There are many times when your project will contain some kind of data that you wouldn't want to end up in git - secrets, passwords, keys, etc. Committing secrets leads to insecure applications and the headache of rotating passwords.
awslabs has a great utility to prevent this, aptly named git-secrets. This project works by using a git hook that scans your repository for prohibited patterns on every commit. If something in your codebase matches a given pattern, the commit is rejected:
```
» git commit -m "Add password"
password.txt:1:password: ThisIsAPassword
[ERROR] Matched one or more prohibited patterns
```
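To make the mechanism concrete, here is an added example (not code from git-secrets or git-secrets-installer) of a minimal pre-commit style scanner. It uses the installer's default ruleset as the prohibited patterns and the allowed literals mentioned at the end of this post; the `--hook` entry point and the use of the staged diff as the input are assumptions of this example, not a description of how git-secrets itself is wired in.

```shell
#!/bin/sh
# Added example, not code from git-secrets or git-secrets-installer: a
# minimal pre-commit style scanner that mirrors the mechanism described
# above. Prohibited patterns are the installer's default ruleset (matched
# case-insensitively); allowed patterns are the literals the post mentions.
PROHIBITED='(.*)password:|(.*)password=|(.*)secret:|(.*)secret='
ALLOWED='cassandra|\*\*\*REMOVED\*\*\*'

# scan_text: read text on stdin, print every offending line with its line
# number, and return 1 (reject the commit) if any line remains after the
# allowed patterns are filtered out. Returns 0 when the text is clean.
scan_text() {
    matches=$(grep -inE "$PROHIBITED" | grep -vE "$ALLOWED" || true)
    if [ -n "$matches" ]; then
        printf '%s\n' "$matches"
        echo '[ERROR] Matched one or more prohibited patterns' >&2
        return 1
    fi
    return 0
}

# scan_staged: the hook entry point. Only lines being added by the staged
# diff are scanned, so matches already present in history do not block work.
scan_staged() {
    git diff --cached --unified=0 --no-color \
        | grep '^+' | grep -v '^+++' | sed 's/^+//' | scan_text
}

# When called with --hook (assumption: a one-line .git/hooks/pre-commit
# wrapper runs `exec /path/to/scan.sh --hook`), a non-zero exit aborts
# the commit, which is exactly what produces the rejection shown above.
case "${1:-}" in
    --hook) scan_staged ;;
esac
```

`scan_text` can also be fed any file directly (`scan_text < config.yml`) to check content before it is ever staged.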
git-secrets has a lot of good information on installing it locally, but there were a few things I felt were missing. I found that my team was slow to adopt this and everyone ended up with a different configuration. Installing it manually for every repo was a chore that I had no intention of doing.
To fill these holes I made git-secrets-installer, a small project that installs git-secrets with some smart defaults in one line.
The installer does a few things for you:
- Install git-secrets on your machine
- Install hooks on all existing local git repositories
- Turn on automatic hook installation on future clones
- Create a default ruleset to match the following patterns:
  - `(.*)password:`
  - `(.*)password=`
  - `(.*)secret:`
  - `(.*)secret=`
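As an added example (not the installer's own script), the following shell script reproduces the steps listed above using git-secrets' documented commands (`git secrets --install`, `git secrets --add`, and git's `init.templateDir` setting). It assumes git-secrets is already on your PATH, that your existing repositories live under `$REPO_ROOT` (defaulting to `$HOME`), and that the hook template lives in `$TEMPLATE_DIR`; both variable names are this example's own.

```shell
#!/bin/sh
# Added example, not git-secrets-installer's own script: reproduces the
# installer's steps with git-secrets' documented commands. Assumes
# git-secrets is already on PATH. REPO_ROOT and TEMPLATE_DIR are this
# example's own names and can be overridden from the environment.
set -e

TEMPLATE_DIR="${TEMPLATE_DIR:-$HOME/.git-templates/git-secrets}"
REPO_ROOT="${REPO_ROOT:-$HOME}"

# find_repos: print the working-tree path of every git repository under $1
# (directories that contain a .git directory; nested repos are not descended).
find_repos() {
    find "$1" -type d -name .git -prune 2>/dev/null | while read -r gitdir; do
        dirname "$gitdir"
    done
}

# install_hooks_everywhere: install the git-secrets hooks into every
# existing repository found under REPO_ROOT (-f overwrites existing hooks).
install_hooks_everywhere() {
    find_repos "$REPO_ROOT" | while read -r repo; do
        git secrets --install -f "$repo" >/dev/null
        echo "hooks installed: $repo"
    done
}

# enable_for_future_clones: put the hooks into a git template directory and
# point init.templateDir at it, so every future `git init`/`git clone`
# picks the hooks up automatically.
enable_for_future_clones() {
    git secrets --install -f "$TEMPLATE_DIR" >/dev/null
    git config --global init.templateDir "$TEMPLATE_DIR"
}

# add_default_rules: the default ruleset from the post, plus the allowed
# literals it mentions, all stored in the global git config.
add_default_rules() {
    for p in '(.*)password:' '(.*)password=' '(.*)secret:' '(.*)secret='; do
        git secrets --add --global "$p"
    done
    git secrets --add --allowed --literal --global 'cassandra'
    git secrets --add --allowed --literal --global '***REMOVED***'
}

main() {
    add_default_rules
    install_hooks_everywhere
    enable_for_future_clones
    git secrets --list --global
}

# Run the full setup only when explicitly asked, so the functions can be
# sourced or tested individually.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it with `sh setup-git-secrets.sh --run`; the final `git secrets --list --global` prints the resulting ruleset so you can confirm the patterns landed in your global config.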
As promised in the title, installation and setup is just one line:
```
git clone https://github.com/ahatzz11/git-secrets-installer && cd git-secrets-installer && chmod +x install-git-secrets.sh && ./install-git-secrets.sh
```
Once installed you will have to restart your terminal. Verify everything worked by running:
```
git secrets --list --global
```
🎉 You are now protected from committing secrets! 🎉
Add a pattern to the ruleset:
```
git secrets --add --global $textToMatch
```
Add a pattern to the allowed list:
```
git secrets --add --allowed --global $allowedTextOrPattern
```
There are a few other pieces worth noting:
- The patterns matched above are case insensitive, so `PassWord` is caught just as `password` is.
- There are some default literals that are allowed, such as `cassandra`. These are often used as default passwords for tests and other things and should never be used as real passwords because they are not very secure.
- `***REMOVED***` is also an allowed literal; it is what bfg writes in place of passwords it removes.