-
Notifications
You must be signed in to change notification settings - Fork 1.2k
/
git-secrets.1
843 lines (841 loc) · 20.9 KB
/
git-secrets.1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
.\" Man page generated from reStructuredText.
.
.TH GIT-SECRETS "" "" ""
.SH NAME
git-secrets \- Prevents you from committing passwords and other sensitive information to a git repository.
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.SS Contents
.INDENT 0.0
.IP \(bu 2
\fI\%Synopsis\fP
.IP \(bu 2
\fI\%Description\fP
.IP \(bu 2
\fI\%Installing git\-secrets\fP
.INDENT 2.0
.IP \(bu 2
\fI\%*nix (Linux/macOS)\fP
.IP \(bu 2
\fI\%Windows\fP
.IP \(bu 2
\fI\%Homebrew (for macOS users)\fP
.UNINDENT
.IP \(bu 2
\fI\%Advanced configuration\fP
.IP \(bu 2
\fI\%Before making public a repository\fP
.IP \(bu 2
\fI\%Options\fP
.INDENT 2.0
.IP \(bu 2
\fI\%Operation Modes\fP
.IP \(bu 2
\fI\%Options for \fB\-\-install\fP\fP
.IP \(bu 2
\fI\%Options for \fB\-\-scan\fP\fP
.IP \(bu 2
\fI\%Options for \fB\-\-list\fP\fP
.IP \(bu 2
\fI\%Options for \fB\-\-add\fP\fP
.IP \(bu 2
\fI\%Options for \fB\-\-register\-aws\fP\fP
.IP \(bu 2
\fI\%Options for \fB\-\-aws\-provider\fP\fP
.IP \(bu 2
\fI\%Options for \fB\-\-add\-provider\fP\fP
.UNINDENT
.IP \(bu 2
\fI\%Defining prohibited patterns\fP
.IP \(bu 2
\fI\%Ignoring false positives\fP
.IP \(bu 2
\fI\%Secret providers\fP
.IP \(bu 2
\fI\%Example walkthrough\fP
.IP \(bu 2
\fI\%Skipping validation\fP
.IP \(bu 2
\fI\%About\fP
.UNINDENT
.SH SYNOPSIS
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
git secrets \-\-scan [\-r|\-\-recursive] [\-\-cached] [\-\-no\-index] [\-\-untracked] [<files>...]
git secrets \-\-scan\-history
git secrets \-\-install [\-f|\-\-force] [<target\-directory>]
git secrets \-\-list [\-\-global]
git secrets \-\-add [\-a|\-\-allowed] [\-l|\-\-literal] [\-\-global] <pattern>
git secrets \-\-add\-provider [\-\-global] <command> [arguments...]
git secrets \-\-register\-aws [\-\-global]
git secrets \-\-aws\-provider [<credentials\-file>]
.ft P
.fi
.UNINDENT
.UNINDENT
.SH DESCRIPTION
.sp
\fBgit\-secrets\fP scans commits, commit messages, and \fB\-\-no\-ff\fP merges to
prevent adding secrets into your git repositories. If a commit,
commit message, or any commit in a \fB\-\-no\-ff\fP merge history matches one of
your configured prohibited regular expression patterns, then the commit is
rejected.
.SH INSTALLING GIT-SECRETS
.sp
\fBgit\-secrets\fP must be placed somewhere in your PATH so that it is picked up
by \fBgit\fP when running \fBgit secrets\fP\&.
.SS *nix (Linux/macOS)
.IP "System Message: WARNING/2 (README.rst:, line 43)"
Title underline too short.
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
\e*nix (Linux/macOS)
~~~~~~~~~~~~~~~~~
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
You can use the \fBinstall\fP target of the provided Makefile to install \fBgit secrets\fP and the man page.
You can customize the install path using the PREFIX and MANPREFIX variables.
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
make install
.ft P
.fi
.UNINDENT
.UNINDENT
.SS Windows
.sp
Run the provided \fBinstall.ps1\fP powershell script. This will copy the needed files
to an installation directory (\fB%USERPROFILE%/.git\-secrets\fP by default) and add
the directory to the current user \fBPATH\fP\&.
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
PS > ./install.ps1
.ft P
.fi
.UNINDENT
.UNINDENT
.SS Homebrew (for macOS users)
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
brew install git\-secrets
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
\fBWARNING:\fP
.INDENT 0.0
.INDENT 3.5
You\(aqre not done yet! You MUST install the git hooks for every repo that
you wish to use with \fBgit secrets \-\-install\fP\&.
.UNINDENT
.UNINDENT
.sp
Here\(aqs a quick example of how to ensure a git repository is scanned for secrets
on each commit:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
cd /path/to/my/repo
git secrets \-\-install
git secrets \-\-register\-aws
.ft P
.fi
.UNINDENT
.UNINDENT
.SH ADVANCED CONFIGURATION
.sp
Add a configuration template if you want to add hooks to all repositories you
initialize or clone in the future.
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
git secrets \-\-register\-aws \-\-global
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
Add hooks to all your local repositories.
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
git secrets \-\-install ~/.git\-templates/git\-secrets
git config \-\-global init.templateDir ~/.git\-templates/git\-secrets
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
Add custom providers to scan for security credentials.
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
git secrets \-\-add\-provider \-\- cat /path/to/secret/file/patterns
.ft P
.fi
.UNINDENT
.UNINDENT
.SH BEFORE MAKING PUBLIC A REPOSITORY
.sp
With git\-secrets is also possible to scan a repository including all revisions:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
git secrets \-\-scan\-history
.ft P
.fi
.UNINDENT
.UNINDENT
.SH OPTIONS
.SS Operation Modes
.sp
Each of these options must appear first on the command line.
.INDENT 0.0
.TP
.B \fB\-\-install\fP
Installs git hooks for a repository. Once the hooks are installed for a git
repository, commits and non\-fast\-forward merges for that repository will be prevented
from committing secrets.
.TP
.B \fB\-\-scan\fP
Scans one or more files for secrets. When a file contains a secret, the
matched text from the file being scanned will be written to stdout and the
script will exit with a non\-zero status. Each matched line will be written with
the name of the file that matched, a colon, the line number that matched,
a colon, and then the line of text that matched. If no files are provided,
all files returned by \fBgit ls\-files\fP are scanned.
.TP
.B \fB\-\-scan\-history\fP
Scans repository including all revisions. When a file contains a secret, the
matched text from the file being scanned will be written to stdout and the
script will exit with a non\-zero status. Each matched line will be written with
the name of the file that matched, a colon, the line number that matched,
a colon, and then the line of text that matched.
.TP
.B \fB\-\-list\fP
Lists the \fBgit\-secrets\fP configuration for the current repo or in the global
git config.
.TP
.B \fB\-\-add\fP
Adds a prohibited or allowed pattern.
.TP
.B \fB\-\-add\-provider\fP
Registers a secret provider. Secret providers are executables that when
invoked output prohibited patterns that \fBgit\-secrets\fP should treat as
prohibited.
.TP
.B \fB\-\-register\-aws\fP
Adds common AWS patterns to the git config and ensures that keys present
in \fB~/.aws/credentials\fP are not found in any commit. The following
checks are added:
.INDENT 7.0
.IP \(bu 2
AWS Access Key IDs via \fB(A3T[A\-Z0\-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A\-Z0\-9]{16}\fP
.IP \(bu 2
AWS Secret Access Key assignments via ":" or "=" surrounded by optional
quotes
.IP \(bu 2
AWS account ID assignments via ":" or "=" surrounded by optional quotes
.IP \(bu 2
Allowed patterns for example AWS keys (\fBAKIAIOSFODNN7EXAMPLE\fP and
\fBwJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\fP)
.IP \(bu 2
Known credentials from \fB~/.aws/credentials\fP
.UNINDENT
.sp
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
While the patterns registered by this command should catch most
instances of AWS credentials, these patterns are \fBnot\fP guaranteed to
catch them \fBall\fP\&. \fBgit\-secrets\fP should be used as an extra means of
insurance \-\- you still need to do your due diligence to ensure that you
do not commit credentials to a repository.
.UNINDENT
.UNINDENT
.TP
.B \fB\-\-aws\-provider\fP
Secret provider that outputs credentials found in an INI file. You can
optionally provide the path to an INI file.
.UNINDENT
.SS Options for \fB\-\-install\fP
.INDENT 0.0
.TP
.B \fB\-f, \-\-force\fP
Overwrites existing hooks if present.
.TP
.B \fB<target\-directory>\fP
When provided, installs git hooks to the given directory. The current
directory is assumed if \fB<target\-directory>\fP is not provided.
.sp
If the provided \fB<target\-directory>\fP is not in a git repository, the
directory will be created and hooks will be placed in
\fB<target\-directory>/hooks\fP\&. This can be useful for creating git template
directories using with \fBgit init \-\-template <target\-directory>\fP\&.
.sp
You can run \fBgit init\fP on a repository that has already been initialized.
From the \fI\%git init documentation\fP:
.INDENT 7.0
.INDENT 3.5
From the git documentation: Running \fBgit init\fP in an existing repository
is safe. It will not overwrite things that are already there. The
primary reason for rerunning \fBgit init\fP is to pick up newly added
templates (or to move the repository to another place if
\fB\-\-separate\-git\-dir\fP is given).
.UNINDENT
.UNINDENT
.sp
The following git hooks are installed:
.INDENT 7.0
.IP 1. 3
\fBpre\-commit\fP: Used to check if any of the files changed in the commit
use prohibited patterns.
.IP 2. 3
\fBcommit\-msg\fP: Used to determine if a commit message contains a
prohibited patterns.
.IP 3. 3
\fBprepare\-commit\-msg\fP: Used to determine if a merge commit will
introduce a history that contains a prohibited pattern at any point.
Please note that this hook is only invoked for non fast\-forward merges.
.UNINDENT
.sp
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
Git only allows a single script to be executed per hook. If the
repository contains Debian\-style subdirectories like \fBpre\-commit.d\fP
and \fBcommit\-msg.d\fP, then the git hooks will be installed into these
directories, which assumes that you\(aqve configured the corresponding
hooks to execute all of the scripts found in these directories. If
these git subdirectories are not present, then the git hooks will be
installed to the git repo\(aqs \fB\&.git/hooks\fP directory.
.UNINDENT
.UNINDENT
.UNINDENT
.SS Examples
.sp
Install git hooks to the current directory:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
cd /path/to/my/repository
git secrets \-\-install
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
Install git hooks to a repository other than the current directory:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
git secrets \-\-install /path/to/my/repository
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
Create a git template that has \fBgit\-secrets\fP installed, and then copy that
template into a git repository:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
git secrets \-\-install ~/.git\-templates/git\-secrets
git init \-\-template ~/.git\-templates/git\-secrets
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
Overwrite existing hooks if present:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
git secrets \-\-install \-f
.ft P
.fi
.UNINDENT
.UNINDENT
.SS Options for \fB\-\-scan\fP
.INDENT 0.0
.TP
.B \fB\-r, \-\-recursive\fP
Scans the given files recursively. If a directory is encountered, the
directory will be scanned. If \fB\-r\fP is not provided, directories will be
ignored.
.sp
\fB\-r\fP cannot be used alongside \fB\-\-cached\fP, \fB\-\-no\-index\fP, or
\fB\-\-untracked\fP\&.
.TP
.B \fB\-\-cached\fP
Searches blobs registered in the index file.
.TP
.B \fB\-\-no\-index\fP
Searches files in the current directory that is not managed by git.
.TP
.B \fB\-\-untracked\fP
In addition to searching in the tracked files in the working tree,
\fB\-\-scan\fP also in untracked files.
.TP
.B \fB<files>...\fP
The path to one or more files on disk to scan for secrets.
.sp
If no files are provided, all files returned by \fBgit ls\-files\fP are
scanned.
.UNINDENT
.SS Examples
.sp
Scan all files in the repo:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
git secrets \-\-scan
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
Scans a single file for secrets:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
git secrets \-\-scan /path/to/file
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
Scans a directory recursively for secrets:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
git secrets \-\-scan \-r /path/to/directory
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
Scans multiple files for secrets:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
git secrets \-\-scan /path/to/file /path/to/other/file
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
You can scan by globbing:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
git secrets \-\-scan /path/to/directory/*
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
Scan from stdin:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
echo \(aqhello!\(aq | git secrets \-\-scan \-
.ft P
.fi
.UNINDENT
.UNINDENT
.SS Options for \fB\-\-list\fP
.INDENT 0.0
.TP
.B \fB\-\-global\fP
Lists only git\-secrets configuration in the global git config.
.UNINDENT
.SS Options for \fB\-\-add\fP
.INDENT 0.0
.TP
.B \fB\-\-global\fP
Adds patterns to the global git config
.TP
.B \fB\-l, \-\-literal\fP
Escapes special regular expression characters in the provided pattern so
that the pattern is searched for literally.
.TP
.B \fB\-a, \-\-allowed\fP
Mark the pattern as allowed instead of prohibited. Allowed patterns are
used to filter out false positives.
.TP
.B \fB<pattern>\fP
The regex pattern to search.
.UNINDENT
.SS Examples
.sp
Adds a prohibited pattern to the current repo:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
git secrets \-\-add \(aq[A\-Z0\-9]{20}\(aq
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
Adds a prohibited pattern to the global git config:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
git secrets \-\-add \-\-global \(aq[A\-Z0\-9]{20}\(aq
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
Adds a string that is scanned for literally (\fB+\fP is escaped):
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
git secrets \-\-add \-\-literal \(aqfoo+bar\(aq
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
Add an allowed pattern:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
git secrets \-\-add \-a \(aqallowed pattern\(aq
.ft P
.fi
.UNINDENT
.UNINDENT
.SS Options for \fB\-\-register\-aws\fP
.INDENT 0.0
.TP
.B \fB\-\-global\fP
Adds AWS specific configuration variables to the global git config.
.UNINDENT
.SS Options for \fB\-\-aws\-provider\fP
.INDENT 0.0
.TP
.B \fB[<credentials\-file>]\fP
If provided, specifies the custom path to an INI file to scan. If not
provided, \fB~/.aws/credentials\fP is assumed.
.UNINDENT
.SS Options for \fB\-\-add\-provider\fP
.INDENT 0.0
.TP
.B \fB\-\-global\fP
Adds the provider to the global git config.
.TP
.B \fB<command>\fP
Provider command to invoke. When invoked the command is expected to write
prohibited patterns separated by new lines to stdout. Any extra arguments
provided are passed on to the command.
.UNINDENT
.SS Examples
.sp
Registers a secret provider with arguments:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
git secrets \-\-add\-provider \-\- git secrets \-\-aws\-provider
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
Cats secrets out of a file:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
git secrets \-\-add\-provider \-\- cat /path/to/secret/file/patterns
.ft P
.fi
.UNINDENT
.UNINDENT
.SH DEFINING PROHIBITED PATTERNS
.sp
\fBegrep\fP\-compatible regular expressions are used to determine if a commit or
commit message contains any prohibited patterns. These regular expressions are
defined using the \fBgit config\fP command. It is important to note that
different systems use different versions of egrep. For example, when running on
macOS, you will use a different version of \fBegrep\fP than when running on something
like Ubuntu (BSD vs GNU).
.sp
You can add prohibited regular expression patterns to your git config using
\fBgit secrets \-\-add <pattern>\fP\&.
.SH IGNORING FALSE POSITIVES
.sp
Sometimes a regular expression might match false positives. For example, git
commit SHAs look a lot like AWS access keys. You can specify many different
regular expression patterns as false positives using the following command:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
git secrets \-\-add \-\-allowed \(aqmy regex pattern\(aq
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
You can also add regular expressions patterns to filter false positives to a
\fB\&.gitallowed\fP file located in the repository\(aqs root directory. Lines starting
with \fB#\fP are skipped (comment line) and empty lines are also skipped.
.sp
First, git\-secrets will extract all lines from a file that contain a prohibited
match. Included in the matched results will be the full path to the name of
the file that was matched, followed by \(aq:\(aq, followed by the line number that was
matched, followed by the entire line from the file that was matched by a secret
pattern. Then, if you\(aqve defined allowed regular expressions, git\-secrets will
check to see if all of the matched lines match at least one of your registered
allowed regular expressions. If all of the lines that were flagged as secret
are canceled out by an allowed match, then the subject text does not contain
any secrets. If any of the matched lines are not matched by an allowed regular
expression, then git\-secrets will fail the commit/merge/message.
.sp
\fBIMPORTANT:\fP
.INDENT 0.0
.INDENT 3.5
Just as it is a bad practice to add prohibited patterns that are too
greedy, it is also a bad practice to add allowed patterns that are too
forgiving. Be sure to test out your patterns using ad\-hoc calls to
\fBgit secrets \-\-scan $filename\fP to ensure they are working as intended.
.UNINDENT
.UNINDENT
.SH SECRET PROVIDERS
.sp
Sometimes you want to check for an exact pattern match against a set of known
secrets. For example, you might want to ensure that no credentials present in
\fB~/.aws/credentials\fP ever show up in a commit. In these cases, it\(aqs better to
leave these secrets in one location rather than spread them out across git
repositories in git configs. You can use "secret providers" to fetch these
types of credentials. A secret provider is an executable that when invoked
outputs prohibited patterns separated by new lines.
.sp
You can add secret providers using the \fB\-\-add\-provider\fP command:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
git secrets \-\-add\-provider \-\- git secrets \-\-aws\-provider
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
Notice the use of \fB\-\-\fP\&. This ensures that any arguments associated with the
provider are passed to the provider each time it is invoked when scanning
for secrets.
.SH EXAMPLE WALKTHROUGH
.sp
Let\(aqs take a look at an example. Given the following subject text (stored in
\fB/tmp/example\fP):
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
This is a test!
password=ex@mplepassword
password=******
More test...
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
And the following registered patterns:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
git secrets \-\-add \(aqpassword\es*=\es*.+\(aq
git secrets \-\-add \-\-allowed \-\-literal \(aqex@mplepassword\(aq
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
Running \fBgit secrets \-\-scan /tmp/example\fP, the result will
result in the following error output:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
/tmp/example:3:password=******
[ERROR] Matched prohibited pattern
Possible mitigations:
\- Mark false positives as allowed using: git config \-\-add secrets.allowed ...
\- List your configured patterns: git config \-\-get\-all secrets.patterns
\- List your configured allowed patterns: git config \-\-get\-all secrets.allowed
\- Use \-\-no\-verify if this is a one\-time false positive
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
Breaking this down, the prohibited pattern value of \fBpassword\es*=\es*.+\fP will
match the following lines:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
/tmp/example:2:password=ex@mplepassword
/tmp/example:3:password=******
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
\&...But the first match will be filtered out due to the fact that it matches the
allowed regular expression of \fBex@mplepassword\fP\&. Because there is still a
remaining line that did not match, it is considered a secret.
.sp
Because that matching lines are placed on lines that start with the filename
and line number (e.g., \fB/tmp/example:3:...\fP), you can create allowed
patterns that take filenames and line numbers into account in the regular
expression. For example, you could whitelist an entire file using something
like:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
git secrets \-\-add \-\-allowed \(aq/tmp/example:.*\(aq
git secrets \-\-scan /tmp/example && echo $?
# Outputs: 0
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
Alternatively, you could allow a specific line number of a file if that
line is unlikely to change using something like the following:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
git secrets \-\-add \-\-allowed \(aq/tmp/example:3:.*\(aq
git secrets \-\-scan /tmp/example && echo $?
# Outputs: 0
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
Keep this in mind when creating allowed patterns to ensure that your allowed
patterns are not inadvertently matched due to the fact that the filename is
included in the subject text that allowed patterns are matched against.
.SH SKIPPING VALIDATION
.sp
Use the \fB\-\-no\-verify\fP option in the event of a false positive match in a
commit, merge, or commit message. This will skip the execution of the
git hook and allow you to make the commit or merge.
.SH ABOUT
.INDENT 0.0
.IP \(bu 2
Author: \fI\%Michael Dowling\fP
.IP \(bu 2
Issue tracker: This project\(aqs source code and issue tracker can be found at
\fI\%https://github.com/awslabs/git\-secrets\fP
.IP \(bu 2
Special thanks to Adrian Vatchinsky and Ari Juels of Cornell University for
providing suggestions and feedback.
.UNINDENT
.sp
Copyright 2015 Amazon.com, Inc. or its affiliates. All Rights Reserved.
.\" Generated by docutils manpage writer.
.