1 | 1 |
.
|
2 | 2 |
.TH GIT-SECRETS "" "" ""
|
3 | 3 |
.SH NAME
|
4 | |
git-secrets \-
|
|
4 |
git-secrets \- Prevents you from committing passwords and other sensitive information to a git repository.
|
5 | 5 |
.
|
6 | 6 |
.nr rst2man-indent-level 0
|
7 | 7 |
.
|
|
29 | 29 |
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
30 | 30 |
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
|
31 | 31 |
..
|
32 | |
.sp
|
33 | |
Prevents you from committing passwords and other sensitive information to a
|
34 | |
git repository.
|
|
32 |
.SS Contents
|
|
33 |
.INDENT 0.0
|
|
34 |
.IP \(bu 2
|
|
35 |
\fI\%Synopsis\fP
|
|
36 |
.IP \(bu 2
|
|
37 |
\fI\%Description\fP
|
|
38 |
.IP \(bu 2
|
|
39 |
\fI\%Installing git\-secrets\fP
|
|
40 |
.INDENT 2.0
|
|
41 |
.IP \(bu 2
|
|
42 |
\fI\%*nix (Linux/macOS)\fP
|
|
43 |
.IP \(bu 2
|
|
44 |
\fI\%Windows\fP
|
|
45 |
.IP \(bu 2
|
|
46 |
\fI\%Homebrew (for macOS users)\fP
|
|
47 |
.UNINDENT
|
|
48 |
.IP \(bu 2
|
|
49 |
\fI\%Advanced configuration\fP
|
|
50 |
.IP \(bu 2
|
|
51 |
\fI\%Before making public a repository\fP
|
|
52 |
.IP \(bu 2
|
|
53 |
\fI\%Options\fP
|
|
54 |
.INDENT 2.0
|
|
55 |
.IP \(bu 2
|
|
56 |
\fI\%Operation Modes\fP
|
|
57 |
.IP \(bu 2
|
|
58 |
\fI\%Options for \fB\-\-install\fP\fP
|
|
59 |
.IP \(bu 2
|
|
60 |
\fI\%Options for \fB\-\-scan\fP\fP
|
|
61 |
.IP \(bu 2
|
|
62 |
\fI\%Options for \fB\-\-list\fP\fP
|
|
63 |
.IP \(bu 2
|
|
64 |
\fI\%Options for \fB\-\-add\fP\fP
|
|
65 |
.IP \(bu 2
|
|
66 |
\fI\%Options for \fB\-\-register\-aws\fP\fP
|
|
67 |
.IP \(bu 2
|
|
68 |
\fI\%Options for \fB\-\-aws\-provider\fP\fP
|
|
69 |
.IP \(bu 2
|
|
70 |
\fI\%Options for \fB\-\-add\-provider\fP\fP
|
|
71 |
.UNINDENT
|
|
72 |
.IP \(bu 2
|
|
73 |
\fI\%Defining prohibited patterns\fP
|
|
74 |
.IP \(bu 2
|
|
75 |
\fI\%Ignoring false positives\fP
|
|
76 |
.IP \(bu 2
|
|
77 |
\fI\%Secret providers\fP
|
|
78 |
.IP \(bu 2
|
|
79 |
\fI\%Example walkthrough\fP
|
|
80 |
.IP \(bu 2
|
|
81 |
\fI\%Skipping validation\fP
|
|
82 |
.IP \(bu 2
|
|
83 |
\fI\%About\fP
|
|
84 |
.UNINDENT
|
35 | 85 |
.SH SYNOPSIS
|
36 | 86 |
.INDENT 0.0
|
37 | 87 |
.INDENT 3.5
|
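Review bot: the Contents list added after NAME (from `.SS Contents` to its closing `.UNINDENT`) is the reStructuredText contents directive passed through rst2man, and in a man page the `\fI\%Synopsis\fP`-style entries render as plain italic section names with nothing to follow, since roff has no link targets. Suggest keeping the contents directive for the README only and leaving it out of the man page build, so the manual opens with SYNOPSIS as readers of `man git-secrets` expect.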
|
57 | 107 |
commit message, or any commit in a \fB\-\-no\-ff\fP merge history matches one of
|
58 | 108 |
your configured prohibited regular expression patterns, then the commit is
|
59 | 109 |
rejected.
|
60 | |
.SS Installing git\-secrets
|
|
110 |
.SH INSTALLING GIT-SECRETS
|
61 | 111 |
.sp
|
62 | 112 |
\fBgit\-secrets\fP must be placed somewhere in your PATH so that it is picked up
|
63 | |
by \fBgit\fP when running \fBgit secrets\fP\&. You can use \fBinstall\fP target of the
|
64 | |
provided Makefile to install \fBgit secrets\fP and the man page. You can
|
65 | |
customize the install path using the PREFIX and MANPREFIX variables.
|
|
113 |
by \fBgit\fP when running \fBgit secrets\fP\&.
|
|
114 |
.SS *nix (Linux/macOS)
|
|
115 |
.IP "System Message: WARNING/2 (README.rst:, line 43)"
|
|
116 |
Title underline too short.
|
|
117 |
.INDENT 0.0
|
|
118 |
.INDENT 3.5
|
|
119 |
.sp
|
|
120 |
.nf
|
|
121 |
.ft C
|
|
122 |
\e*nix (Linux/macOS)
|
|
123 |
~~~~~~~~~~~~~~~~~
|
|
124 |
.ft P
|
|
125 |
.fi
|
|
126 |
.UNINDENT
|
|
127 |
.UNINDENT
|
|
128 |
.sp
|
|
129 |
You can use the \fBinstall\fP target of the provided Makefile to install \fBgit secrets\fP and the man page.
|
|
130 |
You can customize the install path using the PREFIX and MANPREFIX variables.
|
66 | 131 |
.INDENT 0.0
|
67 | 132 |
.INDENT 3.5
|
68 | 133 |
.sp
|
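Review bot: the new `.SS *nix (Linux/macOS)` section ships a docutils error inside the man page: the lines `.IP "System Message: WARNING/2 (README.rst:, line 43)"`, `Title underline too short.` and the literal block showing `\e*nix (Linux/macOS)` over a row of tildes are rst2man rendering a malformed heading, not documentation. The heading text is 18 characters and the `~` underline under it is shorter, so lengthen the underline in README.rst at that heading and regenerate; the warning and the stray literal block then disappear and the section goes straight from the heading to "You can use the \fBinstall\fP target...".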
|
73 | 138 |
.fi
|
74 | 139 |
.UNINDENT
|
75 | 140 |
.UNINDENT
|
76 | |
.sp
|
77 | |
Or, installing with Homebrew (for OS X users).
|
|
141 |
.SS Windows
|
|
142 |
.sp
|
|
143 |
Run the provided \fBinstall.ps1\fP powershell script. This will copy the needed files
|
|
144 |
to an installation directory (\fB%USERPROFILE%/.git\-secrets\fP by default) and add
|
|
145 |
the directory to the current user \fBPATH\fP\&.
|
|
146 |
.INDENT 0.0
|
|
147 |
.INDENT 3.5
|
|
148 |
.sp
|
|
149 |
.nf
|
|
150 |
.ft C
|
|
151 |
PS > ./install.ps1
|
|
152 |
.ft P
|
|
153 |
.fi
|
|
154 |
.UNINDENT
|
|
155 |
.UNINDENT
|
|
156 |
.SS Homebrew (for macOS users)
|
78 | 157 |
.INDENT 0.0
|
79 | 158 |
.INDENT 3.5
|
80 | 159 |
.sp
|
|
108 | 187 |
.fi
|
109 | 188 |
.UNINDENT
|
110 | 189 |
.UNINDENT
|
|
190 |
.SH ADVANCED CONFIGURATION
|
|
191 |
.sp
|
|
192 |
Add a configuration template if you want to add hooks to all repositories you
|
|
193 |
initialize or clone in the future.
|
|
194 |
.INDENT 0.0
|
|
195 |
.INDENT 3.5
|
|
196 |
.sp
|
|
197 |
.nf
|
|
198 |
.ft C
|
|
199 |
git secrets \-\-register\-aws \-\-global
|
|
200 |
.ft P
|
|
201 |
.fi
|
|
202 |
.UNINDENT
|
|
203 |
.UNINDENT
|
|
204 |
.sp
|
|
205 |
Add hooks to all your local repositories.
|
|
206 |
.INDENT 0.0
|
|
207 |
.INDENT 3.5
|
|
208 |
.sp
|
|
209 |
.nf
|
|
210 |
.ft C
|
|
211 |
git secrets \-\-install ~/.git\-templates/git\-secrets
|
|
212 |
git config \-\-global init.templateDir ~/.git\-templates/git\-secrets
|
|
213 |
.ft P
|
|
214 |
.fi
|
|
215 |
.UNINDENT
|
|
216 |
.UNINDENT
|
|
217 |
.sp
|
|
218 |
Add custom providers to scan for security credentials.
|
|
219 |
.INDENT 0.0
|
|
220 |
.INDENT 3.5
|
|
221 |
.sp
|
|
222 |
.nf
|
|
223 |
.ft C
|
|
224 |
git secrets \-\-add\-provider \-\- cat /path/to/secret/file/patterns
|
|
225 |
.ft P
|
|
226 |
.fi
|
|
227 |
.UNINDENT
|
|
228 |
.UNINDENT
|
|
229 |
.SH BEFORE MAKING PUBLIC A REPOSITORY
|
|
230 |
.sp
|
|
231 |
With git\-secrets is also possible to scan a repository including all revisions:
|
|
232 |
.INDENT 0.0
|
|
233 |
.INDENT 3.5
|
|
234 |
.sp
|
|
235 |
.nf
|
|
236 |
.ft C
|
|
237 |
git secrets \-\-scan\-history
|
|
238 |
.ft P
|
|
239 |
.fi
|
|
240 |
.UNINDENT
|
|
241 |
.UNINDENT
|
111 | 242 |
.SH OPTIONS
|
112 | 243 |
.SS Operation Modes
|
113 | 244 |
.sp
|
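Review bot: the two intro lines in ADVANCED CONFIGURATION do not match the commands under them. `git secrets \-\-register\-aws \-\-global` writes the AWS patterns into the global git config rather than creating a template, and the `\-\-install ~/.git\-templates/git\-secrets` plus `init.templateDir` pair only affects repositories initialized or cloned after the setting is made (the `git init` quotation further down says the same), so "Add hooks to all your local repositories." overstates it: existing checkouts still need `git secrets \-\-install` run in each. Swap or reword the two intros. Under BEFORE MAKING PUBLIC A REPOSITORY, "With git\-secrets is also possible" should read "With git\-secrets it is also possible", and it is worth one sentence saying that a `\-\-scan\-history` hit in an old revision means the credential is already exposed and must be rotated, because removing it from history does not undo the exposure.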
|
115 | 246 |
.INDENT 0.0
|
116 | 247 |
.TP
|
117 | 248 |
.B \fB\-\-install\fP
|
118 | |
Installs hooks for a repository. Once the hooks are installed for a git
|
119 | |
repository, commits and non\-ff merges for that repository will be prevented
|
|
249 |
Installs git hooks for a repository. Once the hooks are installed for a git
|
|
250 |
repository, commits and non\-fast\-forward merges for that repository will be prevented
|
120 | 251 |
from committing secrets.
|
121 | 252 |
.TP
|
122 | 253 |
.B \fB\-\-scan\fP
|
123 | 254 |
Scans one or more files for secrets. When a file contains a secret, the
|
124 | 255 |
matched text from the file being scanned will be written to stdout and the
|
125 | |
script will exit with a non\-zero RC. Each matched line will be written with
|
|
256 |
script will exit with a non\-zero status. Each matched line will be written with
|
126 | 257 |
the name of the file that matched, a colon, the line number that matched,
|
127 | 258 |
a colon, and then the line of text that matched. If no files are provided,
|
128 | 259 |
all files returned by \fBgit ls\-files\fP are scanned.
|
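Review bot: the `\-\-install` text still reads "commits and non\-fast\-forward merges for that repository will be prevented from committing secrets", which makes the commits the subject of "committing"; since this hunk rewrites the line anyway, say "commits and non\-fast\-forward merges that contain secrets will be rejected" so it matches the DESCRIPTION wording ("the commit is rejected").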
|
130 | 261 |
.B \fB\-\-scan\-history\fP
|
131 | 262 |
Scans repository including all revisions. When a file contains a secret, the
|
132 | 263 |
matched text from the file being scanned will be written to stdout and the
|
133 | |
script will exit with a non\-zero RC. Each matched line will be written with
|
|
264 |
script will exit with a non\-zero status. Each matched line will be written with
|
134 | 265 |
the name of the file that matched, a colon, the line number that matched,
|
135 | 266 |
a colon, and then the line of text that matched.
|
136 | 267 |
.TP
|
137 | 268 |
.B \fB\-\-list\fP
|
138 | |
Lists the git\-secrets configuration for the current repo or in the global
|
|
269 |
Lists the \fBgit\-secrets\fP configuration for the current repo or in the global
|
139 | 270 |
git config.
|
140 | 271 |
.TP
|
141 | 272 |
.B \fB\-\-add\fP
|
|
143 | 274 |
.TP
|
144 | 275 |
.B \fB\-\-add\-provider\fP
|
145 | 276 |
Registers a secret provider. Secret providers are executables that when
|
146 | |
invoked outputs prohibited patterns that \fBgit\-secrets\fP should treat as
|
|
277 |
invoked output prohibited patterns that \fBgit\-secrets\fP should treat as
|
147 | 278 |
prohibited.
|
148 | 279 |
.TP
|
149 | 280 |
.B \fB\-\-register\-aws\fP
|
|
152 | 283 |
checks are added:
|
153 | 284 |
.INDENT 7.0
|
154 | 285 |
.IP \(bu 2
|
155 | |
AWS Access Key ID via \fB[A\-Z0\-9]{20}\fP
|
|
286 |
AWS Access Key IDs via \fB(A3T[A\-Z0\-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A\-Z0\-9]{16}\fP
|
156 | 287 |
.IP \(bu 2
|
157 | 288 |
AWS Secret Access Key assignments via ":" or "=" surrounded by optional
|
158 | 289 |
quotes
|
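Review bot: the access-key bullet under `\-\-register\-aws` now documents `(A3T[A\-Z0\-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A\-Z0\-9]{16}` in place of `[A\-Z0\-9]{20}`; this hunk touches only the man page, so confirm the pattern the script actually registers changed in the same commit, otherwise the manual describes a check the hook does not perform. The trade-off deserves a clause too: the prefix list removes the false positives that any 20 uppercase alphanumerics produced (the IGNORING FALSE POSITIVES section already mentions commit SHAs), but an access key whose prefix is not in the list will pass the hook, so users should read it as a known-prefix match rather than a catch-all.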
|
162 | 293 |
Allowed patterns for example AWS keys (\fBAKIAIOSFODNN7EXAMPLE\fP and
|
163 | 294 |
\fBwJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\fP)
|
164 | 295 |
.IP \(bu 2
|
165 | |
Enables using \fB~/.aws/credentials\fP to scan for known credentials.
|
|
296 |
Known credentials from \fB~/.aws/credentials\fP
|
166 | 297 |
.UNINDENT
|
167 | 298 |
.sp
|
168 | 299 |
\fBNOTE:\fP
|
|
178 | 309 |
.TP
|
179 | 310 |
.B \fB\-\-aws\-provider\fP
|
180 | 311 |
Secret provider that outputs credentials found in an INI file. You can
|
181 | |
optionally provide the path to an ini file.
|
|
312 |
optionally provide the path to an INI file.
|
182 | 313 |
.UNINDENT
|
183 | 314 |
.SS Options for \fB\-\-install\fP
|
184 | 315 |
.INDENT 0.0
|
|
190 | 321 |
When provided, installs git hooks to the given directory. The current
|
191 | 322 |
directory is assumed if \fB<target\-directory>\fP is not provided.
|
192 | 323 |
.sp
|
193 | |
If the provided \fB<target\-directory>\fP is not in a Git repository, the
|
|
324 |
If the provided \fB<target\-directory>\fP is not in a git repository, the
|
194 | 325 |
directory will be created and hooks will be placed in
|
195 | |
\fB<target\-directory>/hooks\fP\&. This can be useful for creating Git template
|
|
326 |
\fB<target\-directory>/hooks\fP\&. This can be useful for creating git template
|
196 | 327 |
directories using with \fBgit init \-\-template <target\-directory>\fP\&.
|
197 | 328 |
.sp
|
198 | 329 |
You can run \fBgit init\fP on a repository that has already been initialized.
|
199 | 330 |
From the \fI\%git init documentation\fP:
|
200 | 331 |
.INDENT 7.0
|
201 | 332 |
.INDENT 3.5
|
202 | |
From the git documentation: Running git init in an existing repository
|
|
333 |
From the git documentation: Running \fBgit init\fP in an existing repository
|
203 | 334 |
is safe. It will not overwrite things that are already there. The
|
204 | |
primary reason for rerunning git init is to pick up newly added
|
|
335 |
primary reason for rerunning \fBgit init\fP is to pick up newly added
|
205 | 336 |
templates (or to move the repository to another place if
|
206 | 337 |
\fB\-\-separate\-git\-dir\fP is given).
|
207 | 338 |
.UNINDENT
|
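Review bot: the quoted block under `\-\-install` still opens with "From the git documentation:" although the line just before it already says "From the \fI\%git init documentation\fP:"; since this hunk is editing that line to bold `git init`, drop the duplicated prefix so the quotation starts at "Running \fBgit init\fP in an existing repository is safe." Also "creating git template directories using with \fBgit init \-\-template <target\-directory>\fP" has a stray "using"; "directories for use with" reads correctly.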
|
225 | 356 |
.INDENT 7.0
|
226 | 357 |
.INDENT 3.5
|
227 | 358 |
Git only allows a single script to be executed per hook. If the
|
228 | |
repository contains Debian style subdirectories like \fBpre\-commit.d\fP
|
|
359 |
repository contains Debian\-style subdirectories like \fBpre\-commit.d\fP
|
229 | 360 |
and \fBcommit\-msg.d\fP, then the git hooks will be installed into these
|
230 | 361 |
directories, which assumes that you\(aqve configured the corresponding
|
231 | 362 |
hooks to execute all of the scripts found in these directories. If
|
|
301 | 432 |
Searches blobs registered in the index file.
|
302 | 433 |
.TP
|
303 | 434 |
.B \fB\-\-no\-index\fP
|
304 | |
Searches files in the current directory that is not managed by Git.
|
|
435 |
Searches files in the current directory that is not managed by git.
|
305 | 436 |
.TP
|
306 | 437 |
.B \fB\-\-untracked\fP
|
307 | 438 |
In addition to searching in the tracked files in the working tree,
|
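Review bot: the `\-\-no\-index` line changes only "Git" to "git" and keeps the agreement error; it should read "Searches files in the current directory that are not managed by git."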
|
509 | 640 |
.UNINDENT
|
510 | 641 |
.SH DEFINING PROHIBITED PATTERNS
|
511 | 642 |
.sp
|
512 | |
egrep compatible regular expressions are used to determine if a commit or
|
|
643 |
\fBegrep\fP\-compatible regular expressions are used to determine if a commit or
|
513 | 644 |
commit message contains any prohibited patterns. These regular expressions are
|
514 | 645 |
defined using the \fBgit config\fP command. It is important to note that
|
515 | 646 |
different systems use different versions of egrep. For example, when running on
|
516 | |
OS X, you will use a different version of egrep than when running on something
|
|
647 |
macOS, you will use a different version of \fBegrep\fP than when running on something
|
517 | 648 |
like Ubuntu (BSD vs GNU).
|
518 | 649 |
.sp
|
519 | 650 |
You can add prohibited regular expression patterns to your git config using
|
520 | 651 |
\fBgit secrets \-\-add <pattern>\fP\&.
|
521 | |
.SH IGNORING FALSE-POSITIVES
|
|
652 |
.SH IGNORING FALSE POSITIVES
|
522 | 653 |
.sp
|
523 | 654 |
Sometimes a regular expression might match false positives. For example, git
|
524 | 655 |
commit SHAs look a lot like AWS access keys. You can specify many different
|
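Review bot: the BSD-versus-GNU `\fBegrep\fP` paragraph is the right caveat but stops before the consequence a user needs: a pattern that relies on a GNU extension can silently fail to match on the other platform, so a hook that blocks a secret on one developer's machine may let the same line through on another's. Suggest one added sentence recommending POSIX ERE constructs such as `[[:space:]]` over `\s`, and checking the configured patterns with `git secrets \-\-scan` on each platform the team uses. Renaming the section to IGNORING FALSE POSITIVES (no hyphen) is consistent with the body text and fine.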
|
535 | 666 |
.UNINDENT
|
536 | 667 |
.sp
|
537 | 668 |
You can also add regular expressions patterns to filter false positives to a
|
538 | |
.gitallowed file located in the repository\(aqs root directory. Lines starting
|
539 | |
with # are skipped (comment line) and empty lines are also skipped.
|
|
669 |
\fB\&.gitallowed\fP file located in the repository\(aqs root directory. Lines starting
|
|
670 |
with \fB#\fP are skipped (comment line) and empty lines are also skipped.
|
540 | 671 |
.sp
|
541 | 672 |
First, git\-secrets will extract all lines from a file that contain a prohibited
|
542 | 673 |
match. Included in the matched results will be the full path to the name of
|
543 | |
the file that was matched, followed \(aq:\(aq, followed by the line number that was
|
|
674 |
the file that was matched, followed by \(aq:\(aq, followed by the line number that was
|
544 | 675 |
matched, followed by the entire line from the file that was matched by a secret
|
545 | 676 |
pattern. Then, if you\(aqve defined allowed regular expressions, git\-secrets will
|
546 | 677 |
check to see if all of the matched lines match at least one of your registered
|
|
607 | 738 |
.sp
|
608 | 739 |
.nf
|
609 | 740 |
.ft C
|
610 | |
git config \-\-add \(aqpassword\es*=\es*.+\(aq
|
611 | |
git config \-\-add \-\-allowed \-\-literal \(aqex@mplepassword\(aq
|
|
741 |
git secrets \-\-add \(aqpassword\es*=\es*.+\(aq
|
|
742 |
git secrets \-\-add \-\-allowed \-\-literal \(aqex@mplepassword\(aq
|
612 | 743 |
.ft P
|
613 | 744 |
.fi
|
614 | 745 |
.UNINDENT
|
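Review bot: good fix replacing `git config \-\-add` with `git secrets \-\-add` in this example; `git config \-\-add` takes a key and a value, so the old lines could never have registered a prohibited or allowed pattern. One follow-up: the pattern `password\es*=\es*.+` (that is, `password\s*=\s*.+`) uses `\s`, which is not part of POSIX ERE, and the DEFINING PROHIBITED PATTERNS section warns that BSD and GNU egrep differ; `password[[:space:]]*=[[:space:]]*.+` would make the example portable and is still matched by the literal allowed pattern `ex@mplepassword` shown below it.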
|
671 | 802 |
.UNINDENT
|
672 | 803 |
.UNINDENT
|
673 | 804 |
.sp
|
674 | |
Alternatively, you could whitelist a specific line number of a file if that
|
|
805 |
Alternatively, you could allow a specific line number of a file if that
|
675 | 806 |
line is unlikely to change using something like the following:
|
676 | 807 |
.INDENT 0.0
|
677 | 808 |
.INDENT 3.5
|
|
687 | 818 |
.UNINDENT
|
688 | 819 |
.sp
|
689 | 820 |
Keep this in mind when creating allowed patterns to ensure that your allowed
|
690 | |
patterns are not inadvertantly matched due to the fact that the filename is
|
|
821 |
patterns are not inadvertently matched due to the fact that the filename is
|
691 | 822 |
included in the subject text that allowed patterns are matched against.
|
692 | 823 |
.SH SKIPPING VALIDATION
|
693 | 824 |
.sp
|
694 | |
Use the \fB\-\-no\-verify\fP option in the event of a false\-positive match in a
|
|
825 |
Use the \fB\-\-no\-verify\fP option in the event of a false positive match in a
|
695 | 826 |
commit, merge, or commit message. This will skip the execution of the
|
696 | 827 |
git hook and allow you to make the commit or merge.
|
697 | 828 |
.SH ABOUT
|
698 | 829 |
.INDENT 0.0
|
699 | 830 |
.IP \(bu 2
|
700 | |
Author: Michael Dowling <\fI\%https://github.com/mtdowling\fP>
|
|
831 |
Author: \fI\%Michael Dowling\fP
|
701 | 832 |
.IP \(bu 2
|
702 | 833 |
Issue tracker: This project\(aqs source code and issue tracker can be found at
|
703 | 834 |
\fI\%https://github.com/awslabs/git\-secrets\fP
|
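Review bot: in ABOUT, `Author: \fI\%Michael Dowling\fP` drops the GitHub URL that the old line showed in angle brackets; rst2man renders `\fI\%...\fP` as italic text with no link target, so in the man page the author line now points nowhere, while the issue-tracker line below keeps its URL visible. Keep the URL in the text as that line does. Under SKIPPING VALIDATION, `\-\-no\-verify` bypasses the hook for the whole commit rather than for the one false match, so it is worth a cross-reference to the allowed-pattern mechanism in IGNORING FALSE POSITIVES as the fix for a recurring false positive, leaving the hook active for everything else in the commit.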