How to set up git secrets
Original repository: https://github.com/awslabs/git-secrets
git-secrets is a tool that helps prevent passwords and other secrets from being committed by accident. If you can't commit them, you can't push them. When you try to commit a file containing something that looks like a password, the commit is rejected with an error showing the line that triggered it.
To set it up:

- Install the tool from the command line:

  ```
  brew install git-secrets
  ```

- cd into the ethicli directory and install the git hooks:

  ```
  git secrets --install
  ```
- Add all the patterns for it to look for, plus the allowed placeholders that should not be flagged, by running these commands:

  ```
  git secrets --add '\bprivate_key.*\b'
  git secrets --add 'withUser\("\S*"\)'
  git secrets --add 'password\("\{noop\}\S*"\)'
  git secrets --add 'mongodb\+srv:\/\/\S*:\S*@cluster0.krjxc.gcp.mongodb.net'
  git secrets --add 'authString\s=\s\"\S*:\S*"'
  git secrets --add 'spring.mail.password=\S*'
  git secrets --add 'http://localhost:8080'
  git secrets --add --allowed --literal 'withUser\("<username>"\)'
  git secrets --add --allowed --literal 'password\("\{noop\}<password>"\)'
  git secrets --add --allowed --literal 'withUser\("<admin-username>"\)'
  git secrets --add --allowed --literal 'password\("\{noop\}<admin-password>"\)'
  git secrets --add --allowed --literal 'mongodb\+srv://user:<password>@cluster0\.krjxc\.gcp\.mongodb\.net'
  git secrets --add --allowed --literal 'authString\s=\s"<username>:<password>"'
  git secrets --add --allowed --literal 'spring\.mail\.password=<password>'
  ```
To add new patterns in the future, use a tool like https://regex101.com/ to test the regex against the actual string you want to match. Also test it in a new branch to make sure it matches only what you intend, and that the corresponding allowed pattern really does suppress the placeholder but nothing else.
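As an added example (not part of this page or of git-secrets itself), here is a grep-based stand-in for the scan step that exercises three of the patterns above against constructed sample files, so you can see how prohibited and allowed patterns interact before relying on the hooks. The sample values are made up; `scan` and `build_samples` are this example's own helpers.

```shell
#!/bin/sh
# Added example: approximates `git secrets --scan` with grep -E so the
# prohibited/allowed interplay can be checked offline. Not git-secrets code.
set -eu

# Three of the page's prohibited patterns, joined with | for one grep -E.
PATTERNS='withUser\("\S*"\)|password\("\{noop\}\S*"\)|spring.mail.password=\S*'
# The matching placeholder allowances, written here as plain regexes.
ALLOWED='withUser\("<username>"\)|password\("\{noop\}<password>"\)|spring\.mail\.password=<password>'

# scan FILE: print offending lines as file:line:text and return 1 if any
# remain after allowed lines are dropped; return 0 for a clean file.
scan() {
  hits=$(grep -nwHEI -- "$PATTERNS" "$1" || true)
  if [ -n "$hits" ]; then
    # An allowed pattern removes the whole matching line, as git-secrets does.
    hits=$(printf '%s\n' "$hits" | grep -Ev -- "$ALLOWED" || true)
  fi
  if [ -n "$hits" ]; then printf '%s\n' "$hits"; return 1; fi
  return 0
}

# build_samples DIR: write constructed test files (fake values only).
build_samples() {
  # A real-looking credential: must be blocked.
  printf '%s\n' 'auth.withUser("alice").password("{noop}hunter2");' > "$1/real.java"
  # Documentation placeholders: must pass thanks to the allowed list.
  printf '%s\n' 'auth.withUser("<username>").password("{noop}<password>");' > "$1/placeholders.java"
  printf '%s\n' 'spring.mail.password=<password>' > "$1/application.properties"
  # A placeholder and a real value on one line: the allowed match hides the
  # whole line, so the secret slips through. Keep placeholders and real
  # values on separate lines and keep allowed patterns as narrow as possible.
  printf '%s\n' 'auth.withUser("<username>").password("{noop}hunter2");' > "$1/mixed.java"
}

main() {
  tmp=$(mktemp -d)
  build_samples "$tmp"
  for f in "$tmp"/*; do
    if scan "$f"; then echo "OK      $f"; else echo "BLOCKED $f"; fi
  done
  rm -r "$tmp"
}

main
```

The `mixed.java` case is the one to remember: because allowed patterns filter whole lines, a placeholder and a live value on the same line will not be caught.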
This tool does not provide a command for removing or deleting entries, so to do that you have to manually edit the file ethicli/.git/config. You'll find the entries in this format:

```
[secrets]
	patterns = \\bprivate_key.*\\b
	patterns = withUser\\(\"\\S*\"\\)
	allowed = withUser\\(\"<username>\"\\)
	allowed = password\\(\"\\{noop\\}<password>\"\\)
```
P.S. There is a way to add and read patterns from a file. This would be advantageous because the file could then be committed to the repository and shared, reducing setup and maintenance. It doesn't seem to support allowed patterns, though.