git-secrets / d084d2c
Update upstream source from tag 'upstream/1.3.0' Update to upstream version '1.3.0' with Debian dir 0bbbc98faaf7c26b0eb8d180ac01be2002f23ae4 Francois Marier 5 years ago
6 changed file(s) with 200 addition(s) and 41 deletion(s).
0 # Set the default behavior, in case people don't have core.autocrlf set.
1 * text=auto
2
3 # Force the bash scripts to be checked out with LF line endings.
4 git-secrets text eol=lf
5 git-secrets.1 text eol=lf
6 test/bats/bin/* text eol=lf
7 test/bats/libexec/* text eol=lf
8 *.bats text eol=lf
9 *.bash text eol=lf
0 *Issue #, if available:*
1
2 *Description of changes:*
3
4
5 By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
00 # CHANGELOG
1
2 ## 1.3.0 - 2019-02-10
3
4 * Empty provider output is now excluded
5 (https://github.com/awslabs/git-secrets/issues/34)
6 * Spaces are now supported in git exec path, making more Windows
7 paths execute properly.
8 * Patterns with newlines and carriage returns are now loaded properly.
9 * Patterns that contain only "\n" are now ignored.
10 * Various Bash 4 fixes (https://github.com/awslabs/git-secrets/issues/66).
11 * Make IAM key scanning much more targeted.
112
213 ## 1.2.1 - 2016-06-27
314
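Review bot: the entry "Make IAM key scanning much more targeted" (line 11 of this hunk) should say what actually changed and link the issue or PR the way the neighbouring entries do. The Access Key ID pattern moves from `[A-Z0-9]{20}` to the prefix-based `(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}` (visible further down in the man page hunk); that removes false positives on arbitrary 20-character uppercase tokens but also stops matching any key ID whose prefix is not in that list, and someone reading the changelog before upgrading should be able to see that trade-off here.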
88
99 # We use bats for testing: https://github.com/sstephenson/bats
1010 test:
11 test/bats/bin/bats test/
11 LANG=C test/bats/bin/bats test/
1212
1313 # The man page is completely derived from README.rst. Edits to
1414 # README.rst require a rebuild of the man page.
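Review bot: `LANG=C` on the added `test` line does not pin the locale if the developer's shell exports `LC_ALL` or `LC_COLLATE`, because those variables take precedence over `LANG`. Use `LC_ALL=C test/bats/bin/bats test/` instead so the egrep character-class and collation behaviour the tests depend on is the same on every machine and in CI.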
11 git-secrets
22 ===========
33
4 Prevents you from committing passwords and other sensitive information to a
5 git repository.
4 -------------------------------------------------------------------------------------------
5 Prevents you from committing passwords and other sensitive information to a git repository.
6 -------------------------------------------------------------------------------------------
67
78 .. contents:: :depth: 2
89
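Review bot: the overline/underline block placed directly under the `git-secrets` title (lines 4-6 of this hunk) is an unusual construction: it works only because docutils promotes the second adorned title to a document subtitle, which is what puts the description into the man page NAME line (`git-secrets \- Prevents you from committing ...` later in this diff). Add an rst comment beside it saying so, otherwise the next contributor will reflow it back into a plain paragraph and the NAME line will silently go empty again, as it was before this change.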
517518 # Outputs: 0
518519
519520 Keep this in mind when creating allowed patterns to ensure that your allowed
520 patterns are not inadvertantly matched due to the fact that the filename is
521 patterns are not inadvertently matched due to the fact that the filename is
521522 included in the subject text that allowed patterns are matched against.
522523
523524
11 .
22 .TH GIT-SECRETS "" "" ""
33 .SH NAME
4 git-secrets \-
4 git-secrets \- Prevents you from committing passwords and other sensitive information to a git repository.
55 .
66 .nr rst2man-indent-level 0
77 .
2929 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
3030 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
3131 ..
32 .sp
33 Prevents you from committing passwords and other sensitive information to a
34 git repository.
32 .SS Contents
33 .INDENT 0.0
34 .IP \(bu 2
35 \fI\%Synopsis\fP
36 .IP \(bu 2
37 \fI\%Description\fP
38 .IP \(bu 2
39 \fI\%Installing git\-secrets\fP
40 .INDENT 2.0
41 .IP \(bu 2
42 \fI\%*nix (Linux/macOS)\fP
43 .IP \(bu 2
44 \fI\%Windows\fP
45 .IP \(bu 2
46 \fI\%Homebrew (for macOS users)\fP
47 .UNINDENT
48 .IP \(bu 2
49 \fI\%Advanced configuration\fP
50 .IP \(bu 2
51 \fI\%Before making public a repository\fP
52 .IP \(bu 2
53 \fI\%Options\fP
54 .INDENT 2.0
55 .IP \(bu 2
56 \fI\%Operation Modes\fP
57 .IP \(bu 2
58 \fI\%Options for \fB\-\-install\fP\fP
59 .IP \(bu 2
60 \fI\%Options for \fB\-\-scan\fP\fP
61 .IP \(bu 2
62 \fI\%Options for \fB\-\-list\fP\fP
63 .IP \(bu 2
64 \fI\%Options for \fB\-\-add\fP\fP
65 .IP \(bu 2
66 \fI\%Options for \fB\-\-register\-aws\fP\fP
67 .IP \(bu 2
68 \fI\%Options for \fB\-\-aws\-provider\fP\fP
69 .IP \(bu 2
70 \fI\%Options for \fB\-\-add\-provider\fP\fP
71 .UNINDENT
72 .IP \(bu 2
73 \fI\%Defining prohibited patterns\fP
74 .IP \(bu 2
75 \fI\%Ignoring false positives\fP
76 .IP \(bu 2
77 \fI\%Secret providers\fP
78 .IP \(bu 2
79 \fI\%Example walkthrough\fP
80 .IP \(bu 2
81 \fI\%Skipping validation\fP
82 .IP \(bu 2
83 \fI\%About\fP
84 .UNINDENT
3585 .SH SYNOPSIS
3686 .INDENT 0.0
3787 .INDENT 3.5
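Review bot: the generated `.SS Contents` block (lines 32-84) is the README's `.. contents::` directive rendered as a list of `\fI\%...\fP` references; in a man page these come out as plain italic text with nothing to jump to, so the reader gets a screen of noise before SYNOPSIS. Either keep the directive out of the man build (an `.. only::`-style guard or a preprocessing step in the Makefile's rst2man target) or strip the block after generation.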
57107 commit message, or any commit in a \fB\-\-no\-ff\fP merge history matches one of
58108 your configured prohibited regular expression patterns, then the commit is
59109 rejected.
60 .SS Installing git\-secrets
110 .SH INSTALLING GIT-SECRETS
61111 .sp
62112 \fBgit\-secrets\fP must be placed somewhere in your PATH so that it is picked up
63 by \fBgit\fP when running \fBgit secrets\fP\&. You can use \fBinstall\fP target of the
64 provided Makefile to install \fBgit secrets\fP and the man page. You can
65 customize the install path using the PREFIX and MANPREFIX variables.
113 by \fBgit\fP when running \fBgit secrets\fP\&.
114 .SS *nix (Linux/macOS)
115 .IP "System Message: WARNING/2 (README.rst:, line 43)"
116 Title underline too short.
117 .INDENT 0.0
118 .INDENT 3.5
119 .sp
120 .nf
121 .ft C
122 \e*nix (Linux/macOS)
123 ~~~~~~~~~~~~~~~~~
124 .ft P
125 .fi
126 .UNINDENT
127 .UNINDENT
128 .sp
129 You can use the \fBinstall\fP target of the provided Makefile to install \fBgit secrets\fP and the man page.
130 You can customize the install path using the PREFIX and MANPREFIX variables.
66131 .INDENT 0.0
67132 .INDENT 3.5
68133 .sp
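Review bot: lines 115-127 ship a docutils error inside the man page: `.IP "System Message: WARNING/2 (README.rst:, line 43)"`, `Title underline too short.`, and then a literal copy of the heading and its tildes. The `*nix (Linux/macOS)` heading in README.rst has to be written with an escaped `\*nix` to keep the asterisk literal, and the tilde underline is shorter than that source line (the backslash counts). Lengthen the underline, regenerate `git-secrets.1`, and have the man target run rst2man with `--halt=warning` so a warning fails the build instead of being committed as output.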
73138 .fi
74139 .UNINDENT
75140 .UNINDENT
76 .sp
77 Or, installing with Homebrew (for OS X users).
141 .SS Windows
142 .sp
143 Run the provided \fBinstall.ps1\fP powershell script. This will copy the needed files
144 to an installation directory (\fB%USERPROFILE%/.git\-secrets\fP by default) and add
145 the directory to the current user \fBPATH\fP\&.
146 .INDENT 0.0
147 .INDENT 3.5
148 .sp
149 .nf
150 .ft C
151 PS > ./install.ps1
152 .ft P
153 .fi
154 .UNINDENT
155 .UNINDENT
156 .SS Homebrew (for macOS users)
78157 .INDENT 0.0
79158 .INDENT 3.5
80159 .sp
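Review bot: line 144 writes the default directory as `%USERPROFILE%/.git\-secrets`, mixing cmd-style variable syntax with a forward slash in a section whose example is a PowerShell prompt. Write it as `$env:USERPROFILE\.git-secrets` (or `%USERPROFILE%\.git-secrets` if cmd syntax is intended), and say whether the user `PATH` change on line 145 applies to the current session or only to newly opened shells, since that is the first thing a Windows user will trip over.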
108187 .fi
109188 .UNINDENT
110189 .UNINDENT
190 .SH ADVANCED CONFIGURATION
191 .sp
192 Add a configuration template if you want to add hooks to all repositories you
193 initialize or clone in the future.
194 .INDENT 0.0
195 .INDENT 3.5
196 .sp
197 .nf
198 .ft C
199 git secrets \-\-register\-aws \-\-global
200 .ft P
201 .fi
202 .UNINDENT
203 .UNINDENT
204 .sp
205 Add hooks to all your local repositories.
206 .INDENT 0.0
207 .INDENT 3.5
208 .sp
209 .nf
210 .ft C
211 git secrets \-\-install ~/.git\-templates/git\-secrets
212 git config \-\-global init.templateDir ~/.git\-templates/git\-secrets
213 .ft P
214 .fi
215 .UNINDENT
216 .UNINDENT
217 .sp
218 Add custom providers to scan for security credentials.
219 .INDENT 0.0
220 .INDENT 3.5
221 .sp
222 .nf
223 .ft C
224 git secrets \-\-add\-provider \-\- cat /path/to/secret/file/patterns
225 .ft P
226 .fi
227 .UNINDENT
228 .UNINDENT
229 .SH BEFORE MAKING PUBLIC A REPOSITORY
230 .sp
231 With git\-secrets is also possible to scan a repository including all revisions:
232 .INDENT 0.0
233 .INDENT 3.5
234 .sp
235 .nf
236 .ft C
237 git secrets \-\-scan\-history
238 .ft P
239 .fi
240 .UNINDENT
241 .UNINDENT
111242 .SH OPTIONS
112243 .SS Operation Modes
113244 .sp
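Review bot: the two lead-in sentences in this section are attached to the wrong commands. `git secrets --register-aws --global` (line 199) adds the AWS patterns to the global git config and installs no hooks at all, whereas the `--install ~/.git-templates/git-secrets` plus `init.templateDir` pair (lines 211-212) is what makes future `git init` and `git clone` pick up the hooks; it also does nothing for repositories that already exist, so "Add hooks to all your local repositories" (line 205) overpromises. Swap the two descriptions and state that existing clones still need `git secrets --install` or a `git init` rerun, as the `--install` option text later in this page already explains. Line 231 also needs an "it": "With git-secrets it is also possible to scan a repository including all revisions".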
115246 .INDENT 0.0
116247 .TP
117248 .B \fB\-\-install\fP
118 Installs hooks for a repository. Once the hooks are installed for a git
119 repository, commits and non\-ff merges for that repository will be prevented
249 Installs git hooks for a repository. Once the hooks are installed for a git
250 repository, commits and non\-fast\-forward merges for that repository will be prevented
120251 from committing secrets.
121252 .TP
122253 .B \fB\-\-scan\fP
123254 Scans one or more files for secrets. When a file contains a secret, the
124255 matched text from the file being scanned will be written to stdout and the
125 script will exit with a non\-zero RC. Each matched line will be written with
256 script will exit with a non\-zero status. Each matched line will be written with
126257 the name of the file that matched, a colon, the line number that matched,
127258 a colon, and then the line of text that matched. If no files are provided,
128259 all files returned by \fBgit ls\-files\fP are scanned.
130261 .B \fB\-\-scan\-history\fP
131262 Scans repository including all revisions. When a file contains a secret, the
132263 matched text from the file being scanned will be written to stdout and the
133 script will exit with a non\-zero RC. Each matched line will be written with
264 script will exit with a non\-zero status. Each matched line will be written with
134265 the name of the file that matched, a colon, the line number that matched,
135266 a colon, and then the line of text that matched.
136267 .TP
137268 .B \fB\-\-list\fP
138 Lists the git\-secrets configuration for the current repo or in the global
269 Lists the \fBgit\-secrets\fP configuration for the current repo or in the global
139270 git config.
140271 .TP
141272 .B \fB\-\-add\fP
143274 .TP
144275 .B \fB\-\-add\-provider\fP
145276 Registers a secret provider. Secret providers are executables that when
146 invoked outputs prohibited patterns that \fBgit\-secrets\fP should treat as
277 invoked output prohibited patterns that \fBgit\-secrets\fP should treat as
147278 prohibited.
148279 .TP
149280 .B \fB\-\-register\-aws\fP
152283 checks are added:
153284 .INDENT 7.0
154285 .IP \(bu 2
155 AWS Access Key ID via \fB[A\-Z0\-9]{20}\fP
286 AWS Access Key IDs via \fB(A3T[A\-Z0\-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A\-Z0\-9]{16}\fP
156287 .IP \(bu 2
157288 AWS Secret Access Key assignments via ":" or "=" surrounded by optional
158289 quotes
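Review bot: the replacement Access Key ID pattern on line 286 changes the detection trade-off and the bullet does not say so. `[A-Z0-9]{20}` fired on any 20-character uppercase alphanumeric token; `(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}` only fires on those prefixes, so a key ID with an unlisted prefix now passes the hook unnoticed. State that in the bullet, and keep a test asserting that the literal example key `AKIAIOSFODNN7EXAMPLE` still matches, because the allowed-pattern entry two bullets further down only makes sense if it is still a hit.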
162293 Allowed patterns for example AWS keys (\fBAKIAIOSFODNN7EXAMPLE\fP and
163294 \fBwJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\fP)
164295 .IP \(bu 2
165 Enables using \fB~/.aws/credentials\fP to scan for known credentials.
296 Known credentials from \fB~/.aws/credentials\fP
166297 .UNINDENT
167298 .sp
168299 \fBNOTE:\fP
178309 .TP
179310 .B \fB\-\-aws\-provider\fP
180311 Secret provider that outputs credentials found in an INI file. You can
181 optionally provide the path to an ini file.
312 optionally provide the path to an INI file.
182313 .UNINDENT
183314 .SS Options for \fB\-\-install\fP
184315 .INDENT 0.0
190321 When provided, installs git hooks to the given directory. The current
191322 directory is assumed if \fB<target\-directory>\fP is not provided.
192323 .sp
193 If the provided \fB<target\-directory>\fP is not in a Git repository, the
324 If the provided \fB<target\-directory>\fP is not in a git repository, the
194325 directory will be created and hooks will be placed in
195 \fB<target\-directory>/hooks\fP\&. This can be useful for creating Git template
326 \fB<target\-directory>/hooks\fP\&. This can be useful for creating git template
196327 directories using with \fBgit init \-\-template <target\-directory>\fP\&.
197328 .sp
198329 You can run \fBgit init\fP on a repository that has already been initialized.
199330 From the \fI\%git init documentation\fP:
200331 .INDENT 7.0
201332 .INDENT 3.5
202 From the git documentation: Running git init in an existing repository
333 From the git documentation: Running \fBgit init\fP in an existing repository
203334 is safe. It will not overwrite things that are already there. The
204 primary reason for rerunning git init is to pick up newly added
335 primary reason for rerunning \fBgit init\fP is to pick up newly added
205336 templates (or to move the repository to another place if
206337 \fB\-\-separate\-git\-dir\fP is given).
207338 .UNINDENT
225356 .INDENT 7.0
226357 .INDENT 3.5
227358 Git only allows a single script to be executed per hook. If the
228 repository contains Debian style subdirectories like \fBpre\-commit.d\fP
359 repository contains Debian\-style subdirectories like \fBpre\-commit.d\fP
229360 and \fBcommit\-msg.d\fP, then the git hooks will be installed into these
230361 directories, which assumes that you\(aqve configured the corresponding
231362 hooks to execute all of the scripts found in these directories. If
301432 Searches blobs registered in the index file.
302433 .TP
303434 .B \fB\-\-no\-index\fP
304 Searches files in the current directory that is not managed by Git.
435 Searches files in the current directory that is not managed by git.
305436 .TP
306437 .B \fB\-\-untracked\fP
307438 In addition to searching in the tracked files in the working tree,
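Review bot: line 435 only swaps `Git` for `git` and keeps the grammar error; the subject is `files`, so it should read "Searches files in the current directory that are not managed by git."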
509640 .UNINDENT
510641 .SH DEFINING PROHIBITED PATTERNS
511642 .sp
512 egrep compatible regular expressions are used to determine if a commit or
643 \fBegrep\fP\-compatible regular expressions are used to determine if a commit or
513644 commit message contains any prohibited patterns. These regular expressions are
514645 defined using the \fBgit config\fP command. It is important to note that
515646 different systems use different versions of egrep. For example, when running on
516 OS X, you will use a different version of egrep than when running on something
647 macOS, you will use a different version of \fBegrep\fP than when running on something
517648 like Ubuntu (BSD vs GNU).
518649 .sp
519650 You can add prohibited regular expression patterns to your git config using
520651 \fBgit secrets \-\-add <pattern>\fP\&.
521 .SH IGNORING FALSE-POSITIVES
652 .SH IGNORING FALSE POSITIVES
522653 .sp
523654 Sometimes a regular expression might match false positives. For example, git
524655 commit SHAs look a lot like AWS access keys. You can specify many different
535666 .UNINDENT
536667 .sp
537668 You can also add regular expressions patterns to filter false positives to a
538 .gitallowed file located in the repository\(aqs root directory. Lines starting
539 with # are skipped (comment line) and empty lines are also skipped.
669 \fB\&.gitallowed\fP file located in the repository\(aqs root directory. Lines starting
670 with \fB#\fP are skipped (comment line) and empty lines are also skipped.
540671 .sp
541672 First, git\-secrets will extract all lines from a file that contain a prohibited
542673 match. Included in the matched results will be the full path to the name of
543 the file that was matched, followed \(aq:\(aq, followed by the line number that was
674 the file that was matched, followed by \(aq:\(aq, followed by the line number that was
544675 matched, followed by the entire line from the file that was matched by a secret
545676 pattern. Then, if you\(aqve defined allowed regular expressions, git\-secrets will
546677 check to see if all of the matched lines match at least one of your registered
607738 .sp
608739 .nf
609740 .ft C
610 git config \-\-add \(aqpassword\es*=\es*.+\(aq
611 git config \-\-add \-\-allowed \-\-literal \(aqex@mplepassword\(aq
741 git secrets \-\-add \(aqpassword\es*=\es*.+\(aq
742 git secrets \-\-add \-\-allowed \-\-literal \(aqex@mplepassword\(aq
612743 .ft P
613744 .fi
614745 .UNINDENT
671802 .UNINDENT
672803 .UNINDENT
673804 .sp
674 Alternatively, you could whitelist a specific line number of a file if that
805 Alternatively, you could allow a specific line number of a file if that
675806 line is unlikely to change using something like the following:
676807 .INDENT 0.0
677808 .INDENT 3.5
687818 .UNINDENT
688819 .sp
689820 Keep this in mind when creating allowed patterns to ensure that your allowed
690 patterns are not inadvertantly matched due to the fact that the filename is
821 patterns are not inadvertently matched due to the fact that the filename is
691822 included in the subject text that allowed patterns are matched against.
692823 .SH SKIPPING VALIDATION
693824 .sp
694 Use the \fB\-\-no\-verify\fP option in the event of a false\-positive match in a
825 Use the \fB\-\-no\-verify\fP option in the event of a false positive match in a
695826 commit, merge, or commit message. This will skip the execution of the
696827 git hook and allow you to make the commit or merge.
697828 .SH ABOUT
698829 .INDENT 0.0
699830 .IP \(bu 2
700 Author: Michael Dowling <\fI\%https://github.com/mtdowling\fP>
831 Author: \fI\%Michael Dowling\fP
701832 .IP \(bu 2
702833 Issue tracker: This project\(aqs source code and issue tracker can be found at
703834 \fI\%https://github.com/awslabs/git\-secrets\fP
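Review bot: lines 825-827 describe `--no-verify` as skipping "the git hook", but `git commit --no-verify` and `git merge --no-verify` bypass every pre-commit and commit-msg hook in the repository, not just git-secrets. Say so, and point the reader at the narrower fixes this page already documents (a `--add --allowed` pattern or a `.gitallowed` entry) before reaching for `--no-verify`, since a secret waved through with it is exactly what `--scan-history` later has to dig out.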