There are many times when your project will contain some kind of data that you wouldn't want to end up in git - secrets, passwords, keys, etc. Committing secrets leads to insecure applications and the headache of rotating passwords.
awslabs has a great utility to prevent this, aptly named git-secrets. This project works by using a git hook that scans your repository for prohibited patterns on every commit. If something in your codebase matches a given pattern, the commit is rejected.
» git commit -m "Add password"
password.txt:1:password: ThisIsAPassword
[ERROR] Matched one or more prohibited patterns
git-secrets has a lot of good information on installing it locally, but there were a few things I felt were missing. I found that my team was slow to adopt this and everyone ended up with a different configuration. Installing it manually for every repo was a chore that I had no intention of doing.
To fill these holes I made git-secrets-installer, a small project that installs git-secrets with some smart defaults in one line.
ahatzz11/git-secrets-installer: Easy setup for git-secrets
To fill the holes of git-secrets, the installer does a few things for you:
- Install git-secrets on your machine
- Install hooks on all existing local git repositories
- Turn on automatic hook installation on future clones
- Create a default ruleset to match the following patterns:
  (.*)password:
  (.*)password=
  (.*)secret:
  (.*)secret=
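The four steps above, written out as shell functions. This is an added illustration, not the installer's own script: the template directory path, the function names and the use of find to locate repositories are assumptions; the git-secrets subcommands (--install, --add --global) and git's init.templateDir setting are real.

```shell
#!/bin/sh
# Added example modelling the installer's steps; not git-secrets-installer's code.
# TEMPLATE_DIR and the function names are assumptions for this illustration.

TEMPLATE_DIR="${HOME}/.git-templates/git-secrets"   # assumed location

# List every local git repository under $1, one working-tree path per line.
# -prune stops find from descending into the .git directories themselves.
find_git_repos() {
  find "$1" -type d -name .git -prune 2>/dev/null | sed 's#/\.git$##' | sort
}

# Step 2: install the git-secrets hooks into every repository found under $1.
# --force overwrites hooks an earlier install may have left behind.
install_hooks_everywhere() {
  find_git_repos "$1" | while IFS= read -r repo; do
    git secrets --install --force "$repo"
  done
}

# Step 3: hooks for future clones. git copies init.templateDir into every new
# repository, so installing the hooks into the template makes them automatic.
enable_for_future_clones() {
  mkdir -p "$TEMPLATE_DIR"
  git secrets --install "$TEMPLATE_DIR"
  git config --global init.templateDir "$TEMPLATE_DIR"
}

# Step 4: the default ruleset from the post, registered globally.
install_default_ruleset() {
  for pattern in '(.*)password:' '(.*)password=' '(.*)secret:' '(.*)secret='; do
    git secrets --add --global "$pattern"
  done
}

# Typical use (step 1, installing git-secrets itself, is left to your package manager):
#   install_hooks_everywhere "$HOME/code"
#   enable_for_future_clones
#   install_default_ruleset
```

Note that the template directory only affects repositories created after it is configured, which is exactly why the installer also walks the repositories that already exist.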
Installing
As promised in the title, installation and setup is just one line:
git clone https://github.com/ahatzz11/git-secrets-installer && cd git-secrets-installer && chmod +x install-git-secrets.sh && ./install-git-secrets.sh
Once installed you will have to restart your terminal. Verify everything worked by running:
git secrets --list --global
You are now protected from committing secrets!
Useful commands
Add a pattern to the ruleset:
git secrets --add --global $textToMatch
Add a pattern to the allowed list:
git secrets --add --allowed --global $allowedTextOrPattern
More Details
There are a few other pieces worth noting:
- The patterns that are matched above are case insensitive, so password and PassWord will both be caught.
- There are some default literals that are allowed, such as 1234567890 and cassandra. These are often used as default passwords for tests and other things and should never be used as real passwords because they are not very secure.
- ***REMOVED*** is also an allowed literal, which comes from bfg when removing passwords.
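To make the hook behaviour described earlier and the allowed-literal filtering above concrete, here is a simplified model of the scan a commit goes through. This is an added example, not git-secrets' own implementation: the prohibited patterns and allowed literals are the ones named in this post, while the scan_file function, the sample file and its contents are constructed for the illustration.

```shell
#!/bin/sh
# Added example: a simplified model of the git-secrets pre-commit scan.
# Not git-secrets' code; scan_file and the sample file are assumptions.

# Prohibited patterns (the installer's default ruleset), matched case-insensitively.
PROHIBITED='(.*)password:|(.*)password=|(.*)secret:|(.*)secret='
# Allowed literals: any matching line is dropped from the results (false-positive filter).
ALLOWED='1234567890|cassandra|\*\*\*REMOVED\*\*\*'

# scan_file FILE: print each offending line as FILE:LINE:TEXT and return 1 if any
# remain after the allowed filter; return 0 when the file is clean.
scan_file() {
  hits=$(grep -inHE "$PROHIBITED" "$1" | grep -vE "$ALLOWED" || true)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    echo "[ERROR] Matched one or more prohibited patterns"
    return 1
  fi
  return 0
}

# demo: runs the scan over a constructed config file. Only the mixed-case
# "PassWord:" line is reported; the cassandra and ***REMOVED*** lines match a
# prohibited pattern but are let through by the allowed list.
demo() {
  tmp=$(mktemp -d)
  cat > "$tmp/config.yml" <<'EOF'
username: alice
PassWord: hunter2
db_secret=cassandra
old_password=***REMOVED***
EOF
  scan_file "$tmp/config.yml"; rc=$?
  rm -rf "$tmp"
  return $rc
}
```

Run `demo` to see the rejection message from the top of the post, or `scan_file path/to/file` on your own input. The two-stage grep is the point: a prohibited match alone does not block the commit, the line also has to survive the allowed filter, which is why widening the allowed list weakens the protection.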