intermediate_git_presentation.html

<!DOCTYPE html>
<html lang="" xml:lang="">
  <head>
    <title>Intermediate Git and Github: Security</title>
    <meta charset="utf-8" />
    <meta name="author" content="Jenny Leopoldina Smith" />
    <meta name="date" content="2021-09-27" />
    <script src="libs/header-attrs-2.11/header-attrs.js"></script>
    <link href="libs/remark-css-0.0.1/default.css" rel="stylesheet" />
    <link href="libs/remark-css-0.0.1/default-fonts.css" rel="stylesheet" />
  </head>
  <body>
    <textarea id="source">
class: center, middle, inverse, title-slide

# Intermediate Git and Github: Security
## An Introduction
### Jenny Leopoldina Smith
### Fred Hutchinson Cancer Research Center
### 2021-09-27

---




name: intro

# Introduction

- I will be discussing some a very **general overview** of security when using Git and Github

--

.pull-left[
- This is not an exhaustive list 
  - The  goal is only to spread awareness of security issues
  
  - *Security practices change over time*
  
  - Be sure to periodically check around Github's blogs, or software you use (an example would be Docker containers or cloud services), or a friendly co-worker, occasionally to discuss 
]

.pull-right[
![my_image](https://github.blog/wp-content/uploads/2020/08/security-default.png?w=1200)
]

---

# Protect Against Secrets in Git Repositories

- This is an overview of the "best practices" highlighted in a post by the computational biologist Sean Davis&lt;sup&gt;1,2&lt;/sup&gt;, but its relevant to everyone.

--

- In this example, the author using github included their secret key for AWS directly into code + committed the change in a local repo. 
--

  - The key was used to access AWS and use resources the author was paying for! 

--

- To be proactive - check out [`git-secrets`](https://github.com/awslabs/git-secrets) to secure your passwords and sensitive information! 

&lt;!-- From the blog: re-phrase for presentation I deleted the GitHub repo and did some local checking and, in retrospect, realized my mistake. Git had dutifully saved the entire history of my project including a version of one file with AWS keys in it. Upon pushing to GitHub, the keys were there in the history. I breathed a sigh of relief that no harm had been done. --&gt; 

&lt;img src="https://i.ytimg.com/vi/4fZKJ90GVHg/mqdefault.jpg" width="40%" height="40%" style="display: block; margin: auto 0 auto auto;" /&gt;

--

.footnote[
[1] [Sean Davis, post on Medium](https://medium.com/@seandavis12/protect-against-secrets-in-git-repositories-a531038fac7e)

[2] [Sean Davis, post on Personal Blog](https://seandavi.github.io/post/protect-against-secrets-in-git-repositories/)

[3] Image credit: [github blog](https://github.blog/2021-01-11-github-security-features-highlights-from-2020/)
]


---

name: git-secrets-cont1

# git-secrets

- The code snippet is directly from the blog post.

  - If you use a Mac, installation is easy with `homebrew`

--

- To try it out, you can make toy git repo to test the functionality.

````markdown
```{bash}
# create an example git repo
mkdir secrets_example  #&lt;&lt;
cd secrets_example  #&lt;&lt;
git init  #&lt;&lt;
# now "install" the git-secrets hook
git secrets --install  #&lt;&lt;
```
````

---

name: git-secrets-cont2

# git-secrets

- once installed, list any secrects detected in your environment with `git secrets --list`

- Then add a simple example password to git-secrets configuration
  - Try to commit a file containing your password

--

````markdown
```{bash}
git secrets --add 'MyPASSWORD[0-9]+' #&lt;&lt;
echo 'MyPASSWORD123' &gt;&gt; test.file 
git add test.file #&lt;&lt;
git commit -m 'test file with password' #&lt;&lt;
```
````

- the output: `[ERROR] Matched one or more prohibited patterns`
.footnote[
Additional Info:  [best practices for AWS keys](http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html)
]
---
background-image: url(https://usethis.r-lib.org/logo.png)
background-position: right top

# R package: `usethis` for Guidance 

.pull-left[
- The package `usethis` provides a fantastic overview of getting started with git and github for beginner to advanced users. 
]

.pull-right[

]
--

- The [vignette](https://usethis.r-lib.org/articles/articles/usethis-setup.html) covers the following concepts:

--
  - How to get a free GitHub.com account and install Git.
--

  - Configure your Git user.name and user.email
--

  - Reviews how RStudio can find your Git executable
--

  - Reviews how you can pull/push from your local computer to GitHub.com, in general and from RStudio
--

  - Reviews how to get a personal access token (PAT) from GitHub.com and make it available in R sessions
--

---

# R package: `usethis` for Guidance

- To begin, install the package and configure your .Rprofile and git.

````markdown
```{r tidy=TRUE}
library(usethis) 
usethis::edit_r_profile() #Set HTTPS for github protocol
use_git_config(user.name = "Jane Doe", 
               user.email = "jane@example.com")
```
````

--

- Some useful functions from `usethis` for use with github are:
  1.  `create_project()`
  2.  `use_git()` and `use_github()`
  3.  `git_vaccinate()`
  4.  `git_sitrep()`
  5.  `gh_token_help()`

--

&gt; `git_vaccinate()` Adds .DS_Store, .Rproj.user, .Rdata, .Rhistory, and .httr-oauth to your global (a.k.a. user-level) .gitignore. This is good practice as it decreases the chance that you will accidentally leak credentials to GitHub.

---

background-image: url(https://usethis.r-lib.org/logo.png)
background-position: bottom center


# R package: `usethis` for Guidance

- To enable git and github, you will have to configure your PAT (personal access token)
  - It might seem overwhelming, but getting and setting up your PAT can be done! 

- Again, there is a [full article](https://usethis.r-lib.org/articles/articles/usethis-setup.html) from `usethis` covering the topic: "Managing Git(Hub) Credentials".

---

# Setting up Git Credentials

1) MacOS and Linux to [store credentials](https://docs.github.com/en/get-started/getting-started-with-git/caching-your-github-credentials-in-git) for GitHub over HTTPS
  -  Installatipn of a credenial manager `brew install --cask git-credential-manager-core`
  - "The next time you clone an HTTPS URL that requires authentication, Git will prompt you to log in using a browser window."
  
--

2) Another useful follow-up function is `usethis::gh_token_help()` which can provide helpful prompts! 

````markdown
• GitHub host: 'https://github.com'
• Host online: TRUE
• Personal access token for 'https://github.com': '&lt;discovered&gt;'
ℹ Call `gh::gh_whoami()` to see info about your token, e.g. the associated user
ℹ To see or update the token, call `gitcreds::gitcreds_set()`
✓ If those results are OK, you are good go to!
ℹ Read more in the 'Managing Git(Hub) Credentials' article:
  https://usethis.r-lib.org/articles/articles/git-credentials.html
````


---
background-image: url("images/tweet_example.png")
background-position: top right
background-size: 40% 80%

# Mistakes Happen 

.pull-left[
- Remember security is a community issue, and its always evolving. 
]
.pull-right[

]
--

- For example, the vignette from `usethis` has changed significantly over the last few years from storing your `.Renviron` file. 
&gt; This means we can stop storing GitHub PATs in plain text in a startup file, like .Renviron 4. This, in turn, reduces the risk of accidentally leaking your credentials.

--

- Leaks can and will happen. 
  - And there are active pushes to address these, with [secret scanning](https://github.blog/2021-01-11-github-security-features-highlights-from-2020/) enabled in github repos

--

  - As recently as mid-September 2021,`travis-ci` leaked nearly all users keys, passwords, and other sensitive information. 

---


name: end
class: center middle
# Thanks!

Please feel free to contact me: *JennyL.Smith12 [at] gmail.com*
  
.footnote[
    [1] Slides created with the R package [**xaringan**](https://github.com/yihui/xaringan).
]

    </textarea>
<style data-target="print-only">@media screen {.remark-slide-container{display:block;}.remark-slide-scaler{box-shadow:none;}}</style>
<script src="https://remarkjs.com/downloads/remark-latest.min.js"></script>
<script>var slideshow = remark.create({
"highlightStyle": "github",
"highlightLines": true,
"countIncrementalSlides": false
});
if (window.HTMLWidgets) slideshow.on('afterShowSlide', function (slide) {
  window.dispatchEvent(new Event('resize'));
});
(function(d) {
  var s = d.createElement("style"), r = d.querySelector(".remark-slide-scaler");
  if (!r) return;
  s.type = "text/css"; s.innerHTML = "@page {size: " + r.style.width + " " + r.style.height +"; }";
  d.head.appendChild(s);
})(document);

(function(d) {
  var el = d.getElementsByClassName("remark-slides-area");
  if (!el) return;
  var slide, slides = slideshow.getSlides(), els = el[0].children;
  for (var i = 1; i < slides.length; i++) {
    slide = slides[i];
    if (slide.properties.continued === "true" || slide.properties.count === "false") {
      els[i - 1].className += ' has-continuation';
    }
  }
  var s = d.createElement("style");
  s.type = "text/css"; s.innerHTML = "@media print { .has-continuation { display: none; } }";
  d.head.appendChild(s);
})(document);
// delete the temporary CSS (for displaying all slides initially) when the user
// starts to view slides
(function() {
  var deleted = false;
  slideshow.on('beforeShowSlide', function(slide) {
    if (deleted) return;
    var sheets = document.styleSheets, node;
    for (var i = 0; i < sheets.length; i++) {
      node = sheets[i].ownerNode;
      if (node.dataset["target"] !== "print-only") continue;
      node.parentNode.removeChild(node);
    }
    deleted = true;
  });
})();
(function() {
  "use strict"
  // Replace <script> tags in slides area to make them executable
  var scripts = document.querySelectorAll(
    '.remark-slides-area .remark-slide-container script'
  );
  if (!scripts.length) return;
  for (var i = 0; i < scripts.length; i++) {
    var s = document.createElement('script');
    var code = document.createTextNode(scripts[i].textContent);
    s.appendChild(code);
    var scriptAttrs = scripts[i].attributes;
    for (var j = 0; j < scriptAttrs.length; j++) {
      s.setAttribute(scriptAttrs[j].name, scriptAttrs[j].value);
    }
    scripts[i].parentElement.replaceChild(s, scripts[i]);
  }
})();
(function() {
  var links = document.getElementsByTagName('a');
  for (var i = 0; i < links.length; i++) {
    if (/^(https?:)?\/\//.test(links[i].getAttribute('href'))) {
      links[i].target = '_blank';
    }
  }
})();
// adds .remark-code-has-line-highlighted class to <pre> parent elements
// of code chunks containing highlighted lines with class .remark-code-line-highlighted
(function(d) {
  const hlines = d.querySelectorAll('.remark-code-line-highlighted');
  const preParents = [];
  const findPreParent = function(line, p = 0) {
    if (p > 1) return null; // traverse up no further than grandparent
    const el = line.parentElement;
    return el.tagName === "PRE" ? el : findPreParent(el, ++p);
  };

  for (let line of hlines) {
    let pre = findPreParent(line);
    if (pre && !preParents.includes(pre)) preParents.push(pre);
  }
  preParents.forEach(p => p.classList.add("remark-code-has-line-highlighted"));
})(document);</script>

<script>
slideshow._releaseMath = function(el) {
  var i, text, code, codes = el.getElementsByTagName('code');
  for (i = 0; i < codes.length;) {
    code = codes[i];
    if (code.parentNode.tagName !== 'PRE' && code.childElementCount === 0) {
      text = code.textContent;
      if (/^\\\((.|\s)+\\\)$/.test(text) || /^\\\[(.|\s)+\\\]$/.test(text) ||
          /^\$\$(.|\s)+\$\$$/.test(text) ||
          /^\\begin\{([^}]+)\}(.|\s)+\\end\{[^}]+\}$/.test(text)) {
        code.outerHTML = code.innerHTML;  // remove <code></code>
        continue;
      }
    }
    i++;
  }
};
slideshow._releaseMath(document);
</script>
<!-- dynamically load mathjax for compatibility with self-contained -->
<script>
(function () {
  var script = document.createElement('script');
  script.type = 'text/javascript';
  script.src  = 'https://mathjax.rstudio.com/latest/MathJax.js?config=TeX-MML-AM_CHTML';
  if (location.protocol !== 'file:' && /^https?:/.test(script.src))
    script.src  = script.src.replace(/^https?:/, '');
  document.getElementsByTagName('head')[0].appendChild(script);
})();
</script>
  </body>
</html>