Git module to prevent from committing sensitive information into the repository.
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.gitignore
.travis.yml
LICENSE
README.rst
check.go
config.go
gitseekret.go
glide.lock
glide.yaml
hook_pre-commit.go
main.go
main_check.go
main_config.go
main_hook.go
main_rules.go

README.rst

Build Status

git-seekret

Git module to prevent from committing sensitive information into the repository.

Description

git-seekret inspect on commits and/or staged (and uncommited yet) files, to prevent adding sensitive information into the git repository. It can be easily integrated with git hooks, forcing it to analise all staged files before they are included into a commit.

Installing git-seekret

It's important to have the following tools and libraries to make it work properly:

  • glide
  • pkg-config
  • golang >= 1.6
  • libgit >= 2.24

git-seekret uses Glide to maintain its dependencies.

Follow the instructions for installing Glide: https://github.com/Masterminds/glide#install

glide install
go build

This builds a binary git-seekret. Currently, there is no cross platform way to install git-seekret (e.g. Install via Brew for OS X). To make the binary widely available to the user, you need to copy it to the system's bin folder.

cp ./git-seekret /usr/local/bin

Usage

General Options:

NAME:
   git-seekret - prevent from committing sensitive information into git repository

USAGE:
   git-seekret [global options] command [command options] [arguments...]

VERSION:
   0.0.1

AUTHOR(S):
   Albert Puigsech Galicia <albert@puigsech.com>

COMMANDS:
     config   manage configuration seetings
     rules    manage rules
     check    inspect git repository
     hook     manage git hooks
     help, h  Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --global
   --help, -h     show help
   --version, -v  print the version

--global

Rules and Exceptions

The definition of rules and exceptions for git-seekret are defined by the `seekret go library. Proper documentation for this library can be found here:

https://github.com/apuigsech/seekret

Once you download the secrets, you will need to set your SEEKRET_RULES_PATH environment variable to point to the location of the rules. This is needed because by default, the seekret library will look for the rules in $GOPATH/src/github.com/apuigsech/seekret/rules.

Hands-On

The repository seekret-secrets is prepare to test ``git-seekret`, and can be used to perform the following hands-on examples:

$ git clone https://github.com/apuigsech/seekret-secrets

$ cd seekret-secrets

$ git seekret config --init
Config:
        version = 1
        rulespath = /Users/apuigsech/Develop//.go/src/github.com/apuigsech/seekret/rules
        rulesenabled =
        exceptionsfile =

$ git seekret rules
List of rules:
        [ ] aws.secret_key
        [ ] aws.access_key
        [ ] certs.rsa
        [ ] certs.generic
        [ ] certs.pgp
        [ ] password.pass
        [ ] password.cred
        [ ] password.password
        [ ] password.pwd
        [ ] unix.passwd

$ git seekret rules --enable password.password
List of rules:
        [ ] aws.secret_key
        [ ] aws.access_key
        [ ] certs.generic
        [ ] certs.pgp
        [ ] certs.rsa
        [x] password.password
        [ ] password.pwd
        [ ] password.pass
        [ ] password.cred
        [ ] unix.passwd

$ git seekret check -c 1   # Check on last commit.
Found Secrets: 9
        secret_6:2
                - Metadata:
                  commit: 442d574a5e233d9cec7d245f7c85177cd1a827e4
                  uniq-id: e4ac21ceef17fff49d2f0d1fdd46f0abe7d0f62c
                - Rule:
                  password.password
                - Content:
                  password = 's3cr3t'
        secret_8:5
                - Metadata:
                  uniq-id: 373978394eb25268890ebee17966024300f3997b
                  commit: 442d574a5e233d9cec7d245f7c85177cd1a827e4
                - Rule:
                  password.password
                - Content:
                  password = 'thisISnotSECRET'

        ...

$ git seekret check -s     # Check on staged files.
Found Secrets: 0

$ echo "password = 'this is super secret'" > new_file

$ git add new_file

$ git seekret check -s
Found Secrets: 1
        new_file:1
                - Metadata:
                  status: test
                - Rule:
                  password.password
                - Content:
                  password = 'this is super secret'