This document describes how to safeguard your sensitive information with integrated data loss prevention (DLP) in Secure Source Manager.
DLP in Secure Source Manager enhances the security of your codebase by scanning every commit pushed to your repositories for sensitive information that should be encrypted or removed. If such data is detected, DLP rejects the push, preventing the sensitive details from being inadvertently merged.
DLP in Secure Source Manager treats the following categories of information as sensitive:
- Encryption Keys: This includes items like SSH public keys.
- AWS Credentials: Access keys and secret keys for Amazon Web Services.
- GCP Credentials: Service account keys and other Google Cloud secrets.
- OAuth Client Secrets: Secrets used for application authentication using OAuth.
- Secret Keys: Sensitive keys used for authentication or authorization.
Enable data loss prevention
Ensure the following roles and settings are enabled for your repository.
Required roles
To get the permissions that you need to enable Data Loss Prevention, ask your administrator to grant you the Secure Source Manager Repository Admin (roles/securesourcemanager.repoAdmin) IAM role on the Secure Source Manager instance.
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
For information on granting Secure Source Manager roles, see Access control with IAM and Grant users instance access.
Update repository settings
You can activate DLP for your repositories through the Secure Source Manager interface:
- Navigate to the repository where you want to enable DLP.
- Click the Settings icon.
- Locate the Data Loss Prevention toggle switch.
- Slide the toggle to the On position.
Working with DLP in Secure Source Manager
Once DLP is enabled, it monitors every commit pushed to your repository. If sensitive information is identified in a commit, the system rejects the push so the commit cannot be merged, and the user receives an error message in their command-line interface indicating that sensitive data is present. At this point, users have two options:
Revert the change
To remove the sensitive information, you can revert the problematic commit using the following command:
git reset --soft sha1-commit-id
Replace sha1-commit-id with the actual commit ID.
Because Git retains the history of all commits, sensitive material can still be recovered from previous commits. To avoid this, use the git reset --soft command, then correct the files and commit them again so that the data is removed from the branch's recent history.
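The following script is an added example, not part of the Secure Source Manager documentation: it replays the soft-reset remediation above in a throwaway local repository, then checks that the secret is gone from the branch history that a push would send while still being present in the local reflog. It assumes git is installed; the repository contents and the placeholder secret are constructed here.

```shell
#!/bin/sh
# Added example (not from the Secure Source Manager docs): replays the page's
# "revert the change" remediation in a throwaway local repository.
# Assumes git is installed; repository contents and the secret are constructed.
set -e

# Build a scratch repo: one clean commit, then one that adds a fake secret.
setup_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" config user.email "dev@example.com"
  git -C "$dir" config user.name "Dev"
  echo "print('hello')" > "$dir/app.py"
  git -C "$dir" add app.py
  git -C "$dir" commit -q -m "initial"
  # Constructed placeholder value; not a real credential.
  echo "AWS_SECRET=FAKE-SECRET-DO-NOT-COMMIT" > "$dir/config.env"
  git -C "$dir" add config.env
  git -C "$dir" commit -q -m "add config"
  echo "$dir"
}

# Number of diff lines in the history reachable from refs that contain $2.
count_in_branch() {
  git -C "$1" log -p --all | grep -c -- "$2" || true
}

# Same count, but walking the local reflog (git log -g) instead of the refs.
count_in_reflog() {
  git -C "$1" log -g -p | grep -c -- "$2" || true
}

# The page's fix: soft-reset past the offending commit (changes stay staged),
# replace the literal secret with an environment lookup, and commit again.
# The page uses an explicit commit id; HEAD~1 is the parent of the last commit.
remediate() {
  git -C "$1" reset -q --soft HEAD~1
  echo 'AWS_SECRET=${AWS_SECRET}' > "$1/config.env"
  git -C "$1" add config.env
  git -C "$1" commit -q -m "add config (read secret from environment)"
}

if [ "${1:-}" = "demo" ]; then
  repo=$(setup_repo)
  echo "before: $(count_in_branch "$repo" FAKE-SECRET) match(es) in branch history"
  remediate "$repo"
  echo "after: $(count_in_branch "$repo" FAKE-SECRET) in branch, $(count_in_reflog "$repo" FAKE-SECRET) still in local reflog"
fi
```

The reflog count shows why the page warns that Git retains history: the reset rewrites the branch tip, but the old commit object stays on the local machine until the reflog expires and is garbage-collected, so the fix only keeps the secret off the remote.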
Force-push the commit (bypass DLP)
In specific situations where the detected information is deemed acceptable, users with appropriate permissions can choose to bypass the DLP check and force-push the commit:
git push -o dlpskip=true origin branch-name
Replace branch-name with the name of the branch you're merging.