From 516b24aa86909f7cac7d092936cbf35d07123ab1 Mon Sep 17 00:00:00 2001
From: shirly121 <zxlmillie@163.com>
Date: Thu, 22 Sep 2022 11:34:44 +0800
Subject: [PATCH] [Pre-commit Hook] add pre-commit hook to prevent committing
 sensitive information (#2055)

---
 .pre-commit-config.yaml |  5 ++++
 pre-commit/README.md    | 53 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 58 insertions(+)
 create mode 100644 .pre-commit-config.yaml
 create mode 100644 pre-commit/README.md

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 000000000000..40d3492aa903
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,5 @@
+repos:
+-   repo: https://github.com/awslabs/git-secrets.git
+    rev: master
+    hooks:
+    -   id: git-secrets
diff --git a/pre-commit/README.md b/pre-commit/README.md
new file mode 100644
index 000000000000..a3e1e3715bd8
--- /dev/null
+++ b/pre-commit/README.md
@@ -0,0 +1,53 @@
+# Pre-commit Hook Tool to Prevent Committing Sensitive Information
+
+This document guides you how to use pre-commit hook and git-secrets to prevent committing sensitive information to a git repository. Simply running `git commit` will trigger the verification of the git-added files.
+
+## Prerequisite
+
+The following dependencies or tools are required.
+
+- [pre-commit](https://pre-commit.com/#config-id)
+- [git-secrets](https://github.com/awslabs/git-secrets)
+
+For macos distributions, simply run `brew install`.
+
+```bash
+brew install pre-commit git-secrets
+```
+
+## Installation
+
+run in the current repo:
+
+```bash
+pre-commit install
+```
+
+## Configuration
+
+### Define Prohibited Patterns
+
+Adds prohibited patterns to the current repo (the added patterns are stored in .git/config):
+
+```bash
+# pattern of the ak value
+git secrets --add 'LTAI[A-Za-z0-9]+'
+
+git secrets --add '[aA][cC][cC][eE][sS][sS].?[iI][dD]\s*=\s*.+'
+git secrets --add '[aA][cC][cC][eE][sS][sS].?[kK][eE][yY]\s*=\s*.+'
+git secrets --add '[aA][cC][cC][eE][sS][sS].?[sS][eE][cC][rR][eE][tT]\s*=\s*.+'
+```
+
+### Ignoring False Positives
+
+Sometimes a regular expression might match false positives. For example, write one line code to setup access key from a outer confifuration file look a lot like the pattern of `[aA][cC][cC][eE][sS][sS]*[kK][eE][yY]\s*=\s*.+`. You can specify many different regular expression patterns as false positives using the following command:
+
+```bash
+git secrets --add --allowed --literal 'code line'
+```
+
+or skip current one-time false positive
+
+```bash
+git commit --no-verify ...
+```