FossID Documentation

Configuring Git

Overview

FossID scans can be created from a git repository using the Workbench API.

For private repositories, git should be used only with the SSH protocol, which requires configuring SSH keys.

Creating the SSH keys

Use ssh-keygen to generate the SSH keys:

ssh-keygen

Provide the path where you want to store the key file and do not set a passphrase (leave the passphrase prompts empty). The command above generates two files:

  • a private key file (the default is named id_rsa)
  • a public key file (id_rsa.pub)

Add the public key to your repository hosting account. This is usually done in the account settings on GitLab, GitHub, or Bitbucket.

Use ssh-keyscan to add the repository server's host key to a known_hosts file:

ssh-keyscan github.com >> known_hosts

Note: ssh-keygen and ssh-keyscan are tools that your operating system should provide (they are part of OpenSSH).

Configuring the user account the Workbench uses to connect using the specified key

3.1.1 In the /var/www directory (on Debian) or the /usr/share/httpd directory (on RHEL), create a new folder named .ssh and, inside it, a file named config.

3.1.2 Move the previously created private key file into the newly created .ssh folder.

3.1.3 Add the following to the config file created in step 3.1.1 (change the host name and the path to the identity file as needed):

Host github.com
 HostName github.com
 IdentityFile /var/www/.ssh/id_rsa_github

3.1.4 Move the previously created known_hosts file into the .ssh folder.

3.1.5 Make sure all files in the folder are owned by, and accessible only to, the www-data user (or apache, depending on your web server configuration):

chmod 600 *
chown www-data:www-data *

3.1.6 After the steps above, the /var/www/.ssh folder (or /usr/share/httpd/.ssh) should look similar to this:

user@test:/var/www/.ssh$ ls -la
total 20
drwxr-xr-x 2 root     root     4096 Jan 18 13:04 .
drwxr-xr-x 4 root     root     4096 Jan 18 13:03 ..
-rw------- 1 www-data www-data   78 Jan 18 13:04 config
-rw------- 1 www-data www-data 1823 Jan 18 13:04 id_rsa
-rw------- 1 www-data www-data  392 Jan 18 13:04 known_hosts

3.1.7 Verify that everything works by creating a new scan from the git repository using the API functions create and download_data_from_git from the scans group.
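The key-generation steps above and steps 3.1.1 to 3.1.7, as one added POSIX shell script that is not part of the FossID documentation. It performs the setup when run with the argument "apply" and, more usefully, defines checks that confirm the resulting .ssh folder matches the listing in step 3.1.6 (every file present, mode 0600, owned by the web server user, known_hosts non-empty, private key without a passphrase). SSH_HOME, WEB_USER, GIT_HOST and KEY_NAME are placeholder assumptions; the IdentitiesOnly line in the generated config is an addition to the page's three-line example.

```shell
#!/bin/sh
# Added example, not part of the FossID documentation: set up and then verify
# the web server user's .ssh directory for Workbench git access over SSH.
# The four variables below are placeholders (assumptions); use /var/www and
# www-data on Debian, /usr/share/httpd and apache on RHEL.
SSH_HOME="${SSH_HOME:-/var/www}"
WEB_USER="${WEB_USER:-www-data}"
GIT_HOST="${GIT_HOST:-github.com}"
KEY_NAME="${KEY_NAME:-id_rsa_github}"

# Write the ssh client config for one host. IdentitiesOnly (an addition to the
# page's three-line config) stops ssh from offering any other key it can find.
write_ssh_config() {
    dir="$1"; host="$2"; key="$3"
    printf 'Host %s\n HostName %s\n IdentityFile %s/%s\n IdentitiesOnly yes\n' \
        "$host" "$host" "$dir" "$key" > "$dir/config"
}

# One file is acceptable only if it exists, has mode exactly 0600 and is owned
# by the web server user. find's -perm and -user tests are POSIX, so this works
# on both GNU and BSD userlands; the owner may be a name or a numeric uid.
check_file() {
    f="$1"; owner="$2"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    [ -n "$(find "$f" -perm 0600 -user "$owner" -print)" ] \
        || { echo "wrong mode or owner (want 0600, $owner): $f" >&2; return 1; }
}

# Check the whole directory the way step 3.1.6 shows it: config and known_hosts
# present, every IdentityFile the config names present, all locked to 0600 and
# the web user, and known_hosts non-empty (ssh-keyscan writes nothing when the
# host is unreachable, and the later clone then fails host verification).
check_ssh_dir() {
    dir="$1"; owner="$2"; rc=0
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
    for name in config known_hosts; do
        check_file "$dir/$name" "$owner" || rc=1
    done
    for key in $(awk '$1 == "IdentityFile" { print $2 }' "$dir/config" 2>/dev/null); do
        check_file "$key" "$owner" || rc=1
    done
    [ -s "$dir/known_hosts" ] || { echo "known_hosts is empty" >&2; rc=1; }
    return $rc
}

# The Workbench cannot answer a passphrase prompt, so confirm the key has none:
# ssh-keygen -y derives the public key and fails if the empty passphrase is wrong.
key_has_no_passphrase() {
    ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1
}

# Run with "apply" to perform the steps for real (needs root and network access);
# without it only the functions are defined, so the checks can be reused.
if [ "${1-}" = "apply" ]; then
    mkdir -p "$SSH_HOME/.ssh"
    ssh-keygen -t rsa -N '' -f "$SSH_HOME/.ssh/$KEY_NAME"   # -N '' = no passphrase
    ssh-keyscan "$GIT_HOST" >> "$SSH_HOME/.ssh/known_hosts"
    write_ssh_config "$SSH_HOME/.ssh" "$GIT_HOST" "$KEY_NAME"
    chmod 600 "$SSH_HOME/.ssh"/*
    chown "$WEB_USER:$WEB_USER" "$SSH_HOME/.ssh"/*
    key_has_no_passphrase "$SSH_HOME/.ssh/$KEY_NAME" \
        || echo "private key has a passphrase; regenerate it without one" >&2
    check_ssh_dir "$SSH_HOME/.ssh" "$WEB_USER" && echo "ssh directory OK"
fi
```

Running the checks alone (`. ./setup-ssh.sh; check_ssh_dir /var/www/.ssh www-data`) is a quick way to diagnose a failing download_data_from_git call before looking at web server logs: a wrong owner or a 0644 private key makes ssh refuse the key silently from the Workbench's point of view.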

Using personal access tokens to authenticate against Git over HTTP

You can also use personal access tokens (PAT) to authenticate against Git over HTTP by including the access token in the Git repository URL parameter:

https://<pat>@github.com/<your account or organization>/<repo>.git


The downside of this approach is that the token is stored in plain text and is visible to any user with access to that scan.
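Because a PAT embedded this way is stored and displayed in plain text, it helps to be able to find such URLs in exported scan definitions or logs and to redact them before sharing. The following added shell functions are not part of the FossID documentation; they detect HTTP(S) URLs that carry userinfo (a bare token or user:password) before the host and replace it with a literal placeholder. The sample URLs are constructed; the tokens in them are not real.

```shell
#!/bin/sh
# Added example, not from the FossID docs: detect and redact credentials
# embedded in git HTTP(S) URLs such as https://<pat>@host/org/repo.git.
# Only http/https schemes are considered: the "git" user in an SSH URL is an
# account name, not a secret, and must not trigger a finding.

# Returns 0 if the URL has userinfo (token or user:password) before the host.
url_has_embedded_credential() {
    printf '%s\n' "$1" | grep -Eq '^https?://[^/@]+@'
}

# Prints the URL with the userinfo replaced by the literal "<redacted>";
# URLs without userinfo are printed unchanged.
redact_git_url() {
    printf '%s\n' "$1" | sed -E 's#^(https?://)[^/@]+@#\1<redacted>@#'
}

# Reads one URL per line on stdin, prints a redacted copy of each URL that
# embeds a credential, and returns 1 if any was found (0 otherwise), so the
# function can gate an audit job: `extract_scan_urls | audit_git_urls`.
audit_git_urls() {
    found=0
    while IFS= read -r url; do
        if url_has_embedded_credential "$url"; then
            printf 'embedded credential: %s\n' "$(redact_git_url "$url")"
            found=1
        fi
    done
    return $found
}
```

A URL that trips this check is a candidate for switching to the SSH key configuration above, or for revoking and re-issuing the token, since everyone with access to the scan has already been able to read it.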