[Pre-commit Hook] add pre-commit hook to prevent committing sensitive information (#2055)
Showing 2 changed files with 58 additions and 0 deletions.
@@ -0,0 +1,5 @@ | ||
repos: | ||
- repo: https://github.com/awslabs/git-secrets.git | ||
rev: master | ||
hooks: | ||
- id: git-secrets |
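Review bot: `rev: master` in the new `.pre-commit-config.yaml` pins the hook to a mutable branch instead of an immutable tag or commit SHA, so each developer's machine fetches whatever the upstream branch pointed at when they first installed the hook, different clones can run different hook code, and pre-commit prints a warning that mutable references are not supported. Suggest pinning to a release tag or full commit hash of awslabs/git-secrets (`rev: <pinned tag or commit sha>`, placeholder) and bumping it deliberately with `pre-commit autoupdate`.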
@@ -0,0 +1,53 @@ | ||
# Pre-commit Hook Tool to Prevent Committing Sensitive Information | ||
|
||
This document guides you how to use pre-commit hook and git-secrets to prevent committing sensitive information to a git repository. Simply running `git commit` will trigger the verification of the git-added files. | ||
|
||
## Prerequisite | ||
|
||
The following dependencies or tools are required. | ||
|
||
- [pre-commit](https://pre-commit.com/#config-id) | ||
- [git-secrets](https://github.com/awslabs/git-secrets) | ||
|
||
For macos distributions, simply run `brew install`. | ||
|
||
```bash | ||
brew install pre-commit git-secrets | ||
``` | ||
|
||
## Installation | ||
|
||
run in the current repo: | ||
|
||
```bash | ||
pre-commit install | ||
``` | ||
|
||
## Configuration | ||
|
||
### Define Prohibited Patterns | ||
|
||
Adds prohibited patterns to the current repo (the added patterns are stored in .git/config): | ||
|
||
```bash | ||
# pattern of the ak value | ||
git secrets --add 'LTAI[A-Za-z0-9]+' | ||
|
||
git secrets --add '[aA][cC][cC][eE][sS][sS].?[iI][dD]\s*=\s*.+' | ||
git secrets --add '[aA][cC][cC][eE][sS][sS].?[kK][eE][yY]\s*=\s*.+' | ||
git secrets --add '[aA][cC][cC][eE][sS][sS].?[sS][eE][cC][rR][eE][tT]\s*=\s*.+' | ||
``` | ||
|
||
### Ignoring False Positives | ||
|
||
Sometimes a regular expression might match false positives. For example, write one line code to setup access key from a outer confifuration file look a lot like the pattern of `[aA][cC][cC][eE][sS][sS]*[kK][eE][yY]\s*=\s*.+`. You can specify many different regular expression patterns as false positives using the following command: | ||
|
||
```bash | ||
git secrets --add --allowed --literal 'code line' | ||
``` | ||
|
||
or skip current one-time false positive | ||
|
||
```bash | ||
git commit --no-verify ... | ||
``` |
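Review bot: the `git secrets --add` commands under "Define Prohibited Patterns" write to `.git/config`, which is never committed, so the README should state that every developer must run them in each fresh clone (or the repo should ship them in a setup script); otherwise the hook installed by `pre-commit install` runs with no patterns registered and flags nothing. Smaller points in the same file: the regex quoted in the "Ignoring False Positives" paragraph (`[aA][cC][cC][eE][sS][sS]*[kK][eE][yY]\s*=\s*.+`) is not the pattern actually added above (`[aA][cC][cC][eE][sS][sS].?[kK][eE][yY]\s*=\s*.+`), so the two should agree; "confifuration", "macos" and "a outer" are typos; and the `git commit --no-verify` tip should say that it skips every pre-commit hook, not only this check, so it is a last resort rather than a routine way around a false positive.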