DevSecOps - Kubernetes DevOps & Security

Demo Talisman

In this lesson, you’ll see Talisman in action—installing it on a developer workstation, scanning for secrets before pushing, and configuring exceptions.

Talisman Repository

You can find the official Talisman project on GitHub. Explore the code, review open issues, or contribute back to the repository.

The image shows a GitHub repository page for "thoughtworks/talisman," displaying the code files, recent commits, and an "About" section describing the project.

Refer to the project’s README for detailed installation and usage instructions.

The image shows a GitHub page for the "Talisman" project, displaying a table of contents related to installation and usage instructions. The page includes various sections like installation methods and handling hooks.

Installing Talisman Locally

Prerequisites

  • Git installed on your Linux or macOS system
  • curl (or wget) available in your PATH

Download and install Talisman as a Git hook in your project directory:

# Fetch and prepare the installer
curl https://thoughtworks.github.io/talisman/install.sh -o ~/install-talisman.sh
chmod +x ~/install-talisman.sh

cd /path/to/your-git-project

# Install as a pre-push hook (default)
~/install-talisman.sh

# Optionally install as a pre-commit hook
~/install-talisman.sh pre-commit

Note

The installer adds or updates hooks in .git/hooks. Ensure you have write permissions to the project directory before running the script.

Hook Types Comparison

Hook Type   | Purpose                               | Installation Command
------------+---------------------------------------+-----------------------------------
pre-push    | Scan code before running git push     | ~/install-talisman.sh
pre-commit  | Scan code before allowing git commit  | ~/install-talisman.sh pre-commit

Preparing the Demo Repository

On your VM, clone (or navigate to) the demo repository and pull the latest changes:

git clone https://github.com/your-org/devsecops-k8s-demo.git
cd devsecops-k8s-demo
git pull
ls -l

You should see:

  • Jenkinsfile
  • Dockerfile
  • k8s_deployment_service.yaml
  • .git folder (containing the hooks directory)

Installing the Pre-Push Hook

Add Talisman to your demo repo:

~/install-talisman.sh

Verify the hook is in place:

ls .git/hooks | grep pre-push
# pre-push
# pre-push.sample

Testing Talisman Scans

Create a directory with sample files simulating secrets:

mkdir sec_files && cd sec_files

echo "username=siddharth"                                > file1
echo "secure-password123"                               > password.txt
echo "apikey=iz5yCqhjgrPtr_La56sdukjfav_laCqhjgrPtr_2s"  > file2
echo "base64encodedsecret=cGFzc3dvcmx0aXMtcXdlcnR5MTIzCg==" > file3

cd ..

Stage and commit:

git add sec_files/
git commit -m "Add test secret files"

Attempt to push:

git push

Talisman will scan and block any push with detected secrets. Example output:

Talisman Scan: 12 / 12  <----- ERRORS -----------
FILE                       | ERRORS                                           | SEVERITY
---------------------------+--------------------------------------------------+---------
sec_files/password.txt     | failed checks against the pattern password       | low
sec_files/file3            | contains base64 encoded strings                  | low
sec_files/file3            | potential secret pattern: base64encodedsecret=…   | low
sec_files/file2            | potential secret pattern: apikey=iz5yCqhjgrPtr…   | low

error: failed to push some refs to 'https://github.com/...'

Note

By default, Talisman checks for passwords, API keys, and Base64-encoded secrets. You can customize its behavior with a .talismanrc file if needed.

Ignoring Specific Files

To exempt certain files from scanning, create a .talismanrc in your project root:

fileignoreconfig:
  - filename: sec_files/file3
    checksum: b058bbb495454d508634e7d508163ad962c3ec699bc676db38a5

Then commit and push again:

git add .talismanrc
git commit -m "Ignore base64 file3 in Talisman scans"
git push

Talisman will now skip sec_files/file3 but still block other flagged content.
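The checksum pins the exemption to the file's current contents, so the file is scanned again as soon as it changes. As an added example (not from this lesson or the Talisman project), the POSIX shell helpers below generate a fileignoreconfig entry for a file and check whether an existing entry still matches the file on disk; they assume the checksum field is the SHA-256 hex digest of the file contents, and fall back to shasum where sha256sum is not available (macOS).

```shell
# Added example, not part of Talisman: build and verify .talismanrc
# fileignoreconfig entries. Assumption: the checksum field is the
# SHA-256 hex digest of the file's contents.

# Portable SHA-256: GNU coreutils sha256sum, or shasum on macOS/BSD.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Print a fileignoreconfig YAML snippet for one file, pinned to its
# current content hash.
talismanrc_entry() {
  printf 'fileignoreconfig:\n  - filename: %s\n    checksum: %s\n' \
    "$1" "$(file_sha256 "$1")"
}

# Exit 0 if the checksum recorded in a .talismanrc for the file still
# matches the file on disk; non-zero if the file changed (the exemption
# no longer applies and Talisman scans it again) or it has no entry.
# Usage: talismanrc_entry_current .talismanrc sec_files/file3
talismanrc_entry_current() {
  rc="$1"
  f="$2"
  recorded=$(awk -v f="$f" '
    $1 == "-" && $2 == "filename:" && $3 == f { want = 1; next }
    want && $1 == "checksum:" { print $2; exit }
  ' "$rc")
  [ -n "$recorded" ] && [ "$recorded" = "$(file_sha256 "$f")" ]
}
```

Re-run talismanrc_entry after a deliberate edit to an exempted file and commit the refreshed entry; otherwise the next push is blocked again.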

Cleaning Up and Final Push

Remove or refactor any remaining flagged files:

cd sec_files
rm password.txt file2
cd ..
git add -u
git commit -m "Remove sensitive files"
git push

With only approved files left, the final push should succeed.


By integrating Talisman as a pre-push (or pre-commit) hook, you ensure that sensitive data—passwords, API keys, and Base64-encoded tokens—are caught before they reach your remote repository.
