CyberArk
Please note that CyberArk integration is currently in beta. If you want more info on this integration, check our blog post.
CyberArk, a leader in privileged access management, helps secure, manage, and monitor privileged accounts and credentials. The GitGuardian integration leverages CyberArk to securely manage secrets and automate secret rotation, enhancing security alongside GitGuardian's leak detection capabilities.
This integration relies on two open-source Go applications, Brimstone and Hailstone, developed by CyberArk and GitGuardian.
Use cases
- Receive events from GitGuardian in Brimstone when a secret is detected
- Rotate known secrets with the CyberArk Central Policy Manager (CPM)
- Add unknown (new) secrets to a Pending safe
- Sync CyberArk accounts into Brimstone's database using Hailstone
- Check the hashes held in Brimstone's database against HasMySecretLeaked
Limitations
- The integration is not yet available for Self-Hosted deployments.
Requirements
Access
- CyberArk application user credentials with access to safes
- GitGuardian account with owner/manager privileges
Build application
- Clone the project conjurdemos/cyberark-gitguardian-hmsl-remediation-integration-service
git clone https://github.com/conjurdemos/cyberark-gitguardian-hmsl-remediation-integration-service.git
- Move into the project folder
cd cyberark-gitguardian-hmsl-remediation-integration-service
- Build the applications using Make
make oapi-codegen
make build-brimstone build-hailstone -B
If the build fails because of a Go version mismatch, install go1.21.9 as described at https://go.dev/doc/manage-install, then point the Makefile at that toolchain by changing the line
GO := $(shell command -v go 2> /dev/null)
to
GO := $(shell command -v go1.21.9 2> /dev/null)
- This produces two executables:
bin/brimstone
and bin/hailstone
Brimstone
Brimstone is a server application that handles GitGuardian events. For each reported secret it either rotates the matching known account in CyberArk or adds the secret as a new account in a designated CyberArk safe.
Secrets found by GitGuardian are matched to accounts stored in CyberArk using the hashing method of HasMySecretLeaked, so Brimstone's database holds only hashes, never the secrets themselves. A hash match means CyberArk already manages the credential and it can be rotated in place; no match means the secret is unknown and is filed in the pending safe.
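The hash-only matching described above, as an added example that is not Brimstone's or Hailstone's own code: stored accounts keep only the SHA-256 digest of their value, an incoming secret is hashed and looked up, and hashes are grouped by k-anonymity prefix for a bulk check. The unsalted-SHA-256 digest and the 5-hex-character prefix are assumptions about the HasMySecretLeaked scheme; the type and function names are illustrative, and the sample accounts are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// HashSecret returns the lowercase hex SHA-256 digest of a secret. This is the
// digest HasMySecretLeaked compares (assumption: unsalted SHA-256 of the raw
// secret, as in the public hmsl client).
func HashSecret(secret string) string {
	sum := sha256.Sum256([]byte(secret))
	return hex.EncodeToString(sum[:])
}

// KAnonPrefix is the part of a hash that may leave the host when querying
// HasMySecretLeaked: only the prefix is sent and candidates are compared
// locally (assumption: 5 hex characters).
func KAnonPrefix(hash string) string {
	return hash[:5]
}

// Account is what a Hailstone-style sync would keep per CyberArk account:
// where the object lives and the hash of its current value. The value itself
// is never stored (field names constructed for this example).
type Account struct {
	Safe string
	Name string
	Hash string
}

// HashStore stands in for Brimstone's database: a map from hash to account.
type HashStore struct {
	byHash map[string]Account
}

func NewHashStore() *HashStore {
	return &HashStore{byHash: make(map[string]Account)}
}

// Record hashes the password immediately; the plaintext is not retained.
func (s *HashStore) Record(safe, name, password string) {
	h := HashSecret(password)
	s.byHash[h] = Account{Safe: safe, Name: name, Hash: h}
}

// Action is what Brimstone does with a secret GitGuardian reports.
type Action string

const (
	Rotate  Action = "rotate-known-account"
	Pending Action = "add-to-pending-safe"
)

// Triage matches a leaked secret against the stored hashes. A hit means
// CyberArk already manages the credential and it can be rotated in place; a
// miss means the secret is unknown and belongs in the pending safe.
func (s *HashStore) Triage(leaked string) (Action, Account) {
	if acct, ok := s.byHash[HashSecret(leaked)]; ok {
		return Rotate, acct
	}
	return Pending, Account{}
}

// PrefixBatches groups stored hashes by k-anonymity prefix, the shape a bulk
// sendhashes-style check needs: one query per prefix, full hashes kept
// locally for the final comparison.
func (s *HashStore) PrefixBatches() map[string][]string {
	batches := make(map[string][]string)
	for h := range s.byHash {
		p := KAnonPrefix(h)
		batches[p] = append(batches[p], h)
	}
	for _, hs := range batches {
		sort.Strings(hs)
	}
	return batches
}

func main() {
	store := NewHashStore()
	// Constructed sample accounts standing in for CyberArk-managed credentials.
	store.Record("Unix-Prod", "root@db01", "abc")
	store.Record("Unix-Prod", "deploy@web01", "correct horse battery staple")

	for _, leaked := range []string{"abc", "not-managed-anywhere"} {
		action, acct := store.Triage(leaked)
		fmt.Printf("%-22s -> %s %s/%s\n", leaked, action, acct.Safe, acct.Name)
	}
	fmt.Println("prefix batches:", len(store.PrefixBatches()))
}
```

Because only digests are stored, a compromise of Brimstone's database does not directly expose credentials; low-entropy values are still brute-forceable from their hashes, which is one more reason to keep weak passwords out of the vault in the first place.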
Setup integration
From the GitGuardian Platform:
- Go to Integrations and scroll to the Secrets manager section
- Click Install next to CyberArk
- Choose a name, enter the URL where Brimstone will be deployed, and take note of the signature token (it becomes GG_WEBHOOK_TOKEN below)
- Click Submit
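How a receiver should use the signature token from this setup, as an added example that is not Brimstone's own code: the raw request body is read first, an HMAC-SHA256 over it is compared in constant time against the delivery's signature header, and JSON decoding only happens after that check passes. The header name GitGuardian-Signature and the "sha256=<hex>" value format are assumptions about GitGuardian's webhook format; the token, handler name and sample payload are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// signatureHeader is the header carrying the delivery's HMAC (assumption:
// name and "sha256=<hex>" format as in GitGuardian's custom webhook docs).
const signatureHeader = "GitGuardian-Signature"

// SignBody computes the header value a sender would attach for body, keyed
// with the signature token obtained during the integration setup.
func SignBody(token, body []byte) string {
	mac := hmac.New(sha256.New, token)
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// VerifySignature checks header against the raw body. hmac.Equal compares in
// constant time so a remote caller cannot learn the MAC byte by byte.
func VerifySignature(token []byte, header string, body []byte) error {
	const scheme = "sha256="
	if !strings.HasPrefix(header, scheme) {
		return errors.New("missing or unsupported signature scheme")
	}
	got, err := hex.DecodeString(strings.TrimPrefix(header, scheme))
	if err != nil {
		return errors.New("signature is not valid hex")
	}
	mac := hmac.New(sha256.New, token)
	mac.Write(body)
	if !hmac.Equal(got, mac.Sum(nil)) {
		return errors.New("signature mismatch")
	}
	return nil
}

// NewWebhookHandler rejects unauthenticated or oversized deliveries before any
// JSON is parsed. Event fields are not interpreted here; the body is decoded
// only to confirm it is well-formed JSON.
func NewWebhookHandler(token []byte) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		// The MAC covers the body exactly as sent, so read the raw bytes and
		// verify them before, and independently of, JSON decoding.
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 1<<20))
		if err != nil {
			http.Error(w, "body too large or unreadable", http.StatusBadRequest)
			return
		}
		if err := VerifySignature(token, r.Header.Get(signatureHeader), body); err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		var event map[string]any
		if err := json.Unmarshal(body, &event); err != nil {
			http.Error(w, "malformed event", http.StatusBadRequest)
			return
		}
		w.WriteHeader(http.StatusOK)
	})
}

func main() {
	token := []byte("abcdef123456789") // constructed; in practice read GG_WEBHOOK_TOKEN
	body := []byte(`{"event":"incident","secret":"constructed-sample"}`)
	sig := SignBody(token, body)
	fmt.Println("valid delivery:", VerifySignature(token, sig, body))
	fmt.Println("tampered body:", VerifySignature(token, sig, []byte(`{"event":"incident","secret":"changed"}`)))
}
```

Without this check anyone who can reach the Brimstone URL could submit fabricated "leak" events and trigger rotations or pending-safe writes, so the signature token should be treated with the same care as the CyberArk application user's password.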
Environment Variables for Brimstone
The following environment variables are necessary for Brimstone:
Environment variable | Description | Example |
---|---|---|
GG_API_TOKEN | GitGuardian API Token | abcdef123456789 |
GG_WEBHOOK_TOKEN | Signature token generated when setting up the integration | abcdef123456789 |
BRIMSTONE_API_KEY | API key that callers (Hailstone, sendhashes requests) must present to Brimstone; generate a long random value yourself | abcdefghijklmnopqrstuvwxyz |
DB_URL | Database URL used by Brimstone; supports sqlite:// and postgres:// | sqlite://brimstone.sqlite |
ID_TENANT_URL | CyberArk Privileged Access Manager ID Tenant URL | https://abcdef123.id.cyberark.cloud |
PCLOUD_URL | CyberArk Privilege Cloud URL | https://example.privilegecloud.cyberark.cloud |
SAFE_NAME | CyberArk Safe Name, where new secrets are saved | PENDING |
PLATFORM_ID | CyberArk Platform used when creating new account | UnixSSH |
PAM_USER | CyberArk Application User name | username |
PAM_PASS | CyberArk Application User password | password |
Deployment
Deploy Brimstone however you prefer. On a Unix-based system, one option is to put the environment variables in a .env
file (restrict it to the service account, since it holds PAM_PASS and the API tokens) and start Brimstone with the following command:
# Run Brimstone with the environment variables from .env
(env $(cat .env | sed 's/#.*//g' | xargs) bin/brimstone)
This one-liner splits the file on whitespace, so values containing spaces or a literal # character will not survive it; quote such values differently or use a quote-aware loader.
Interacting with HasMySecretLeaked
Use the /v1/hashes/sendhashes endpoint to check the stored hashes against HasMySecretLeaked. The request is authorized with BRIMSTONE_API_KEY as a bearer token:
curl http://localhost:9191/v1/hashes/sendhashes -H "Authorization: Bearer $BRIMSTONE_API_KEY"
Hailstone
Hailstone is a CLI tool that syncs CyberArk accounts into Brimstone, so that Brimstone holds the hashes of the secrets CyberArk already manages and can rotate them instead of filing them as new.
Environment Variables for Hailstone
The following environment variables are necessary for Hailstone:
Environment variable | Description | Example |
---|---|---|
BRIMSTONE_URL | URL of the Brimstone instance | http://127.0.0.1:9191 |
BRIMSTONE_API_KEY | Brimstone API key, same as above | abcdefghijklmnopqrstuvwxyz |
ID_TENANT_URL | CyberArk Privileged Access Manager ID Tenant URL | https://abcdef123.id.cyberark.cloud |
PCLOUD_URL | CyberArk Privilege Cloud URL | https://example.privilegecloud.cyberark.cloud |
SAFE_NAME | CyberArk Safe Name | PENDING |
PLATFORM_ID | CyberArk Platform used when creating new account | UnixSSH |
PAM_USER | CyberArk Application User name | username |
PAM_PASS | CyberArk Application User password | password |
Execution
On a Unix-based system, run Hailstone with the same .env file approach used for Brimstone (the file can hold both sets of variables) to sync the CyberArk accounts:
# Run Hailstone with the environment variables from .env
(env $(cat .env | sed 's/#.*//g' | xargs) bin/hailstone)