a ngrok endpoint to feed into your Github app webhook section

Github App Permissions

For this application to work your Github app will have to enable the following permissions and subscriptions on the permissions page of the Github app: Repository Permissions:

  • Metadata: Read-only
  • PullRequests: Read & write
  • Webhooks: Read & write

All other permissions are left unchanged to the default value of No access

Subscribe to events:

  • Pull request
  • Pull request review

Finally click “Create GitHub App”. After successful app creation follow the “generate a private key” link in the top section of the app web page

Once the private key is generated store it in a secure location. This generated private key is one of the pieces of data used to generate a session token for app interaction.

After generating the private key, install the app on all the orgs you want it to monitor.

Running Deadshot

This is a multi-container application designed to bring up all three containers (Flask, Celery, Redis) via the /bin/run.sh, so running the Dockerfile image should bring up the entirety of the application

Environment variables:

Note: For deployment using docker-compose.yaml populate the these environment variables in localdev.env. If you're deploying this by building and running each container image individually via Dockerfile.api, Dockerfile.celery then the these environment variables are in the respective Dockerfiles

The three variables below are single string values provided by the user

The below environment variables load path to files with credentials in them. Load the json file key values in the files available here before running the application.

  • SECRET_GITHUB_SECRET: This variable loads github_secrets.json and has the Github app's shared webhook secret, integration ID, and the pem key. All these three secrets are obtained from the Github app settings page webhook secret - This is the secret configured during the app creation process integration ID - This is the app ID shown on the github app settings page pem key - this is the private key generated during the app installation process
  • SECRET_SLACK_WEBHOOKS: This slack_webhook.json and has the webhook URL to which the deadshot app will send slack notifications when it finds secrets in a PR for which you set slack_alert=True in regex.json
  • SECRET_JIRA_AUTH: This loads jira_user.json and has the username and password for the user ID to access the org's JIRA board Note: If you do not provide valid values in SECRET_SLACK_WEBHOOKS and SECRET_JIRA_AUTH the service will soft fail and print error messages about failure to initiate slack and jira methods in the docker container logs

Note: If you do not move the JSON secrets files location then you do not need to update the above three environment variables values already present in the Dockerfiles or docker-compose.yaml

Running/Serving the Docker Image

This command will use docker-compose.yaml to bring up all the containers. Please update configuration/environment/localdev.env with values relevant to your organisation before running the below command

make serve

Once you’ve done this and do not intend to use Dockerfile for serving the application then jump to “Server Healthcheck” section

Building and running the service using Dockerfiles

There are two ways to build and run the Dockerfiles. There are four Dockerfiles present in the repository, three of which are used to generate an individual image for each container needed for this service to work, and the fourth one is a Dockerfile setup to create a image that can be used to either bring up the Flask application or the celery worker depending on the DEADSHOT_RUN_MODE environment variable value (api or worker) provided To run any of the steps below you need to be present in the root folder of the repository

Note: Ensure you’ve updated the environment variables in Dockerfile.api and Dockerfile.celery files

Building images from individual Dockerfiles

There are three Dockerfiles relevant to this step. Dockerfile.api, Dockerfile.celery, and Dockerfile.redis

To build the Flask API image
docker build -f Dockerfile.api -t deadshot-api:<version> .
To build the celery image
docker build -f Dockerfile.celery -t deadshot-worker:<version> .
To build the redis image
docker build -f Dockerfile.redis -t deadshot-redis:<version> .

Running built images

The three images built in the previous steps all run in separate networks due to which they won't be able to talk to each other. To enable inter-container communications we need to add them to a container network

Create a docker network
docker network create deadshot-network

Run the images using the created network in the following order: Start redis container:

docker run --net deadshot-network --name redis deadshot-redis:<version>

Start celery container:

docker run --net deadshot-network deadshot-worker:<version>

Start Flask API container:

docker run --net deadshot-network -p 9001:9001 deadshot-api:<version>

Building and running a single image for Flask API container and celery worker container

This step is useful only if you have a orchestration that allows you to feed in environment variables, secrets and other configurations at deployment time. Please use the above method of running the containers if you don't have a configurable CI/CD setup.

To build a single docker image for bringing up the api and celery worker based on DEADSHOT_RUN_MODE environment variable

make build

This command will also create the redis image that is needed for service

If the built image is run with the environment variable DEADSHOT_RUN_MODE=api, it will bring up the Flask application If the image is run with environment variable DEADSHOT_RUN_MODE=worker then the celery worker will be initiated

Server Healthcheck

Now that the API is ready to receive requests navigating to http://localhost:9001/api/v1/heartbeat in a browser should return a valid response or you could do a curl

curl localhost:9001/api/v1/healthcheck

Both should show the following message: {"healthcheck": "ready"}

Running a Pull Request scan

If you have a webhook payload of the Github app for your Pull Request then you can run the following curl command locally to test your application:

curl -X POST -H "content-type: application/json" -H "X-GitHub-Enterprise-Host: github.mockcompany.com" -H "X-Hub-Signature: sha1=85df4936c6396c149be94144befab41168149840" -H "X-GitHub-Event: pull_request" -d @tests/fixtures/good_pr.json http://localhost:9001/api/v1/deadshot-webhook

Adding new regular expressions

If you want the tool to monitor other types of secrets then add your regular expressions in the regex.json file

Note: Entropy check flag allows you to look for high entropy findings in addition to the regular expression match

Limitations

At this time, Deadshot has only tested with Github Enterprise, but should work with Github cloud as well.

More Repositories

1

open-pixel-art

A collaborative pixel art project to teach people how to contribute to open-source
JavaScript
587
star
2

paste

Paste is a design system for designing and building consistent experiences at Twilio.
TypeScript
440
star
3

function-templates

Twilio Function templates for different Voice, SMS, Video, Chat, Sync, etc use cases
JavaScript
340
star
4

call-gpt

Generative AI phone call toolkit using Twilio Media Streams.
JavaScript
257
star
5

svg-to-react

Converts SVG assets into accessible React components with smart default props
TypeScript
155
star
6

actions-sms

Send an SMS through GitHub Actions
JavaScript
148
star
7

socless

The SOCless automation framework
Python
132
star
8

serverless-toolkit

CLI tool to develop, debug and deploy Twilio Functions
TypeScript
114
star
9

twilio-barista

☕️ Twilio-powered app for easy coffee ordering at events
JavaScript
95
star
10

dev-phone

A developer tool for testing SMS and Voice applications
JavaScript
74
star
11

twilio-aspnet

Integrate Twilio Programmable Messaging and Voice with ASP.NET Respond to webhooks with TwiML in seconds
C#
58
star
12

NgrokExtensions

Visual Studio integration with ngrok
C#
48
star
13

plugin-rtc

Twilio CLI plugin which supports developing and deploying real-time communication apps
JavaScript
38
star
14

plugin-signal2020

SIGNAL 2020 Developer Mode
TypeScript
36
star
15

plugin-flex-outbound-dialpad

Sample Twilio Flex plugin for a dialpad solution that allows for conferencing and supervisor monitor and external transfer
JavaScript
33
star
16

receptionist-bot-rs

Slack bot for self-servicing automation of common or predictable tasks.
Rust
32
star
17

code-exchange

Code guidelines, feature requests and bug reports for the Twilio CodeExchange
26
star
18

vscode-twilio

VS Code extension to work with the Twilio CLI
JavaScript
24
star
19

snyk-watcher

Python
21
star
20

plugin-serverless

Twilio CLI plugin to work with Serverless
JavaScript
21
star
21

plugin-flex-realtime-stats-dashboard

Sample Twilio Flex plugin for a real time stats solution
JavaScript
21
star
22

sample-autopilot-voice-ivr

Voice-Powered IVR Chatbot with Autopilot
JavaScript
20
star
23

gordon

Gordon is status check Github app to enforce and validate about.yaml file specifications in a repository during pull requests to drive code ownership at scale within an organization
Python
19
star
24

sample-template-nodejs

A template repository serving as the base for new Twilio sample apps
JavaScript
18
star
25

sample-conversations-masked-numbers

Masked Phone Numbers over SMS with Conversations
JavaScript
17
star
26

sample-appointment-reminders-node

Send automatic reminders about scheduled events using Node.js and Twilio SMS
JavaScript
17
star
27

masked-communications-app

TypeScript
16
star
28

twilio-firebase-extensions

A collection of Firebase Extensions for Twilio functionality.
TypeScript
16
star
29

plugin-agent-autoresponse

This Twilio Flex Plugin enables your agents to send canned responses when chatting with a customer.
JavaScript
15
star
30

serverless-api

Node.js library to manage deploy Serverless Functions
14
star
31

ml-training-api

A service template for asynchronous machine learning model training
Python
14
star
32

sketch-twilio-ipsum

A realistic fake data populator for Sketch.
JavaScript
13
star
33

create-twilio-function

A CLI tool to generate a new Twilio Functions project that can be run locally with twilio-run.
JavaScript
13
star
34

plugin-message-media

Send and receive message media in Twilio Flex
JavaScript
13
star
35

twilio-style

Twilio's shareable ESLint config
JavaScript
12
star
36

sample-flows-github-actions

Example of deploying Twilio Studio flows via GitHub Actions
JavaScript
12
star
37

plugin-queued-callbacks-and-voicemail

JavaScript
11
star
38

match

Match is a design system used to build accessible, consistent, and high quality public-facing experiences at Twilio.
TypeScript
11
star
39

ai-assistants-samples

HTML
11
star
40

plugin-webhook

Twilio CLI plugin to emulate webhook requests from Twilio
JavaScript
10
star
41

plugin-agent-notes

This Twilio Flex Plugin enables your agents to take notes when they are on-call or chatting with a customer. This is an introductory plugin where the notes are stored locally for your agents.
JavaScript
10
star
42

plugin-watch

Access and stream your Twilio debugger logs along with your calls and messages.
JavaScript
10
star
43

serverless-toolkit-moved

Twilio Serverless Toolkit allows you to locally develop, debug and deploy to Twilio Serverless
10
star
44

sample-autopilot-support-bot

This sample application shows how to build an automated SMS chatbot using Twilio's autopilot
JavaScript
9
star
45

netlify-okta-auth

Use Okta as your identity provider with Netlify's Role-based access control with JWT
TypeScript
9
star
46

socless-slack

SOCless Slack Integrations
Python
9
star
47

twilio-flex-sample-backend

Sample backend for a suite of Twilio Flex Plugin solutions
JavaScript
8
star
48

plugin-flex

Twilio CLI plugin to interact with the Flex Plugin Builder
JavaScript
8
star
49

vestlus

A conversational app.
TypeScript
8
star
50

twilio-anchore

Python library that you can use to develop applications and automate tasks using the Anchore API
Python
8
star
51

sample-pay-service

Payment over the phone
JavaScript
7
star
52

paste-prototype-kit

The Paste Prototyping Kit is a quick way to get up and running building a functional prototype using Paste components.
JavaScript
7
star
53

configure-env

Configures your project's environment by creating a .env file.
TypeScript
6
star
54

docusaurus-plugin-segment

Send page views in Docusaurus sites to Segment.
TypeScript
6
star
55

ai-assistants-js

TypeScript
6
star
56

languagetool-cli

LanguageTool CLI tool
TypeScript
5
star
57

sms-keyword-router

Redirect inbound SMS to multiple webhooks based on an initial keyword.
JavaScript
5
star
58

plugin-token

Twilio CLI plugin for generating access tokens for Twilio Chat, Video, etc.
JavaScript
5
star
59

frontline-hubspot-serverless-quickstart

Sample Frontline integration with Hubspot CRM using Twilio Functions to host integration service
JavaScript
5
star
60

socless_python

Python library for the SOCless Automation Framework
Python
4
star
61

plugin-emoji-picker-2.x

Add emojis to messages in Flex UI 2.x
TypeScript
4
star
62

about

Open-Source Projects by Twilions & the Community
4
star
63

frontline-salesforce-serverless-quickstart

A code example of integrating salesforce for Frontline callbacks
JavaScript
4
star
64

sample-sendgrid-email-events-nodejs

Showcases how email events and webhook security
JavaScript
4
star
65

twilio-tap-zendesk

Singer.io tap for Zendesk API
Python
3
star
66

runtime-helpers

A set of common utility code for use in Twilio Functions.
TypeScript
3
star
67

serverless-runtime-types

TypeScript definitions to define globals for the Twilio Serverless runtime
JavaScript
3
star
68

sample-preference-center

Preference Center using Sinatra
HTML
3
star
69

flex-plugins-utils

General utility methods used by various Flex Plugins repos
TypeScript
3
star
70

serverless-framework-integration

Serverless Framework plugin for Twilio Runtime
JavaScript
3
star
71

twilio-style-cli

Twilio Style CLI
TypeScript
2
star
72

CloudCityCakeCo-dotnet-mvc

C#
2
star
73

plugin-signal2021

Welcome to SIGNAL Developer Mode 2021
TypeScript
2
star
74

frontline-airtable-serverless-quickstart

JavaScript
2
star
75

plugin-verify

Twilio Flex plugin to authenticate users with the Verify API
JavaScript
2
star
76

twiml-i18n

A lightweight middleware designed to facilitate the internationalization (i18n) of Twilio Markup Language (TwiML) responses.
TypeScript
2
star
77

docusaurus-plugin-refresh-session

Docusaurus plugin to automatically refresh an authenticated session when a login token expires.
TypeScript
1
star
78

plugin-signal2022

TypeScript
1
star
79

socless-sumologic

SOCless Sumo Logic Integrations
Python
1
star
80

docusaurus-plugin-for-datadog-rum

Datadog RUM plugin for Docusaurus
TypeScript
1
star
81

socless-template

Template for creating SOCless Integrations
Python
1
star
82

formik-paste

simple declarative bindings for Formik and Twilio React Paste components
TypeScript
1
star
83

socless_repo_parser

Take a list of socless repo names and query the github api for their raw lambda .py files and serverless.yml, parsing key elements into a single json output to build a catalog of all available lambda functions in the ecosystem.
Python
1
star
84

omnioculus

See the danger, even when it cannot see you.
JavaScript
1
star