
How to set up git secrets

Billy T. Hernandez edited this page Dec 15, 2020 · 3 revisions

Original repository: https://github.com/awslabs/git-secrets

git-secrets is a tool that helps prevent passwords and other secrets from being committed by accident. If you can't commit them, then you can't push them. When you try to commit a file containing a password, the commit fails with an error that shows you the line which triggered it.

In order to set it up:

  1. Run brew install git-secrets from the command line.
  2. cd into the ethicli directory.
  3. Run git secrets --install to add the git hooks.
  4. Add all the patterns for it to look for by running these commands:

```shell
git secrets --add '\bprivate_key.*\b'
git secrets --add 'withUser\("\S*"\)'
git secrets --add 'password\("\{noop\}\S*"\)'
git secrets --add 'mongodb\+srv:\/\/\S*:\S*@cluster0.krjxc.gcp.mongodb.net'
git secrets --add 'authString\s=\s\"\S*:\S*"'
git secrets --add 'spring.mail.password=\S*'
git secrets --add 'http://localhost:8080'
git secrets --add --allowed --literal 'withUser\("<username>"\)'
git secrets --add --allowed --literal 'password\("\{noop\}<password>"\)'
git secrets --add --allowed --literal 'withUser\("<admin-username>"\)'
git secrets --add --allowed --literal 'password\("\{noop\}<admin-password>"\)'
git secrets --add --allowed --literal 'mongodb\+srv://user:<password>@cluster0\.krjxc\.gcp\.mongodb\.net'
git secrets --add --allowed --literal 'authString\s=\s"<username>:<password>"'
git secrets --add --allowed --literal 'spring\.mail\.password=<password>'
```

In order to add new patterns in the future, use a tool like https://regex101.com/ to test the regex you write against the actual string you want to match. Also try it out in a new branch to make sure it matches only what you intend.
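To check the patterns above against sample lines offline before relying on them in a commit hook, here is an added Python example; it is not part of the original page or of git-secrets itself. It applies the prohibited list and the allowed list the way git-secrets does: a line is reported only if it matches a prohibited pattern and no allowed pattern. The scan() function and the SAMPLE text are constructed for this example.

```python
import re

# Prohibited patterns copied from the setup commands above (egrep syntax; Python's re accepts these constructs).
PROHIBITED = [
    r'\bprivate_key.*\b',
    r'withUser\("\S*"\)',
    r'password\("\{noop\}\S*"\)',
    r'mongodb\+srv:\/\/\S*:\S*@cluster0.krjxc.gcp.mongodb.net',
    r'authString\s=\s\"\S*:\S*"',
    r'spring.mail.password=\S*',
    r'http://localhost:8080',
]

# Allowed patterns: the placeholder forms that templates and docs legitimately contain.
ALLOWED = [
    r'withUser\("<username>"\)',
    r'password\("\{noop\}<password>"\)',
    r'withUser\("<admin-username>"\)',
    r'password\("\{noop\}<admin-password>"\)',
    r'mongodb\+srv://user:<password>@cluster0\.krjxc\.gcp\.mongodb\.net',
    r'authString\s=\s"<username>:<password>"',
    r'spring\.mail\.password=<password>',
]

def scan(text):
    """Return (line_number, line) for each line matching a prohibited pattern
    that no allowed pattern matches. Constructed approximation of the
    git-secrets check: allowed patterns filter out would-be hits line by line."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        prohibited = any(re.search(p, line) for p in PROHIBITED)
        allowed = any(re.search(a, line) for a in ALLOWED)
        if prohibited and not allowed:
            hits.append((number, line))
    return hits

# Constructed sample: placeholder lines (1, 2, 5) must pass; lines 3 and 4 carry
# real-looking values and must be flagged.
SAMPLE = """\
spring.mail.password=<password>
.withUser("<username>").password("{noop}<password>")
spring.mail.password=hunter2
.withUser("alice").password("{noop}s3cret")
mongodb+srv://user:<password>@cluster0.krjxc.gcp.mongodb.net
"""

if __name__ == "__main__":
    for number, line in scan(SAMPLE):
        print(f"line {number}: {line}")
```

Put a candidate new pattern into PROHIBITED (and its placeholder form into ALLOWED) and extend SAMPLE with the strings it should and should not catch to see both lists interact before adding them with git secrets --add.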

This tool does not provide an interface for removing or deleting entries, so in order to do that you have to manually edit the file ethicli/.git/config. You'll find the entries in this format:

```ini
[secrets]
	patterns = \\bprivate_key.*\\b
	patterns = withUser\\(\"\\S*\"\\)
	allowed = withUser\\(\"<username>\"\\)
	allowed = password\\(\"\\{noop\\}<password>\"\\)
```

P.S. There is a way to add patterns by reading them from a file. This would be advantageous because that file could be committed to the repository and shared, reducing setup and maintenance. It doesn't seem to support allowed patterns though.