All it takes is for one developer on your team to forget to .gitignore their .env file or remove a hardcoded environment variable they used in development for sensitive data to leak to source control. In the modern era where bad actors use bots to monitor repositories on GitHub, leaking environment variables can be a fatal mistake.
In this article, I introduce a CLI tool that your team can use to scan your existing codebase for any leaked environment variables instantly. It can scan your existing commit, past commits, and be configured as a pre-commit hook to prevent developers from committing any unintended secrets to source control. By the end, you should be able to detect leaked environment variables in your codebase and set up a pre-commit hook to automatically scan for leaks and prevent committing them to source control.
Why should I care?
It's important for developers to know the best practices for managing environment variables - to be more precise, managing secrets that is sensitive data like, for example, an API key that we wouldn't want bad actors to get ahold of.
Perhaps the first step to better managing secrets is to adopt the tooling necessary to prevent leaking secrets to begin with.
What's the tooling?
While there are numerous CLI tools that you can use to detect secrets in your codebase, I'm going to be using the Infisical CLI in this article because it's simple and has synergies with Infisical, a popular open-source secret management stack that can also be used to store your environment variables.
The CLI itself is free to use, and the Infisical platform itself can also be self-hosted on your own infrastructure as well.
Installation
To begin, you need to install the Infisical CLI onto your machine.
MacOS (using brew):
brew install infisical/get-cli/infisical
Windows (using scoop):
scoop bucket add org https://github.com/Infisical/scoop-infisical.git
scoop install infisical
Arch Linux (using yay):
yay -S infisical-bin
Check out the documentation for more installation options like Redhat/CentOS/Amazon and Debian/Ubuntu if your system is missing above.
Great! You're now ready to detect secrets in your codebase.
Scanning a directory, file, or full Git history for secrets.
The scan command can be run in a directory to detect any secrets within it; it looks out for 140+ secret types like potential API keys etc.
# scan your codebase for secrets
infisical scan
# display the full secret findings
infisical scan --verbose
infisical scan simply prints how many leaks were found across your commits.
11:13AM INF scanning for exposed secrets...
11:13AM INF 932 commits scanned.
11:13AM INF scan completed in 2.23s
11:13AM WRN leaks found: 32
Meanwhile, infisical scan --verbose prints fuller details for each secret such as what was leaked, who leaked it, and where it can be found.
Finding: JWT_SECRET=138817529bf4c73772243214896b168df91d3501d56757dbcbeda31d3da7acad
Secret: 138817529bf4c73772243214896b168df91d3501d56757dbcbeda31d3da7acad
RuleID: generic-api-key
Entropy: 3.593139
File: .env.example
Line: 7
Commit: 622ed0d1b294bd31bd771eb40115d337
Author: John Doe
Email: johndoe@gmail.com
Date: 2022-12-24T19:21:21Z
Fingerprint: 622ed0d1b294bd31bd771eb40115d337:.env.example:generic-api-key:7
Scanning uncommitted files
Scanning your entire git history is nice but what if you only wanted to scan your uncommitted files while developing?
No worries, the infisical scan git-changes subcommand has you covered.
# scan your uncommitted files
infisical scan git-changes
# display the full secret findings for the uncommitted files
infisical git-changes --verbose
Setting up automatic scanning before each commit
While scanning your codebase for leaked secrets manually works, the best teams have pre-commit hooks set up that automatically detect any leaked secrets before allowing you to commit any code. This one-time setup makes it impossible for developers to forget to manually run the scan command before each commit and, in doing so, enforces that committed code is clear of leaking any secrets.
To install the git hook, run the following command in your local git repository.
infisical scan install --pre-commit-hook
That's it! You now know how to detect secrets in your codebase and prevent leaks from happening.
That said, I'd encourage you to check out the full documentation for more information and advanced options on using the CLI for secret scanning. It includes how to configure the scan to ignore select secrets or even those matching a pattern.
Conclusion
Leaking secrets can happen to the best of us, and this risk scales with the size of a team; the more engineers you have onboard, the higher the risk of one developer accidentally introducing a new secret and accidentally committing it to source control.
However, there are practices that you and your team can enforce to prevent secrets leaks from happening and using a CLI to detect secrets in your codebase is one such practice. With minimal effort, you can set up a pre-commit hook that automatically scans for leaked secrets and prevents developers from committing code before removing that secret or acknowledging it as intentional.
Top comments (0)