intermediate_git_presentation.Rmd

---
title: "Intermediate Git and Github: Security"
subtitle: "An Introduction"
author: "Jenny Leopoldina Smith"
institute: "Fred Hutchinson Cancer Research Center"
date: "`r Sys.Date()`"
output:
  xaringan::moon_reader:
    lib_dir: libs
    nature:
      highlightStyle: github
      highlightLines: true
      countIncrementalSlides: false
---



name: intro

# Introduction

- I will be discussing some a very **general overview** of security when using Git and Github

--

.pull-left[
- This is not an exhaustive list 
  - The  goal is only to spread awareness of security issues
  
  - *Security practices change over time*
  
  - Be sure to periodically check around Github's blogs, or software you use (an example would be Docker containers or cloud services), or a friendly co-worker, occasionally to discuss 
]

.pull-right[
![my_image](https://github.blog/wp-content/uploads/2020/08/security-default.png?w=1200)
]

---

# Protect Against Secrets in Git Repositories

- This is an overview of the "best practices" highlighted in a post by the computational biologist Sean Davis<sup>1,2</sup>, but its relevant to everyone.

--

- In this example, the author using github included their secret key for AWS directly into code + committed the change in a local repo. 
--

  - The key was used to access AWS and use resources the author was paying for! 

--

- To be proactive - check out [`git-secrets`](https://github.com/awslabs/git-secrets) to secure your passwords and sensitive information! 

<!-- From the blog: re-phrase for presentation I deleted the GitHub repo and did some local checking and, in retrospect, realized my mistake. Git had dutifully saved the entire history of my project including a version of one file with AWS keys in it. Upon pushing to GitHub, the keys were there in the history. I breathed a sigh of relief that no harm had been done. --> 

```{r echo=FALSE,fig.show='asis', out.height="40%", out.width="40%",fig.align='right'}
knitr::include_graphics('https://i.ytimg.com/vi/4fZKJ90GVHg/mqdefault.jpg')
```

--

.footnote[
[1] [Sean Davis, post on Medium](https://medium.com/@seandavis12/protect-against-secrets-in-git-repositories-a531038fac7e)

[2] [Sean Davis, post on Personal Blog](https://seandavi.github.io/post/protect-against-secrets-in-git-repositories/)

[3] Image credit: [github blog](https://github.blog/2021-01-11-github-security-features-highlights-from-2020/)
]


---

name: git-secrets-cont1

# git-secrets

- The code snippet is directly from the blog post.

  - If you use a Mac, installation is easy with `homebrew`

--

- To try it out, you can make toy git repo to test the functionality.

````markdown
`r ''````{bash}
# create an example git repo
mkdir secrets_example  #<<
cd secrets_example  #<<
git init  #<<
# now "install" the git-secrets hook
git secrets --install  #<<
```
````

---

name: git-secrets-cont2

# git-secrets

- once installed, list any secrects detected in your environment with `git secrets --list`

- Then add a simple example password to git-secrets configuration
  - Try to commit a file containing your password

--

````markdown
`r ''````{bash}
git secrets --add 'MyPASSWORD[0-9]+' #<<
echo 'MyPASSWORD123' >> test.file 
git add test.file #<<
git commit -m 'test file with password' #<<
```
````

- the output: `[ERROR] Matched one or more prohibited patterns`
.footnote[
Additional Info:  [best practices for AWS keys](http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html)
]
---
background-image: url(https://usethis.r-lib.org/logo.png)
background-position: right top

# R package: `usethis` for Guidance 

.pull-left[
- The package `usethis` provides a fantastic overview of getting started with git and github for beginner to advanced users. 
]

.pull-right[

]
--

- The [vignette](https://usethis.r-lib.org/articles/articles/usethis-setup.html) covers the following concepts:

--
  - How to get a free GitHub.com account and install Git.
--

  - Configure your Git user.name and user.email
--

  - Reviews how RStudio can find your Git executable
--

  - Reviews how you can pull/push from your local computer to GitHub.com, in general and from RStudio
--

  - Reviews how to get a personal access token (PAT) from GitHub.com and make it available in R sessions
--

---

# R package: `usethis` for Guidance

- To begin, install the package and configure your .Rprofile and git.

````markdown
`r ''````{r tidy=TRUE}
library(usethis) 
usethis::edit_r_profile() #Set HTTPS for github protocol
use_git_config(user.name = "Jane Doe", 
               user.email = "jane@example.com")
```
````

--

- Some useful functions from `usethis` for use with github are:
  1.  `create_project()`
  2.  `use_git()` and `use_github()`
  3.  `git_vaccinate()`
  4.  `git_sitrep()`
  5.  `gh_token_help()`

--

> `git_vaccinate()` Adds .DS_Store, .Rproj.user, .Rdata, .Rhistory, and .httr-oauth to your global (a.k.a. user-level) .gitignore. This is good practice as it decreases the chance that you will accidentally leak credentials to GitHub.

---

background-image: url(https://usethis.r-lib.org/logo.png)
background-position: bottom center


# R package: `usethis` for Guidance

- To enable git and github, you will have to configure your PAT (personal access token)
  - It might seem overwhelming, but getting and setting up your PAT can be done! 

- Again, there is a [full article](https://usethis.r-lib.org/articles/articles/usethis-setup.html) from `usethis` covering the topic: "Managing Git(Hub) Credentials".

---

# Setting up Git Credentials

1) MacOS and Linux to [store credentials](https://docs.github.com/en/get-started/getting-started-with-git/caching-your-github-credentials-in-git) for GitHub over HTTPS
  -  Installatipn of a credenial manager `brew install --cask git-credential-manager-core`
  - "The next time you clone an HTTPS URL that requires authentication, Git will prompt you to log in using a browser window."
  
--

2) Another useful follow-up function is `usethis::gh_token_help()` which can provide helpful prompts! 

````markdown
• GitHub host: 'https://github.com'
• Host online: TRUE
• Personal access token for 'https://github.com': '<discovered>'
ℹ Call `gh::gh_whoami()` to see info about your token, e.g. the associated user
ℹ To see or update the token, call `gitcreds::gitcreds_set()`
✓ If those results are OK, you are good go to!
ℹ Read more in the 'Managing Git(Hub) Credentials' article:
  https://usethis.r-lib.org/articles/articles/git-credentials.html
````


---
background-image: url("images/tweet_example.png")
background-position: top right
background-size: 40% 80%

# Mistakes Happen 

.pull-left[
- Remember security is a community issue, and its always evolving. 
]
.pull-right[

]
--

- For example, the vignette from `usethis` has changed significantly over the last few years from storing your `.Renviron` file. 
> This means we can stop storing GitHub PATs in plain text in a startup file, like .Renviron 4. This, in turn, reduces the risk of accidentally leaking your credentials.

--

- Leaks can and will happen. 
  - And there are active pushes to address these, with [secret scanning](https://github.blog/2021-01-11-github-security-features-highlights-from-2020/) enabled in github repos

--

  - As recently as mid-September 2021,`travis-ci` leaked nearly all users keys, passwords, and other sensitive information. 

---


name: end
class: center middle
# Thanks!

Please feel free to contact me: *JennyL.Smith12 [at] gmail.com*
  
.footnote[
    [1] Slides created with the R package [**xaringan**](https://github.com/yihui/xaringan).
]