We installed this pre-commit hook to help prevent us from leaking production secrets, but the benefit hasn't outweighed the pain. I think we already solve this problem with good practices:
1. We don't share secrets between production and development/test envs.
2. We specify our production secrets in environment variables.
So we've never been in the habit of committing real secrets to the repo. It seems strange that we'd slip up and do so now. Furthermore, as this is only a pre-commit hook, and not a pre-receive hook, it doesn't actually prevent someone from pushing a secret to GitHub! Since we have the same vulnerability whether we have this hook or not, I don't think the potential gain (someone gets access to a production secret, hard-codes it, and then has that commit rejected before pushing it) is worth the effort (needing to keep the baseline and pragma comments up to date).
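The description's point that a client-side pre-commit hook cannot stop a push is exactly where a server-side hook would come in. As an added example (not this project's code, and not the hook the PR removes), here is a minimal pre-receive hook in POSIX sh that scans the added lines of every pushed commit; the secret patterns and the `pragma: allowlist secret` marker are assumptions.

```shell
#!/bin/sh
# Added example, not this project's hook: a minimal server-side pre-receive hook.
# git feeds it "oldrev newrev refname" lines on stdin before any ref is updated,
# so unlike a pre-commit hook it runs on every push regardless of client setup.
# The patterns and the "pragma: allowlist secret" marker are illustrative assumptions.

SECRET_PATTERNS='AKIA[0-9A-Z]{16}|-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----|(api|secret|access)[_-]?key[[:space:]]*[:=][[:space:]]*"?[A-Za-z0-9/+=_-]{16,}'
ZERO_REV=0000000000000000000000000000000000000000

# Read unified diff text on stdin; print added lines that look like secrets.
# Exit status 0 means "a secret was found", 1 means clean (grep semantics).
scan_added_lines() {
    grep -E '^\+[^+]' | grep -v 'pragma: allowlist secret' | grep -E -i "$SECRET_PATTERNS"
}

# Scan every commit a push introduces; return non-zero to make git refuse the push.
pre_receive() {
    rc=0
    while read -r oldrev newrev refname; do
        [ "$newrev" = "$ZERO_REV" ] && continue          # ref deletion: nothing new to scan
        if [ "$oldrev" = "$ZERO_REV" ]; then
            # New ref: scan only commits not already reachable from an existing ref.
            commits=$(git rev-list "$newrev" --not --all)
        else
            commits=$(git rev-list "$oldrev..$newrev")
        fi
        for c in $commits; do
            # --unified=0 keeps only changed lines, so context lines cannot trigger a hit.
            if hits=$(git show --format= --unified=0 "$c" | scan_added_lines); then
                echo "rejected: commit $c on $refname adds what looks like a secret:" >&2
                echo "$hits" >&2
                rc=1
            fi
        done
    done
    return "$rc"
}

# Only act as a hook when git invokes this file under its hook name.
case "$0" in *pre-receive) pre_receive ;; esac
```

Install it executable as `hooks/pre-receive` in the server-side bare repository; a hosted service that does not expose server hooks needs an equivalent server-side check to close the same gap.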
I'd be very happy to see this go. Hopefully others feel the same!
Yeah, I was up for this when we started out and were setting up a lot of things. Given the infrequency of the thing this was supposed to help with, and the amount of daily friction it adds, I think we could:
So I don't want to abandon safeguards, but I think we can do a bit more work to have ones that aren't so daily annoying...
Yeah, it'd be good to have a bit of documentation on what sorts of secrets we have and how one could go about rotating them.
We decided this was more trouble than it's worth, see #613
If this PR is accepted, I'll go through our other repos and remove it.