Hi there!

I want to talk today about Nightfall DLP. The Nightfall DLP Action scans your code commits upon Pull Request for sensitive information, like credentials and secrets, PII, credit card numbers and more, and automatically posts review comments to your code hosting service. The Nightfall DLP Action is intended to be used as part of your CI to simplify the development process, improve your security, and ensure you never accidentally leak secrets or other sensitive information via an accidental commit. I tried to implement DLP with GitHub Actions and want to share my results.

Github Action

Nightfall provides a GitHub Action that can be used to scan Pull Requests and pushes to a branch. First you need to create a .github/workflows folder in the root of the repository and a dlp.yml file in this folder. The file name can be anything.

name: nightfalldlp
on:
  push:
    branches:
      - master
  pull_request:
jobs:
  run-nightfalldlp:
    name: nightfalldlp
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repo Action
        uses: actions/checkout@v2

      - name: nightfallDLP action step
        uses: nightfallai/nightfall_dlp_action@v0.0.7
        env:
          NIGHTFALL_API_KEY: ${{ secrets.NIGHTFALL_API_KEY }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          EVENT_BEFORE: ${{ github.event.before }}

The on section specifies that scanning starts on a push to the master branch and on a Pull Request. The action has two steps: the first clones the repository, the second runs the scanner. Several env variables are required for the scanner to work. GITHUB_TOKEN is used so that the scanner can add comments to the PR; its value should be secrets.GITHUB_TOKEN.

EVENT_BEFORE is required if the scanner starts on a push event, and its value must be github.event.before. NIGHTFALL_API_KEY is the last required variable; you can get it by registering at nightfall.ai. Once the NIGHTFALL_API_KEY is received, it needs to be added to GitHub Secrets.

Nightfall Configuration

Now that I have finished with the GitHub Action, I need to create a configuration file for Nightfall. To do this, create a folder named .nightfalldlp and the file config.json in it. The list of detectors that Nightfall supports:

{
  "detectors": [
    "CREDIT_CARD_NUMBER",
    "PHONE_NUMBER",
    "API_KEY",
    "CRYPTOGRAPHIC_KEY",
    "RANDOMLY_GENERATED_TOKEN",
    "US_SOCIAL_SECURITY_NUMBER",
    "AMERICAN_BANKERS_CUSIP_ID",
    "US_BANK_ROUTING_MICR",
    "ICD9_CODE",
    "ICD10_CODE",
    "US_DRIVERS_LICENSE_NUMBER",
    "US_PASSPORT",
    "EMAIL_ADDRESS",
    "IP_ADDRESS"
  ]
}

My configuration file is shorter, because the full one generates a lot of false-positive alarms.

Example of my file:

{
  "detectors": [
    "API_KEY",
    "CRYPTOGRAPHIC_KEY",
    "RANDOMLY_GENERATED_TOKEN",
    "EMAIL_ADDRESS",
    "IP_ADDRESS"
  ]
}

That is all you need to push for the scanner to start. Even with this configuration, the scanner gives a lot of false-positive results. For example, I get errors such as: Suspicious content detected (3:***, type IP_ADDRESS) on "arn:aws:s3:::usershome/{{name}}-{{data}}/*" or Suspicious content detected (ke********, type RANDOMLY_GENERATED_TOKEN) on "Resource": "arn:aws:kms:us-east-1:000000000:key/6a2b4d78-oy69-44ab-ce3d-43faca87fd14". Despite the false positives, the scanner lets you find stray passwords and API keys.
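The two false positives quoted above, as an added triage example (my own code, not part of Nightfall or the action): it parses the review-comment format shown and suppresses the two classes seen here, colon-delimited ARN fields misread as an IP address and KMS key ARNs flagged as random tokens, while leaving everything else for review. The third sample line, with an obviously fake access key, is constructed so that a genuine hit is also represented.

```python
import re
from dataclasses import dataclass

# Constructed sample findings in the format the action posts as PR comments.
# The first two are the ones quoted in the post; the third is an invented,
# obviously fake access key so that a real hit is also represented.
SAMPLE_FINDINGS = [
    'Suspicious content detected (3:***, type IP_ADDRESS) on "arn:aws:s3:::usershome/{{name}}-{{data}}/*"',
    'Suspicious content detected (ke********, type RANDOMLY_GENERATED_TOKEN) on "Resource": "arn:aws:kms:us-east-1:000000000:key/6a2b4d78-oy69-44ab-ce3d-43faca87fd14"',
    'Suspicious content detected (AK****************, type API_KEY) on "aws_access_key_id = AKIAFAKEFAKEFAKE0000"',
]

FINDING_RE = re.compile(
    r'^Suspicious content detected \((?P<redacted>[^,]+), type (?P<detector>[A-Z0-9_]+)\) on (?P<context>.+)$'
)
# Any AWS ARN: colon-delimited fields; region and account may be empty (as for S3).
ARN_RE = re.compile(r'arn:aws:[a-z0-9-]+:[a-z0-9-]*:\d*:')
# A KMS key ARN names a key by a UUID-shaped id; it carries no key material.
KMS_KEY_ARN_RE = re.compile(r'arn:aws:kms:[a-z0-9-]+:\d+:key/[0-9a-z-]{36}\b')


@dataclass
class Finding:
    redacted: str
    detector: str
    context: str


def parse_finding(line: str) -> "Finding | None":
    """Parse one review-comment line; return None if it is not a finding."""
    m = FINDING_RE.match(line.strip())
    return Finding(**m.groupdict()) if m else None


def triage(f: Finding) -> tuple:
    """Classify a finding as 'false_positive' or 'review', with a reason."""
    if f.detector == "IP_ADDRESS" and ARN_RE.search(f.context):
        return "false_positive", "colon-delimited ARN fields misread as an IP address"
    if f.detector == "RANDOMLY_GENERATED_TOKEN" and KMS_KEY_ARN_RE.search(f.context):
        return "false_positive", "KMS key ARN is a key identifier, not a secret"
    return "review", "no suppression rule matched; treat as a possible leak"


def triage_report(lines: list) -> list:
    """Return (detector, verdict, reason) for every parsable finding line."""
    report = []
    for line in lines:
        f = parse_finding(line)
        if f is not None:
            verdict, reason = triage(f)
            report.append((f.detector, verdict, reason))
    return report
```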