Protecting yourself from committing secrets in one line

Alex Hatzenbuhler — Fri, 08 Nov 2019 01:08:40 +0000

There are many times when your project will contain some kind of data that you wouldn't want to end up in git - secrets, passwords, keys, etc. Committing secrets leads to insecure applications and the headache of rotating passwords.

awslabs has a great utility to prevent you from this aptly named git-secrets. This project works by using a git hook that scans your repository for prohibited patterns on every commit. If something in your codebase matches a given pattern the commit is rejected.

» git commit -m "Add password"
password.txt:1:password: ThisIsAPassword

[ERROR] Matched one or more prohibited patterns

git-secrets has a lot of good information on installing it locally, but there were a few things I felt were missing. I found that my team was slow to adopt this and everyone ended up with a different configuration. Installing it manually for every repo was a chore that I had no intention of doing.

To fill these holes I made git-secrets-installer, a small project that installs git-secrets with some smart defaults in one line.

ahatzz11 / git-secrets-installer

Easy setup for git-secrets

To fill the holes of git-secrets, the installer does a few things for you:

Install git-secrets on your machine
Install hooks on all existing local git repositories
Turn on automatic hook installation on future clones
Create a default ruleset to match the following patterns:

(.*)password:
(.*)password=
(.*)secret:
(.*)secret=

Installing

As promised in the title, installation and setup is just one line:

git clone https://github.com/ahatzz11/git-secrets-installer && cd git-secrets-installer && chmod +x install-git-secrets.sh && ./install-git-secrets.sh

Once installed you will have to restart your terminal. Verify everything worked by running:

git secrets --list --global

🎉 You are now protected from committing secrets! 🎉

Useful commands

Add a pattern to the ruleset:

git secrets --add --global $textToMatch

Add a pattern to the allowed list:

git secrets --add --allowed --global $allowedTextOrPattern

More Details

There are a few other pieces worth noting:

The patterns that are matched above are case insensitive, so password and PassWord will both be caught.
There are some default literals that are allowed, such as 1234567890 and cassandra. These are often used as default passwords for tests and other things and should never be used as real passwords because they are not very secure.
***REMOVED*** is also an allowed literal, which comes from bfg when removing passwords.