DEV Community

Alex Hatzenbuhler
Alex Hatzenbuhler

Posted on

Protecting yourself from committing secrets in one line

There are many times when your project will contain some kind of data that you wouldn't want to end up in git - secrets, passwords, keys, etc. Committing secrets leads to insecure applications and the headache of rotating passwords.

awslabs has a great utility to prevent you from this aptly named git-secrets. This project works by using a git hook that scans your repository for prohibited patterns on every commit. If something in your codebase matches a given pattern the commit is rejected.

Β» git commit -m "Add password"
password.txt:1:password: ThisIsAPassword

[ERROR] Matched one or more prohibited patterns
Enter fullscreen mode Exit fullscreen mode

git-secrets has a lot of good information on installing it locally, but there were a few things I felt were missing. I found that my team was slow to adopt this and everyone ended up with a different configuration. Installing it manually for every repo was a chore that I had no intention of doing.

To fill these holes I made git-secrets-installer, a small project that installs git-secrets with some smart defaults in one line.

GitHub logo ahatzz11 / git-secrets-installer

Easy setup for git-secrets

To fill the holes of git-secrets, the installer does a few things for you:

  • Install git-secrets on your machine
  • Install hooks on all existing local git repositories
  • Turn on automatic hook installation on future clones
  • Create a default ruleset to match the following patterns:
Enter fullscreen mode Exit fullscreen mode


As promised in the title, installation and setup is just one line:

git clone && cd git-secrets-installer && chmod +x && ./
Enter fullscreen mode Exit fullscreen mode

Once installed you will have to restart your terminal. Verify everything worked by running:

git secrets --list --global
Enter fullscreen mode Exit fullscreen mode

πŸŽ‰ You are now protected from committing secrets! πŸŽ‰

Useful commands

Add a pattern to the ruleset:

git secrets --add --global $textToMatch
Enter fullscreen mode Exit fullscreen mode

Add a pattern to the allowed list:

git secrets --add --allowed --global $allowedTextOrPattern
Enter fullscreen mode Exit fullscreen mode

More Details

There are a few other pieces worth noting:

  • The patterns that are matched above are case insensitive, so password and PassWord will both be caught.
  • There are some default literals that are allowed, such as 1234567890 and cassandra. These are often used as default passwords for tests and other things and should never be used as real passwords because they are not very secure.
  • ***REMOVED*** is also an allowed literal, which comes from bfg when removing passwords.

Top comments (0)