Secure DevOps With GitHub


This guide describes how to set up Secure DevOps (SDO) with the Beyond Identity Authenticator. SDO gives development and GitOps teams a secure, scalable way to sign every commit with a GPG key generated on the authenticator and to verify the commit's author before the change is merged, so that commits from unauthorized identities are rejected. You can additionally require biometric verification for every signature, which prevents local malware from committing code in a developer's name and prevents developers from bypassing hygiene and security controls.


Secure DevOps is an add-on for Secure Workforce. Contact your Account Representative to add this feature to your environment.

Prerequisites

GitHub prerequisites

  • A configured source code repository, project, and entitled users to pull, commit, and merge source code.

  • (Optional) A configured CI/CD pipeline.

Beyond Identity prerequisites

  • A Beyond Identity tenant configured for your organization and the ability to enroll users.

  • An integration with your SSO provider. The instructions are different based on your SSO provider. Please refer to the integration guides available in the link below:
    https://supportcases.beyondidentity.com/hc/en-us/sections/6746815209111-Integration-Guides

  • Any users who will sign the code must

    • Have a copy of the Beyond Identity authenticator installed.

    • Have enrolled a passkey with the tenant using the same email that will be used to sign the code.

Note the following:

  • A Beyond Identity authenticator with GPG key entitlements signs commits locally; the signatures are then verified in the CI/CD pipeline on typical DevOps events (for example, when a pull request is opened or updated). The event triggers the signature validation job, so every change that reaches a protected branch is tied to an enrolled identity.

  • A GPG key generated on the Beyond Identity Authenticator can be used to sign many repositories, but a repository can be signed with only one key.

Configure Beyond Identity for GitHub

This section describes the tasks required to configure the Beyond Identity authenticator for users with SDO enabled.

Generate a key management token

Your Beyond Identity Representative will provide you with a key management token. Treat it as a secret: it is stored as a GitHub repository secret and used in the CI/CD pipeline as the value of BYNDID_KEY_MGMT_API_TOKEN in later steps.

Get an authenticator entitlement

A Beyond Identity SME will enable the following entitlements for your tenant in the Support console so users can begin using their authenticator for commit signing.

  • Commit Signing - Enables users to generate GPG keys and configure repository paths. Every commit is signed with the authenticator-held key and its author is verified in the pipeline, so commits from unauthorized identities are rejected.

  • Commit Signing with Biometrics (optional) - Requires users to provide biometrics each time a commit is signed, which prevents local malware from committing code in their name and prevents developers from bypassing hygiene and security controls.

Add groups and users (BI Admin console)

Once the entitlements are enabled, add groups using the names in this section to generate GPG keys, configure repository paths, and optionally require biometrics for commit signing.

Important: You must use the exact group name provided below for SDO to work.

  1. Open the Groups page in the Admin console and click Add Group.

    1. Enter BI_SDO_GPG_Key_Creation for the group name.

      Important: You must use BI_SDO_GPG_Key_Creation as the exact name for Commit Signing to work.

    2. Enter an optional description and click Save Changes.

    3. Open the newly created group and then click Add Users to add any developers to this group.

  2. Users added in the steps above will see a GPG Keys link in their authenticator.

  3. Continue to the Generate a GPG Key and set a repository path (Authenticator) section below for the steps the development users will need to follow.

Generate a GPG Key and set a repository path (Authenticator)

  1. On the Beyond Identity platform authenticator, click the GPG Keys link.


  2. Click Create GPG key to create and configure GPG keys.


  3. Ensure the email address matches both the email configured in Git for your commits and the email used to enroll the passkey; a mismatch means the signature cannot be tied to the enrolled identity. You can ignore the expiration date.

  4. Click Create. You should see the key in the Authenticator.

  5. Set the repository path on the authenticator.

    1. In the authenticator, click the ellipses to the right of the GPG key and choose Set repository.

    2. Browse to the local path of the repository root and click Configure.

  6. Continue to Configure GitHub below.

Configure GitHub

For more information about how to use GitHub, see Appendix: Get Started with GitHub.

  1. Create a GitHub account.

  2. Sign in to the GitHub account with the same email that will be used to code sign/verify.

  3. Set up a GitHub repository.

  4. Navigate to Your Repository > Settings > Secrets (Secrets and variables > Actions in the current GitHub UI) and, under Repository secrets, add a secret named BYNDID_KEY_MGMT_API_TOKEN with the value provided to you in Generate a key management token.

  5. Confirm the secret is listed under Repository secrets. GitHub will not display the value again; it must never be committed to the repository or echoed in workflow logs.

  6. Create a workflow file in the .github/workflows directory of your repository:

    • .github/workflows/auth-commit-sig.yml

name: Authorize Commit Signing

# Condition that triggers the pipeline job that verifies the signature with Beyond Identity
on:
  pull_request:
    branches: [main]

jobs:
  verify-signature-with-Beyond-Identity:
    runs-on: ubuntu-latest
    steps:
      - name: Check out pull request
        uses: actions/checkout@v2
        with:
          # Critical: check out the head commit on the branch. By default,
          # actions/checkout will check out a merge commit built for the pull
          # request and signed by GitHub itself. Using the pull-request HEAD
          # allows the action to check the latest commit on the pull request,
          # which must be signed by an authorized user before it can be merged.
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Authorize with Beyond Identity
        uses: gobeyondidentity/auth-commit-sig@v0
        with:
          api_token: ${{ secrets.BYNDID_KEY_MGMT_API_TOKEN }}

Three points the workflow alone does not enforce. A failing job only blocks a merge if it is a required status check, so enable branch protection for main (Settings > Branches) and mark the verify-signature-with-Beyond-Identity job as required. Because the job runs on the pull_request event, GitHub does not expose BYNDID_KEY_MGMT_API_TOKEN to pull requests opened from forks of a public repository, so the job cannot call the Beyond Identity API for those. Finally, as the comment in the checkout step notes, only the head commit of the pull request is verified; earlier commits on the branch are not checked by this job. (actions/checkout@v2 is pinned here as in the original guide; newer major versions accept the same ref input.)

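The two settings the comments above call out (checking out the pull-request head rather than the GitHub-built merge commit, and feeding the action a secret rather than a literal token) are easy to lose in a later edit of the workflow. The following policy check is an added example written for this page; it is not part of the Beyond Identity guide or of the auth-commit-sig action. It scans the workflow text with a deliberately minimal, indentation-based step scanner (not a general YAML parser) and reports any checkout step whose ref is not the pull-request head SHA and any auth-commit-sig step whose api_token does not come from secrets. The sample workflow embedded below is a constructed copy of the one above.

```python
"""Policy check for the Authorize Commit Signing workflow (added example)."""
import re
from typing import Dict, List

# "  - name: ..." or "  - uses: ..." starts a step in the steps list
STEP_RE = re.compile(r"^(\s*)-\s+(\w+):\s*(.*)$")
# "    key: value" inside a step (or inside its with: mapping)
KV_RE = re.compile(r"^(\s*)([\w.-]+):\s*(.*)$")
HEAD_SHA = "${{ github.event.pull_request.head.sha }}"
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.\w+\s*\}\}")


def parse_steps(workflow: str) -> List[Dict[str, str]]:
    """Return one dict per step; keys under 'with:' are flattened as 'with.<key>'.

    Assumes the simple shape used in the guide: scalar values, full-line
    comments, and no multi-line 'run: |' blocks.
    """
    steps: List[Dict[str, str]] = []
    step_indent = None
    in_with = False
    for raw in workflow.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop full-line and trailing comments
        if not line.strip():
            continue
        m = STEP_RE.match(line)
        if m and (step_indent is None or len(m.group(1)) == step_indent):
            step_indent = len(m.group(1))
            steps.append({m.group(2): m.group(3)})
            in_with = False
            continue
        if not steps:
            continue  # still in the name:/on:/jobs: preamble
        m = KV_RE.match(line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        if key == "with" and value == "":
            in_with = True
        elif in_with and indent > step_indent + 2:
            steps[-1]["with." + key] = value
        else:
            in_with = False
            steps[-1][key] = value
    return steps


def audit_workflow(workflow: str) -> List[str]:
    """Return a list of findings; an empty list means the workflow passes."""
    findings: List[str] = []
    steps = parse_steps(workflow)
    checkouts = [s for s in steps if s.get("uses", "").startswith("actions/checkout")]
    if not checkouts:
        findings.append("no actions/checkout step found")
    for s in checkouts:
        if s.get("with.ref") != HEAD_SHA:
            findings.append("checkout step does not pin ref to the pull-request head SHA; "
                            "the GitHub-signed merge commit would be verified instead")
    auth = [s for s in steps if s.get("uses", "").startswith("gobeyondidentity/auth-commit-sig")]
    if not auth:
        findings.append("no gobeyondidentity/auth-commit-sig step found")
    for s in auth:
        if not SECRET_REF.fullmatch(s.get("with.api_token", "")):
            findings.append("auth-commit-sig api_token is not taken from a repository secret")
    return findings


# Constructed sample: a copy of the guide's workflow, and a broken variant.
GOOD = """\
name: Authorize Commit Signing
on:
  pull_request:
    branches: [main]
jobs:
  verify-signature-with-Beyond-Identity:
    runs-on: ubuntu-latest
    steps:
      - name: Check out pull request
        uses: actions/checkout@v2
        with:
          # check out the PR head, not the GitHub-built merge commit
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Authorize with Beyond Identity
        uses: gobeyondidentity/auth-commit-sig@v0
        with:
          api_token: ${{ secrets.BYNDID_KEY_MGMT_API_TOKEN }}
"""
BAD = (GOOD.replace("ref: " + HEAD_SHA, "fetch-depth: 0")
           .replace("${{ secrets.BYNDID_KEY_MGMT_API_TOKEN }}", "hard-coded-token-value"))

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("bad", BAD)):
        print(label, audit_workflow(text) or "OK")
```

Run it in CI against .github/workflows/auth-commit-sig.yml (or as a pre-commit hook on that path) and fail the build on any finding, so that a pull request that quietly drops the ref line cannot weaken the signing check.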
  7. Clone the repository to the local path you configured with Set repository in the authenticator.

  8. Change the code as required.

  9. Commit with signing, similar to the following:

    git commit -S -v -m "Modified README in signedcommit branch"

  10. (Optional) If biometrics were enabled for signing, you will be prompted to provide biometric verification to complete the signing. The signature, and any biometric prompt, happens on your machine at commit time; nothing in the GitHub web UI can invoke the authenticator.

  11. Push the branch to origin.

  12. Open a pull request against main in the GitHub web UI. Opening or updating the pull request triggers the workflow (the on: pull_request condition above), and the Authorize Commit Signing job verifies the head commit's signature with Beyond Identity.

  13. Verify successful completion:

    • In the pull request's checks, the verify-signature-with-Beyond-Identity job should be green. Open the job to see the verified result in its log.

    • Only once that check has passed, click Merge pull request and Confirm merge. Merged pull requests are listed under Your repository > Pull requests > Closed.
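Before pushing, it is worth confirming that the repository's local Git configuration actually carries the signing identity the guide requires: user.email must equal the email the GPG key was created with and the passkey enrolled under, or the pipeline cannot tie the signature to the enrolled user. The check below is an added example for this page, not code from the Beyond Identity guide or authenticator. It reads .git/config with a small hand-rolled parser (enough for the git-config subset shown) and reports a mismatch as a problem; a missing user.signingkey or gpg.program is reported only as a warning, because git commit -S can still select a key by user.email. Which of these keys the authenticator's Set repository step writes is an assumption here, so treat a warning as a prompt to inspect git config --list --show-origin rather than as an error. The sample configs, the example.com email and the key ID are constructed placeholders.

```python
"""Pre-push check of the Git signing configuration (added example)."""
import re
from pathlib import Path
from typing import Dict, List, Tuple

# [user]  or  [remote "origin"]
SECTION_RE = re.compile(r'^\s*\[([^\s\]]+)(?:\s+"([^"]*)")?\]\s*$')
# key = value (git indents these with a tab; leading whitespace is ignored)
ENTRY_RE = re.compile(r"^\s*([\w-]+)\s*=\s*(.*?)\s*$")


def parse_git_config(text: str) -> Dict[str, str]:
    """Flatten a git config file into {'section.subsection.key': value}; last value wins."""
    values: Dict[str, str] = {}
    section = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0]  # strip both git comment styles
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower() + (f".{m.group(2)}" if m.group(2) else "")
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            values[f"{section}.{m.group(1).lower()}"] = m.group(2)
    return values


def check_signing_config(config_text: str, expected_email: str) -> Tuple[List[str], List[str]]:
    """Return (problems, warnings) for the signing setup in a git config file."""
    cfg = parse_git_config(config_text)
    problems: List[str] = []
    warnings: List[str] = []
    email = cfg.get("user.email")
    if email is None:
        problems.append("user.email is not set in this repository")
    elif email.lower() != expected_email.lower():
        problems.append(f"user.email {email!r} does not match the enrolled identity {expected_email!r}")
    if not cfg.get("user.signingkey"):
        warnings.append("user.signingkey is not set; git will select a key by user.email")
    if not cfg.get("gpg.program"):
        # Assumption: the authenticator-backed signing path is reached through gpg.program.
        warnings.append("gpg.program is not set; git will invoke the default gpg binary")
    return problems, warnings


def check_repo(repo_root: str, expected_email: str) -> Tuple[List[str], List[str]]:
    """Run check_signing_config against <repo_root>/.git/config."""
    config = Path(repo_root) / ".git" / "config"
    if not config.is_file():
        return [f"{config} not found; is {repo_root} the repository root?"], []
    return check_signing_config(config.read_text(encoding="utf-8"), expected_email)


# Constructed samples (placeholder email, key ID and remote).
GOOD_CONFIG = """\
[core]
    repositoryformatversion = 0
    filemode = true
[remote "origin"]
    url = git@github.com:example-org/signedcommit-demo.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[user]
    email = dev@example.com
    signingkey = 0123456789ABCDEF
[gpg]
    program = /usr/local/bin/gpg
"""
MINIMAL_CONFIG = """\
[user]
    email = dev@example.com
"""

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    who = sys.argv[2] if len(sys.argv) > 2 else "dev@example.com"
    problems, warnings = check_repo(root, who)
    for p in problems:
        print("PROBLEM:", p)
    for w in warnings:
        print("warning:", w)
    sys.exit(1 if problems else 0)
```

Run it as python check_signing.py <repo-root> <enrolled-email> from a pre-push hook; a non-zero exit stops the push before an unverifiable commit reaches the pull request.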

Appendix: Get Started with GitHub

GitHub prerequisites

  • Create an account.

    • Use the same email account that you will use to code sign/verify.

  • Create a repository.

  • Sign in with the same email account that you will use to code sign/verify.

  • You should have privileges to clone, modify, and commit changes.

Create an account

Create a repository

Start using Git