From 0424767182ddc4d112af0101e16b61f800890af8 Mon Sep 17 00:00:00 2001 From: shirly121 Date: Wed, 21 Sep 2022 15:49:08 +0800 Subject: [PATCH] [Pre-commit Hook] add pre-commit hook to prevent committing sensitive information --- .pre-commit-config.yaml | 5 ++++ pre-commit/README.md | 53 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 58 insertions(+) create mode 100644 .pre-commit-config.yaml create mode 100644 pre-commit/README.md diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 000000000000..40d3492aa903 --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,5 @@ +repos: +- repo: https://github.com/awslabs/git-secrets.git + rev: master + hooks: + - id: git-secrets diff --git a/pre-commit/README.md b/pre-commit/README.md new file mode 100644 index 000000000000..a3e1e3715bd8 --- /dev/null +++ b/pre-commit/README.md @@ -0,0 +1,53 @@ +# Pre-commit Hook Tool to Prevent Committing Sensitive Information + +This document guides you how to use pre-commit hook and git-secrets to prevent committing sensitive information to a git repository. Simply running `git commit` will trigger the verification of the git-added files. + +## Prerequisite + +The following dependencies or tools are required. + +- [pre-commit](https://pre-commit.com/#config-id) +- [git-secrets](https://github.com/awslabs/git-secrets) + +For macos distributions, simply run `brew install`. + +```bash +brew install pre-commit git-secrets +``` + +## Installation + +run in the current repo: + +```bash +pre-commit install +``` + +## Configuration + +### Define Prohibited Patterns + +Adds prohibited patterns to the current repo (the added patterns are stored in .git/config): + +```bash +# pattern of the ak value +git secrets --add 'LTAI[A-Za-z0-9]+' + +git secrets --add '[aA][cC][cC][eE][sS][sS].?[iI][dD]\s*=\s*.+' +git secrets --add '[aA][cC][cC][eE][sS][sS].?[kK][eE][yY]\s*=\s*.+' +git secrets --add '[aA][cC][cC][eE][sS][sS].?[sS][eE][cC][rR][eE][tT]\s*=\s*.+' +``` + +### Ignoring False Positives + +Sometimes a regular expression might match false positives. For example, write one line code to setup access key from a outer confifuration file look a lot like the pattern of `[aA][cC][cC][eE][sS][sS]*[kK][eE][yY]\s*=\s*.+`. You can specify many different regular expression patterns as false positives using the following command: + +```bash +git secrets --add --allowed --literal 'code line' +``` + +or skip current one-time false positive + +```bash +git commit --no-verify ... +```