防止 Git 泄漏的 5 种最佳做法 #6907
Merged
防止 Git 泄漏的 5 种最佳做法 #6907
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
防止 Git 泄漏的 5 种最佳做法
Closed
|
校对认领 |
QinRoc
reviewed
Apr 13, 2020
|
|
||
| 1. Any configuration data, including password, API keys, AWS keys, private keys, etc. | ||
| 2. [Personally Identifiable Information](https://en.wikipedia.org/wiki/Personal_data) (PII). According to GDPR, if a company leaked the users’ PII, the company needs to notify users, relevant departments and there will be more legal troubles. | ||
| 1. 任何配置数据,包括密码,API 密钥,AWS 密钥,私钥等。 |
There was a problem hiding this comment.
「包括密码,API 密钥,AWS 密钥,私钥等」 => 「包括密码、API 密钥、AWS 密钥和私钥等」
|
|
||
| Attackers can easily find some code with a company copyright on GitHub, which was accidentally leaked to Github by employees. | ||
| 攻击者可以在 GitHub 上轻松的找到某些具有公司版权的代码,而这些代码都是无意中被员工泄露在 Github 上。 |
|
|
||
| Attackers can easily find some code with a company copyright on GitHub, which was accidentally leaked to Github by employees. | ||
| 攻击者可以在 GitHub 上轻松的找到某些具有公司版权的代码,而这些代码都是无意中被员工泄露在 Github 上。 |
There was a problem hiding this comment.
「而这些代码都是无意中被员工泄露在 Github 上」 => 「而这些代码都是被员工无意中泄露到 Github 上的」
|
|
||
| This project’s [gitignore](https://github.com/github/gitignore) is a collection of useful .gitignore templates, with all kinds of programming language, framework, tool or environment. | ||
| [这个项目的 .gitignore](https://github.com/github/gitignore) 是一个实际使用着的 .gitignore 模板集合,其中包含各种编程语言文件、框架、工具或环境配置文件。 |
There was a problem hiding this comment.
「这个项目的 .gitignore」 => 「这个 gitignore 项目」
|
|
||
| This project’s [gitignore](https://github.com/github/gitignore) is a collection of useful .gitignore templates, with all kinds of programming language, framework, tool or environment. | ||
| [这个项目的 .gitignore](https://github.com/github/gitignore) 是一个实际使用着的 .gitignore 模板集合,其中包含各种编程语言文件、框架、工具或环境配置文件。 |
There was a problem hiding this comment.
「其中包含各种编程语言文件、框架、工具或环境配置文件」 => 「其中包含对应各种编程语言、框架、工具或环境的配置文件」
|
|
||
| **Remember to backup before any cleanup, and then remove the backup clone after we confirmed everything is OK**. | ||
| **请记住在进行任何清理之前务必先进行备份,然后在确认一切正常后再删除备份文件。** |
There was a problem hiding this comment.
「请记住在进行任何清理之前务必先进行备份」 => 「在进行任何清理之前请记得进行备份」
|
|
||
| ```bash | ||
| git clone --mirror git://example.com/need-clean-repo.git | ||
| ``` | ||
|
|
||
| We need **git filter-branch** to remove data from all branches and commit histories. Suppose we want to remove `./config/passwd` from Git: | ||
| 我们需要执行 **git filter-branch** 来从所有分支中删除数据并提交历史记录。 |
There was a problem hiding this comment.
「我们需要执行 git filter-branch 来从所有分支中删除数据并提交历史记录。」 => 「我们需要执行 git filter-branch 命令来从所有分支中删除数据和提交历史记录。」
| We need **git filter-branch** to remove data from all branches and commit histories. Suppose we want to remove `./config/passwd` from Git: | ||
| 我们需要执行 **git filter-branch** 来从所有分支中删除数据并提交历史记录。 | ||
|
|
||
| 下面举个例子,假设我们要从 Git 中删除 `./ config / passwd`: |
There was a problem hiding this comment.
「./ config / passwd」 => 「./config/passwd」
|
|
||
| If the leaked Git repository is forked by others, we need to follow the [DMCA Takedown Policy](https://help.github.com/en/github/site-policy/dmca-takedown-policy#c-what-if-i-inadvertently-missed-the-window-to-make-changes) to ask Github to remove the forked repositories. | ||
| 如果泄漏的 Git 代码库是由其他人创建的,我们需要遵循 [DMCA](https://help.github.com/en/github/site-policy/dmca-takedown-policy#c-what-if-i-inadvertently-missed-the-window-to-make-changes) 的删除策略,要求 Github 删除创建的代码库。 |
There was a problem hiding this comment.
「如果泄漏的 Git 代码库是由其他人创建的」 => 「如果泄漏的 Git 代码库被其他人分叉了」
|
|
||
| If the leaked Git repository is forked by others, we need to follow the [DMCA Takedown Policy](https://help.github.com/en/github/site-policy/dmca-takedown-policy#c-what-if-i-inadvertently-missed-the-window-to-make-changes) to ask Github to remove the forked repositories. | ||
| 如果泄漏的 Git 代码库是由其他人创建的,我们需要遵循 [DMCA](https://help.github.com/en/github/site-policy/dmca-takedown-policy#c-what-if-i-inadvertently-missed-the-window-to-make-changes) 的删除策略,要求 Github 删除创建的代码库。 |
There was a problem hiding this comment.
「要求 Github 删除创建的代码库」 => 「请求 Github 帮助删除分叉的代码库」
|
校对认领 |
Raoul1996
reviewed
Apr 13, 2020
|
|
||
| ## Use Git ignore | ||
| ## 使用 Git 忽略 |
There was a problem hiding this comment.
我觉得还是翻译一下吧,不过我在后面都把原词也标出来了
|
|
||
|  | ||
|
|
||
| ## Check commits with Git hooks and CI | ||
| ## 使用 Git 钩子 和 CI 检查提交 |
|
|
||
| [git-secrets](https://github.com/awslabs/git-secrets) and [talisman](https://github.com/thoughtworks/talisman) are similar tools, they are meant to be installed in local repositories as [pre-commit hooks](https://git-scm.com/book/en/v2/Customizing-Git-Git-Hooks). Every change will be checked before committed, pre-commit hooks will reject the commit if they detect a prospective commit may contain sensitive information. | ||
| [git-secrets](https://github.com/awslabs/git-secrets) 和 [talisman](https://github.com/thoughtworks/talisman) 是类似的工具,它们应作为[预提交的钩子](https://git-scm.com/book/en/v2/Customizing-Git-Git-Hooks)安装在本地代码库中。每次都会在提交之前对更改的内容进行检查,如果钩子检测到预期的提交内容可能包含敏感信息,那它们将会拒绝提交。 |
There was a problem hiding this comment.
pre-commit hooks 同样推荐不要翻译?
|
|
||
| ## Code review | ||
| ## 代码审查 |
|
|
||
| Most unintended changes can be found out during the code review stage. | ||
| 在代码检查阶段可以发现大多数意外更改。 |
|
|
||
| [Enabling branch restrictions](https://help.github.com/en/github/administering-a-repository/enabling-branch-restrictions) can enforce branch restrictions so that only certain users can push to a protected branch in repositories. Gitlab has a similar option. | ||
| [启用分支限制](https://help.github.com/en/github/administering-a-repository/enabling-branch-restrictions) 可以强制执行分支限制,以便只有部分用户才能推送到代码库中受保护的分支。 Gitlab 也有类似的选择。 |
|
|
||
| ```bash | ||
| $ echo "./config/password" >> .gitignore | ||
| $ git add .gitignore | ||
| $ git commit -m "Add password to .gitignore" | ||
| ``` | ||
|
|
||
| Then we push all branches to remote: | ||
| 然后我们将所有分支推送到远程: |
|
|
||
| ```bash | ||
| $ git push --force --all | ||
| $ git push --force --tags | ||
| ``` | ||
|
|
||
| Tell our collaborators to rebase: | ||
| 告诉我们的小伙伴进行基准调整: |
There was a problem hiding this comment.
rebase 不要翻译了,或者一般这个叫”变基“
Raoul1996
reviewed
Apr 15, 2020
|
|
||
| ```bash | ||
| $ git push --force --all | ||
| $ git push --force --tags | ||
| ``` | ||
|
|
||
| 告诉我们的小伙伴进行基准调整: | ||
| 告诉我们的小伙伴进行复位基底(rebase): |
There was a problem hiding this comment.
|
@fanyijihua 应该是校对完成了 |
lsvih
reviewed
Apr 20, 2020
|
|
||
|  | ||
|
|
||
| Countless developers are using Git for version control, but many don’t have enough knowledge about how Git works. Some people even use Git and Github as tools for backup files. This leads to information disclosure in Git repositories. [Thousands of new API or cryptographic keys leak via GitHub projects every day.](https://www.zdnet.com/article/over-100000-github-repos-have-leaked-api-or-cryptographic-keys/) | ||
| 无数的开发人员正在使用 Git 进行版本控制,但是许多开发人员对 Git 的工作方式并没有足够的了解。有些人甚至将 Git 和 Github 用作备份文件的工具。这些做法导致 Git 仓库中的信息遭到泄露。[每天都有数千个新的 API 或加密密钥从 GitHub 泄漏出去。](https://www.zdnet.com/article/over-100000-github-repos-have-leaked-api-or-cryptographic-keys/) |
There was a problem hiding this comment.
Suggested change
| 无数的开发人员正在使用 Git 进行版本控制,但是许多开发人员对 Git 的工作方式并没有足够的了解。有些人甚至将 Git 和 Github 用作备份文件的工具。这些做法导致 Git 仓库中的信息遭到泄露。[每天都有数千个新的 API 或加密密钥从 GitHub 泄漏出去。](https://www.zdnet.com/article/over-100000-github-repos-have-leaked-api-or-cryptographic-keys/) | |
| 无数的开发人员正在使用 Git 进行版本控制,但是许多开发人员对 Git 的工作方式并没有足够的了解。有些人甚至将 Git 和 Github 用作备份文件的工具。这些做法导致 Git 仓库中的信息遭到泄露,[每天都有数千个新的 API 或加密密钥从 GitHub 泄漏出去](https://www.zdnet.com/article/over-100000-github-repos-have-leaked-api-or-cryptographic-keys/)。 |
|
|
||
| I have been working in the field of information security for three years. About two years ago, our company had a severe security issue triggered by the information leak in a Git repository. | ||
| 我在信息安全领域工作了三年。 大约在两年前,我们公司发生了一起非常严重的安全问题,是由于 Git 仓库发生了信息泄露导致的。 |
There was a problem hiding this comment.
Suggested change
| 我在信息安全领域工作了三年。 大约在两年前,我们公司发生了一起非常严重的安全问题,是由于 Git 仓库发生了信息泄露导致的。 | |
| 我在信息安全领域工作了三年。大约在两年前,我们公司发生了一起非常严重的安全问题,是由于 Git 仓库发生了信息泄露导致的。 |
|
|
||
| [Enabling branch restrictions](https://help.github.com/en/github/administering-a-repository/enabling-branch-restrictions) can enforce branch restrictions so that only certain users can push to a protected branch in repositories. Gitlab has a similar option. | ||
| [启用分支限制](https://help.github.com/en/github/administering-a-repository/enabling-branch-restrictions) 可以强制执行分支限制,以便只有部分用户才能推送到代码库中受保护的分支。 Gitlab 也有类似的选择。 |
There was a problem hiding this comment.
Suggested change
| [启用分支限制](https://help.github.com/en/github/administering-a-repository/enabling-branch-restrictions) 可以强制执行分支限制,以便只有部分用户才能推送到代码库中受保护的分支。 Gitlab 也有类似的选择。 | |
| [启用分支限制](https://help.github.com/en/github/administering-a-repository/enabling-branch-restrictions) 可以强制执行分支限制,以便只有部分用户才能推送到代码库中受保护的分支。Gitlab 也有类似的选择。 |
|
@YueYongDev 抱歉,机器人挂了所以前几天没看到这篇文章状态的变化。提了几个标点上的问题,您修复一下吧,没别的问题啦 |
已更新 |
lsvih
approved these changes
Apr 20, 2020
|
@YueYongDev 已经 merge 啦~ 快快麻溜发布到掘金然后给我发下链接,方便及时添加积分哟。 掘金翻译计划有自己的知乎专栏,你也可以投稿哈,推荐使用一个好用的插件。 |
|
YueYongDev
deleted the
translation/5-best-practices-to-prevent-git-leaks.md
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
译文翻译完成,resolve #6895