How do you add a pattern that begins with '-'?

[bknowles]

So, I'm trying to add a pattern that looks like this:

-----BEGIN RSA PRIVATE KEY-----

However, I keep getting the following error, regardless of the options I provide:

$ git secrets --add --literal --global '-----BEGIN RSA PRIVATE KEY-----'
error: unknown option `---BEGIN RSA PRIVATE KEY-----'
usage: git secrets --scan [-r|--recursive] [--cached] [--no-index] [--untracked] [<files>...]
   or: git secrets --scan-history
   or: git secrets --install [-f|--force] [<target-directory>]
   or: git secrets --list [--global]
   or: git secrets --add [-a|--allowed] [-l|--literal] [--global] <pattern>
   or: git secrets --add-provider [--global] <command> [arguments...]
   or: git secrets --register-aws [--global]
   or: git secrets --aws-provider [<credentials-file>]

    --scan                Scans <files> for prohibited patterns
    --scan-history        Scans repo for prohibited patterns
    --install             Installs git hooks for Git repository or Git template directory
    --list                Lists secret patterns
    --add                 Adds a prohibited or allowed pattern, ensuring to de-dupe with existing patterns
    --add-provider        Adds a secret provider that when called outputs secret patterns on new lines
    --aws-provider        Secret provider that outputs credentials found in an ini file
    --register-aws        Adds common AWS patterns to the git config and scans for ~/.aws/credentials
    -r, --recursive       --scan scans directories recursively
    --cached              --scan scans searches blobs registered in the index file
    --no-index            --scan searches files in the current directory that is not managed by Git
    --untracked           In addition to searching in the tracked files in the working tree, --scan also in untracked files
    -f, --force           --install overwrites hooks if the hook already exists
    -l, --literal         --add and --add-allowed patterns are escaped so that they are literal
    -a, --allowed         --add adds an allowed pattern instead of a prohibited pattern
    --global              Uses the --global git config

[bknowles]

Any suggestions how we can add new prohibited patterns where the string begins with dashes?

[ghost]

Tried prefixing your pattern with -- (dash dash space)? This will cause the grep to treat is as a pattern not an arg.

[Rob-Conan]

I wasn't able to fix this issue directly but I added the following patterns to my ~/.gitconfig file which has achieved the desired result for me

patterns = BEGIN\\s*CERTIFICATE
patterns = BEGIN\\s*RSA\\s*PRIVATE\\s*KEY

[beekeep]

I was running into a similar issue and was able to use the following pattern:

git secrets --add --global '(-){5}(BEGIN RSA PRIVATE KEY)(-){5}'