diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index ab40d21..c71125b 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -1,6 +1,7 @@ -*Issue #, if available:* +# -*Description of changes:* +_Issue #, if available:_ +_Description of changes:_ By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. diff --git a/CHANGELOG.md b/CHANGELOG.md index cfcae4e..494a3ca 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,48 +2,48 @@ ## 1.3.0 - 2019-02-10 -* Empty provider output is now excluded - (https://github.com/awslabs/git-secrets/issues/34) -* Spaces are now supported in git exec path, making more Windows +- Empty provider output is now excluded + +- Spaces are now supported in git exec path, making more Windows paths execute properly. -* Patterns with newlines and carriage returns are now loaded properly. -* Patterns that contain only "\n" are now ignored. -* Various Bash 4 fixes (https://github.com/awslabs/git-secrets/issues/66). -* Make IAM key scanning much more targeted. +- Patterns with newlines and carriage returns are now loaded properly. +- Patterns that contain only "\n" are now ignored. +- Various Bash 4 fixes . +- Make IAM key scanning much more targeted. ## 1.2.1 - 2016-06-27 -* Fixed an issue where secret provider commands were causing "command not +- Fixed an issue where secret provider commands were causing "command not found" errors due to a previously set IFS variable. - https://github.com/awslabs/git-secrets/pull/30 + ## 1.2.0 - 2016-05-23 -* Fixed an issue where spaces files with spaces in their names were not being +- Fixed an issue where spaces files with spaces in their names were not being properly scanned in the pre-commit hook. -* Now ignoring empty lines and comments (e.g., `#`) in the .gitallowed file. -* Fixed an issue where numbers were being compared to strings causing failures +- Now ignoring empty lines and comments (e.g., `#`) in the .gitallowed file. +- Fixed an issue where numbers were being compared to strings causing failures on some platforms. ## 1.1.0 - 2016-04-06 -* Bug fix: the pre-commit hook previously only scanned the working directory +- Bug fix: the pre-commit hook previously only scanned the working directory rather than staged files. This release updates the pre-commit hook to instead scan staged files so that git-secrets will detect violations if the working directory drifts from the staging directory. -* Added the `--scan-history` subcommand so that you can scan your entire +- Added the `--scan-history` subcommand so that you can scan your entire git history for violations. -* Added the ability to filter false positives by using a .gitallowed file. -* Added support for `--cached`, `--no-index`, and `--untracked` to the `--scan` +- Added the ability to filter false positives by using a .gitallowed file. +- Added support for `--cached`, `--no-index`, and `--untracked` to the `--scan` subcommand. ## 1.0.1 - 2016-01-11 -* Now works correctly with filenames in a repository that contain spaces when +- Now works correctly with filenames in a repository that contain spaces when executing `git secrets --scan` with no provided filename (via `git grep`). -* Now works with git repositories with hundreds of thousands of files when +- Now works with git repositories with hundreds of thousands of files when using `git secrets --scan` with no provided filename (via `git grep`). ## 1.0.0 - 2015-12-10 -* Initial release of ``git-secrets``. +- Initial release of `git-secrets`. diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md index 3b64466..21634a0 100644 --- a/CODE_OF_CONDUCT.md +++ b/CODE_OF_CONDUCT.md @@ -1,4 +1,5 @@ -## Code of Conduct -This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). -For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact +# Code of Conduct + +This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). +For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact opensource-codeofconduct@amazon.com with any additional questions or comments. diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index de6d3d3..f71636e 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,29 +1,28 @@ # Contributing Guidelines -Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional +Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional documentation, we greatly value feedback and contributions from our community. -Please read through this document before submitting any issues or pull requests to ensure we have all the necessary +Please read through this document before submitting any issues or pull requests to ensure we have all the necessary information to effectively respond to your bug report or contribution. - ## Reporting Bugs/Feature Requests We welcome you to use the GitHub issue tracker to report bugs or suggest features. -When filing an issue, please check [existing open](https://github.com/awslabs/git-secrets/issues), or [recently closed](https://github.com/awslabs/git-secrets/issues?utf8=%E2%9C%93&q=is%3Aissue%20is%3Aclosed%20), issues to make sure somebody else hasn't already +When filing an issue, please check [existing open](https://github.com/awslabs/git-secrets/issues), or [recently closed](https://github.com/awslabs/git-secrets/issues?utf8=%E2%9C%93&q=is%3Aissue%20is%3Aclosed%20), issues to make sure somebody else hasn't already reported the issue. Please try to include as much information as you can. Details like these are incredibly useful: -* A reproducible test case or series of steps -* The version of our code being used -* Any modifications you've made relevant to the bug -* Anything unusual about your environment or deployment - +- A reproducible test case or series of steps +- The version of our code being used +- Any modifications you've made relevant to the bug +- Anything unusual about your environment or deployment ## Contributing via Pull Requests + Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that: -1. You are working against the latest source on the *master* branch. +1. You are working against the latest source on the _master_ branch. 2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already. 3. You open an issue to discuss any significant work - we would hate for your time to be wasted. @@ -36,23 +35,22 @@ To send us a pull request, please: 5. Send us a pull request, answering any default questions in the pull request interface. 6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation. -GitHub provides additional document on [forking a repository](https://help.github.com/articles/fork-a-repo/) and +GitHub provides additional document on [forking a repository](https://help.github.com/articles/fork-a-repo/) and [creating a pull request](https://help.github.com/articles/creating-a-pull-request/). - ## Finding contributions to work on -Looking at the existing issues is a great way to find something to contribute on. As our projects, by default, use the default GitHub issue labels ((enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any ['help wanted'](https://github.com/awslabs/git-secrets/labels/help%20wanted) issues is a great place to start. +Looking at the existing issues is a great way to find something to contribute on. As our projects, by default, use the default GitHub issue labels ((enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any ['help wanted'](https://github.com/awslabs/git-secrets/labels/help%20wanted) issues is a great place to start. ## Code of Conduct -This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). -For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact -opensource-codeofconduct@amazon.com with any additional questions or comments. +This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). +For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact +opensource-codeofconduct@amazon.com with any additional questions or comments. ## Security issue notifications -If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public github issue. +If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public github issue. ## Licensing diff --git a/LICENSE.txt b/LICENSE similarity index 100% rename from LICENSE.txt rename to LICENSE diff --git a/NOTICE.txt b/NOTICE.md similarity index 92% rename from NOTICE.txt rename to NOTICE.md index a5e5da9..928db10 100644 --- a/NOTICE.txt +++ b/NOTICE.md @@ -1,4 +1,5 @@ -git-secrets +# git-secrets + Copyright 2015 Amazon.com, Inc. or its affiliates. All Rights Reserved. bats diff --git a/README.md b/README.md new file mode 100644 index 0000000..90fbbc5 --- /dev/null +++ b/README.md @@ -0,0 +1,365 @@ +# Git Secrets + +Prevents you from committing passwords and other sensitive information to a git repository. + +![GitHub](https://img.shields.io/github/license/awslabs/git-secrets?color=dark-green) +[![Build Status](https://travis-ci.org/awslabs/git-secrets.svg?branch=master)](https://travis-ci.org/awslabs/git-secrets) + +## Synopsis + + git secrets --scan [-r|--recursive] [--cached] [--no-index] [--untracked] [...] + git secrets --scan-history + git secrets --install [-f|--force] [] + git secrets --list [--global] + git secrets --add [-a|--allowed] [-l|--literal] [--global] + git secrets --add-provider [--global] [arguments...] + git secrets --register-aws [--global] + git secrets --aws-provider [] + +## About + +`git-secrets` scans commits, commit messages, and `--no-ff` merges to prevent adding secrets into your git repositories. If a commit, commit message, or any commit in a `--no-ff` merge history matches one of your configured prohibited regular expression patterns, then the commit is rejected. + +## Installation + +`git-secrets` must be placed somewhere in your PATH so that it is picked up by `git` when running `git secrets`. + +### \*nix (Linux/macOS) + +You can use the `install` target of the provided Makefile to install `git secrets` and the man page. You can customize the install path using the PREFIX and MANPREFIX variables. + + make install + +### Windows + +Run the provided `install.ps1` powershell script. This will copy the needed files to an installation directory (`%USERPROFILE%/.git-secrets` by default) and add the directory to the current user `PATH`. + + PS > ./install.ps1 + +### Homebrew (for macOS users) + + brew install git-secrets + +> **warning** +> +> You're not done yet! You MUST install the git hooks for every repo that you wish to use with `git secrets --install`. + +Here's a quick example of how to ensure a git repository is scanned for secrets on each commit: + + cd /path/to/my/repo + git secrets --install + git secrets --register-aws + +### Advanced configuration + +Add a configuration template if you want to add hooks to all repositories you initialize or clone in the future. + + git secrets --register-aws --global + +Add hooks to all your local repositories. + + git secrets --install ~/.git-templates/git-secrets + git config --global init.templateDir ~/.git-templates/git-secrets + +Add custom providers to scan for security credentials. + + git secrets --add-provider -- cat /path/to/secret/file/patterns + +### Before making public a repository + +With git-secrets is also possible to scan a repository including all revisions: + + git secrets --scan-history + +### Options + +#### Operation Modes + +Each of these options must appear first on the command line. + +`--install` +Installs git hooks for a repository. Once the hooks are installed for a git repository, commits and non-fast-forward merges for that repository will be prevented from committing secrets. + +`--scan` +Scans one or more files for secrets. When a file contains a secret, the matched text from the file being scanned will be written to stdout and the script will exit with a non-zero status. Each matched line will be written with the name of the file that matched, a colon, the line number that matched, a colon, and then the line of text that matched. If no files are provided, all files returned by `git ls-files` are scanned. + +`--scan-history` +Scans repository including all revisions. When a file contains a secret, the matched text from the file being scanned will be written to stdout and the script will exit with a non-zero status. Each matched line will be written with the name of the file that matched, a colon, the line number that matched, a colon, and then the line of text that matched. + +`--list` +Lists the `git-secrets` configuration for the current repo or in the global git config. + +`--add` +Adds a prohibited or allowed pattern. + +`--add-provider` +Registers a secret provider. Secret providers are executables that when invoked output prohibited patterns that `git-secrets` should treat as prohibited. + +`--register-aws` +Adds common AWS patterns to the git config and ensures that keys present in `~/.aws/credentials` are not found in any commit. The following checks are added: + +- AWS Access Key IDs via `(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}` +- AWS Secret Access Key assignments via ":" or "=" surrounded by optional quotes +- AWS account ID assignments via ":" or "=" surrounded by optional quotes +- Allowed patterns for example AWS keys (`AKIAIOSFODNN7EXAMPLE` and `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`) +- Known credentials from `~/.aws/credentials` + +> **note** +> +> While the patterns registered by this command should catch most instances of AWS credentials, these patterns are **not** guaranteed to catch them **all**. `git-secrets` should be used as an extra means of insurance -- you still need to do your due diligence to ensure that you do not commit credentials to a repository. + +`--aws-provider` +Secret provider that outputs credentials found in an INI file. You can optionally provide the path to an INI file. + +#### Options for `--install` + +`-f, --force` +Overwrites existing hooks if present. + +`` +When provided, installs git hooks to the given directory. The current directory is assumed if `` is not provided. + +If the provided `` is not in a git repository, the directory will be created and hooks will be placed in `/hooks`. This can be useful for creating git template directories using with `git init --template `. + +You can run `git init` on a repository that has already been initialized. From the [git init documentation](https://git-scm.com/docs/git-init): + +> From the git documentation: Running `git init` in an existing repository is safe. It will not overwrite things that are already there. The primary reason for rerunning `git init` is to pick up newly added templates (or to move the repository to another place if `--separate-git-dir` is given). + +The following git hooks are installed: + +1. `pre-commit`: Used to check if any of the files changed in the commit use prohibited patterns. +2. `commit-msg`: Used to determine if a commit message contains a prohibited patterns. +3. `prepare-commit-msg`: Used to determine if a merge commit will introduce a history that contains a prohibited pattern at any point. Please note that this hook is only invoked for non fast-forward merges. + +> **note** +> +> Git only allows a single script to be executed per hook. If the repository contains Debian-style subdirectories like `pre-commit.d` and `commit-msg.d`, then the git hooks will be installed into these directories, which assumes that you've configured the corresponding hooks to execute all of the scripts found in these directories. If these git subdirectories are not present, then the git hooks will be installed to the git repo's `.git/hooks` directory. + +##### Examples + +Install git hooks to the current directory: + + cd /path/to/my/repository + git secrets --install + +Install git hooks to a repository other than the current directory: + + git secrets --install /path/to/my/repository + +Create a git template that has `git-secrets` installed, and then copy that template into a git repository: + + git secrets --install ~/.git-templates/git-secrets + git init --template ~/.git-templates/git-secrets + +Overwrite existing hooks if present: + + git secrets --install -f + +#### Options for `--scan` + +`-r, --recursive` +Scans the given files recursively. If a directory is encountered, the directory will be scanned. If `-r` is not provided, directories will be ignored. + +`-r` cannot be used alongside `--cached`, `--no-index`, or `--untracked`. + +`--cached` +Searches blobs registered in the index file. + +`--no-index` +Searches files in the current directory that is not managed by git. + +`--untracked` +In addition to searching in the tracked files in the working tree, `--scan` also in untracked files. + +`...` +The path to one or more files on disk to scan for secrets. + +If no files are provided, all files returned by `git ls-files` are scanned. + +Examples + +- Scan all files in the repo: + + git secrets --scan + +- Scans a single file for secrets: + + git secrets --scan /path/to/file + +- Scans a directory recursively for secrets: + + git secrets --scan -r /path/to/directory + +- Scans multiple files for secrets: + + git secrets --scan /path/to/file /path/to/other/file + +- You can scan by globbing: + + git secrets --scan /path/to/directory/\* + +Scan from stdin: + + echo 'hello!' | git secrets --scan - + +#### Options for `--list` + +`--global` +Lists only git-secrets configuration in the global git config. + +#### Options for `--add` + +`--global` +Adds patterns to the global git config + +`-l, --literal` +Escapes special regular expression characters in the provided pattern so that the pattern is searched for literally. + +`-a, --allowed` +Mark the pattern as allowed instead of prohibited. Allowed patterns are used to filter our false positives. + +`` +The regex pattern to search. + +Examples: + +- Adds a prohibited pattern to the current repo: + + git secrets --add '[A-Z0-9]{20}' + +- Adds a prohibited pattern to the global git config: + + git secrets --add --global '[A-Z0-9]{20}' + +- Adds a string that is scanned for literally (`+` is escaped): + + git secrets --add --literal 'foo+bar' + +- Add an allowed pattern: + + git secrets --add -a 'allowed pattern' + +#### Options for `--register-aws` + +`--global` +Adds AWS specific configuration variables to the global git config. + +#### Options for `--aws-provider` + +`[]` +If provided, specifies the custom path to an INI file to scan. If not provided, `~/.aws/credentials` is assumed. + +#### Options for `--add-provider` + +`--global` +Adds the provider to the global git config. + +`` +Provider command to invoke. When invoked the command is expected to write prohibited patterns separated by new lines to stdout. Any extra arguments provided are passed on to the command. + +Examples + +- Registers a secret provider with arguments: + + git secrets --add-provider -- git secrets --aws-provider + +- Cats secrets out of a file: + + git secrets --add-provider -- cat /path/to/secret/file/patterns + +### Defining prohibited patterns + +`egrep`-compatible regular expressions are used to determine if a commit or commit message contains any prohibited patterns. These regular expressions are defined using the `git config` command. It is important to note that different systems use different versions of egrep. For example, when running on macOS, you will use a different version of `egrep` than when running on something like Ubuntu (BSD vs GNU). + +You can add prohibited regular expression patterns to your git config using `git secrets --add `. + +### Ignoring false positives + +Sometimes a regular expression might match false positives. For example, git commit SHAs look a lot like AWS access keys. You can specify many different regular expression patterns as false positives using the following command: + + git secrets --add --allowed 'my regex pattern' + +You can also add regular expressions patterns to filter false positives to a `.gitallowed` file located in the repository's root directory. Lines starting with `#` are skipped (comment line) and empty lines are also skipped. + +First, git-secrets will extract all lines from a file that contain a prohibited match. Included in the matched results will be the full path to the name of the file that was matched, followed by ':', followed by the line number that was matched, followed by the entire line from the file that was matched by a secret pattern. Then, if you've defined allowed regular expressions, git-secrets will check to see if all of the matched lines match at least one of your registered allowed regular expressions. If all of the lines that were flagged as secret are canceled out by an allowed match, then the subject text does not contain any secrets. If any of the matched lines are not matched by an allowed regular expression, then git-secrets will fail the commit/merge/message. + +> **important** +> +> Just as it is a bad practice to add prohibited patterns that are too greedy, it is also a bad practice to add allowed patterns that are too forgiving. Be sure to test out your patterns using ad-hoc calls to `git secrets --scan $filename` to ensure they are working as intended. + +### Secret providers + +Sometimes you want to check for an exact pattern match against a set of known secrets. For example, you might want to ensure that no credentials present in `~/.aws/credentials` ever show up in a commit. In these cases, it's better to leave these secrets in one location rather than spread them out across git repositories in git configs. You can use "secret providers" to fetch these types of credentials. A secret provider is an executable that when invoked outputs prohibited patterns separated by new lines. + +You can add secret providers using the `--add-provider` command: + + git secrets --add-provider -- git secrets --aws-provider + +Notice the use of `--`. This ensures that any arguments associated with the provider are passed to the provider each time it is invoked when scanning for secrets. + +### Example walkthrough + +Let's take a look at an example. Given the following subject text (stored in `/tmp/example`): + + This is a test! + password=ex@mplepassword + password=****** + More test... + +And the following registered patterns: + + git secrets --add 'password\s*=\s*.+' + git secrets --add --allowed --literal 'ex@mplepassword' + +Running `git secrets --scan /tmp/example`, the result will result in the following error output: + + /tmp/example:3:password=****** + + [ERROR] Matched prohibited pattern + + Possible mitigations: + - Mark false positives as allowed using: git config --add secrets.allowed ... + - List your configured patterns: git config --get-all secrets.patterns + - List your configured allowed patterns: git config --get-all secrets.allowed + - Use --no-verify if this is a one-time false positive + +Breaking this down, the prohibited pattern value of `password\s*=\s*.+` will match the following lines: + + /tmp/example:2:password=ex@mplepassword + /tmp/example:3:password=****** + +...But the first match will be filtered out due to the fact that it matches the allowed regular expression of `ex@mplepassword`. Because there is still a remaining line that did not match, it is considered a secret. + +Because that matching lines are placed on lines that start with the filename and line number (e.g., `/tmp/example:3:...`), you can create allowed patterns that take filenames and line numbers into account in the regular expression. For example, you could whitelist an entire file using something like: + + git secrets --add --allowed '/tmp/example:.*' + git secrets --scan /tmp/example && echo $? + # Outputs: 0 + +Alternatively, you could allow a specific line number of a file if that line is unlikely to change using something like the following: + + git secrets --add --allowed '/tmp/example:3:.*' + git secrets --scan /tmp/example && echo $? + # Outputs: 0 + +Keep this in mind when creating allowed patterns to ensure that your allowed patterns are not inadvertently matched due to the fact that the filename is included in the subject text that allowed patterns are matched against. + +### Skipping validation + +Use the `--no-verify` option in the event of a false positive match in a commit, merge, or commit message. This will skip the execution of the git hook and allow you to make the commit or merge. + +## Author + +- [Michael Dowling](https://github.com/mtdowling) + +## Issue tracker + +- This project's source code and issue tracker can be found at [](https://github.com/awslabs/git-secrets) + +## Credits + +- Special thanks to Adrian Vatchinsky and Ari Juels of Cornell University for providing suggestions and feedback. + +## License + +[Copyright 2015 Amazon.com, Inc. or its affiliates. All Rights Reserved.](LICENSE) diff --git a/README.rst b/README.rst deleted file mode 100644 index 13f7c02..0000000 --- a/README.rst +++ /dev/null @@ -1,543 +0,0 @@ -=========== -git-secrets -=========== - -------------------------------------------------------------------------------------------- -Prevents you from committing passwords and other sensitive information to a git repository. -------------------------------------------------------------------------------------------- - -.. contents:: :depth: 2 - -Synopsis --------- - -:: - - git secrets --scan [-r|--recursive] [--cached] [--no-index] [--untracked] [...] - git secrets --scan-history - git secrets --install [-f|--force] [] - git secrets --list [--global] - git secrets --add [-a|--allowed] [-l|--literal] [--global] - git secrets --add-provider [--global] [arguments...] - git secrets --register-aws [--global] - git secrets --aws-provider [] - - -Description ------------ - -``git-secrets`` scans commits, commit messages, and ``--no-ff`` merges to -prevent adding secrets into your git repositories. If a commit, -commit message, or any commit in a ``--no-ff`` merge history matches one of -your configured prohibited regular expression patterns, then the commit is -rejected. - - -Installing git-secrets ----------------------- - -``git-secrets`` must be placed somewhere in your PATH so that it is picked up -by ``git`` when running ``git secrets``. - -\*nix (Linux/macOS) -~~~~~~~~~~~~~~~~~~~ - -You can use the ``install`` target of the provided Makefile to install ``git secrets`` and the man page. -You can customize the install path using the PREFIX and MANPREFIX variables. - -:: - - make install - -Windows -~~~~~~~ - -Run the provided ``install.ps1`` powershell script. This will copy the needed files -to an installation directory (``%USERPROFILE%/.git-secrets`` by default) and add -the directory to the current user ``PATH``. - -:: - - PS > ./install.ps1 - -Homebrew (for macOS users) -~~~~~~~~~~~~~~~~~~~~~~~~~~ - -:: - - brew install git-secrets - -.. warning:: - - You're not done yet! You MUST install the git hooks for every repo that - you wish to use with ``git secrets --install``. - -Here's a quick example of how to ensure a git repository is scanned for secrets -on each commit:: - - cd /path/to/my/repo - git secrets --install - git secrets --register-aws - - -Advanced configuration ----------------------- - -Add a configuration template if you want to add hooks to all repositories you -initialize or clone in the future. - -:: - - git secrets --register-aws --global - - -Add hooks to all your local repositories. - -:: - - git secrets --install ~/.git-templates/git-secrets - git config --global init.templateDir ~/.git-templates/git-secrets - - -Add custom providers to scan for security credentials. - -:: - - git secrets --add-provider -- cat /path/to/secret/file/patterns - - -Before making public a repository ---------------------------------- - -With git-secrets is also possible to scan a repository including all revisions: - -:: - - git secrets --scan-history - - -Options -------- - -Operation Modes -~~~~~~~~~~~~~~~ - -Each of these options must appear first on the command line. - -``--install`` - Installs git hooks for a repository. Once the hooks are installed for a git - repository, commits and non-fast-forward merges for that repository will be prevented - from committing secrets. - -``--scan`` - Scans one or more files for secrets. When a file contains a secret, the - matched text from the file being scanned will be written to stdout and the - script will exit with a non-zero status. Each matched line will be written with - the name of the file that matched, a colon, the line number that matched, - a colon, and then the line of text that matched. If no files are provided, - all files returned by ``git ls-files`` are scanned. - -``--scan-history`` - Scans repository including all revisions. When a file contains a secret, the - matched text from the file being scanned will be written to stdout and the - script will exit with a non-zero status. Each matched line will be written with - the name of the file that matched, a colon, the line number that matched, - a colon, and then the line of text that matched. - -``--list`` - Lists the ``git-secrets`` configuration for the current repo or in the global - git config. - -``--add`` - Adds a prohibited or allowed pattern. - -``--add-provider`` - Registers a secret provider. Secret providers are executables that when - invoked output prohibited patterns that ``git-secrets`` should treat as - prohibited. - -``--register-aws`` - Adds common AWS patterns to the git config and ensures that keys present - in ``~/.aws/credentials`` are not found in any commit. The following - checks are added: - - - AWS Access Key IDs via ``(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}`` - - AWS Secret Access Key assignments via ":" or "=" surrounded by optional - quotes - - AWS account ID assignments via ":" or "=" surrounded by optional quotes - - Allowed patterns for example AWS keys (``AKIAIOSFODNN7EXAMPLE`` and - ``wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY``) - - Known credentials from ``~/.aws/credentials`` - - .. note:: - - While the patterns registered by this command should catch most - instances of AWS credentials, these patterns are **not** guaranteed to - catch them **all**. ``git-secrets`` should be used as an extra means of - insurance -- you still need to do your due diligence to ensure that you - do not commit credentials to a repository. - -``--aws-provider`` - Secret provider that outputs credentials found in an INI file. You can - optionally provide the path to an INI file. - - -Options for ``--install`` -~~~~~~~~~~~~~~~~~~~~~~~~~ - -``-f, --force`` - Overwrites existing hooks if present. - -```` - When provided, installs git hooks to the given directory. The current - directory is assumed if ```` is not provided. - - If the provided ```` is not in a git repository, the - directory will be created and hooks will be placed in - ``/hooks``. This can be useful for creating git template - directories using with ``git init --template ``. - - You can run ``git init`` on a repository that has already been initialized. - From the `git init documentation `_: - - From the git documentation: Running ``git init`` in an existing repository - is safe. It will not overwrite things that are already there. The - primary reason for rerunning ``git init`` is to pick up newly added - templates (or to move the repository to another place if - ``--separate-git-dir`` is given). - - The following git hooks are installed: - - 1. ``pre-commit``: Used to check if any of the files changed in the commit - use prohibited patterns. - 2. ``commit-msg``: Used to determine if a commit message contains a - prohibited patterns. - 3. ``prepare-commit-msg``: Used to determine if a merge commit will - introduce a history that contains a prohibited pattern at any point. - Please note that this hook is only invoked for non fast-forward merges. - - .. note:: - - Git only allows a single script to be executed per hook. If the - repository contains Debian-style subdirectories like ``pre-commit.d`` - and ``commit-msg.d``, then the git hooks will be installed into these - directories, which assumes that you've configured the corresponding - hooks to execute all of the scripts found in these directories. If - these git subdirectories are not present, then the git hooks will be - installed to the git repo's ``.git/hooks`` directory. - - -Examples -^^^^^^^^ - -Install git hooks to the current directory:: - - cd /path/to/my/repository - git secrets --install - -Install git hooks to a repository other than the current directory:: - - git secrets --install /path/to/my/repository - -Create a git template that has ``git-secrets`` installed, and then copy that -template into a git repository:: - - git secrets --install ~/.git-templates/git-secrets - git init --template ~/.git-templates/git-secrets - -Overwrite existing hooks if present:: - - git secrets --install -f - - -Options for ``--scan`` -~~~~~~~~~~~~~~~~~~~~~~ - -``-r, --recursive`` - Scans the given files recursively. If a directory is encountered, the - directory will be scanned. If ``-r`` is not provided, directories will be - ignored. - - ``-r`` cannot be used alongside ``--cached``, ``--no-index``, or - ``--untracked``. - -``--cached`` - Searches blobs registered in the index file. - -``--no-index`` - Searches files in the current directory that is not managed by git. - -``--untracked`` - In addition to searching in the tracked files in the working tree, - ``--scan`` also in untracked files. - -``...`` - The path to one or more files on disk to scan for secrets. - - If no files are provided, all files returned by ``git ls-files`` are - scanned. - - -Examples -^^^^^^^^ - -Scan all files in the repo:: - - git secrets --scan - -Scans a single file for secrets:: - - git secrets --scan /path/to/file - -Scans a directory recursively for secrets:: - - git secrets --scan -r /path/to/directory - -Scans multiple files for secrets:: - - git secrets --scan /path/to/file /path/to/other/file - -You can scan by globbing:: - - git secrets --scan /path/to/directory/* - -Scan from stdin:: - - echo 'hello!' | git secrets --scan - - - -Options for ``--list`` -~~~~~~~~~~~~~~~~~~~~~~ - -``--global`` - Lists only git-secrets configuration in the global git config. - - -Options for ``--add`` -~~~~~~~~~~~~~~~~~~~~~ - -``--global`` - Adds patterns to the global git config - -``-l, --literal`` - Escapes special regular expression characters in the provided pattern so - that the pattern is searched for literally. - -``-a, --allowed`` - Mark the pattern as allowed instead of prohibited. Allowed patterns are - used to filter our false positives. - -```` - The regex pattern to search. - - -Examples -^^^^^^^^ - -Adds a prohibited pattern to the current repo:: - - git secrets --add '[A-Z0-9]{20}' - -Adds a prohibited pattern to the global git config:: - - git secrets --add --global '[A-Z0-9]{20}' - -Adds a string that is scanned for literally (``+`` is escaped):: - - git secrets --add --literal 'foo+bar' - -Add an allowed pattern:: - - git secrets --add -a 'allowed pattern' - - -Options for ``--register-aws`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -``--global`` - Adds AWS specific configuration variables to the global git config. - - -Options for ``--aws-provider`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -``[]`` - If provided, specifies the custom path to an INI file to scan. If not - provided, ``~/.aws/credentials`` is assumed. - - -Options for ``--add-provider`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -``--global`` - Adds the provider to the global git config. - -```` - Provider command to invoke. When invoked the command is expected to write - prohibited patterns separated by new lines to stdout. Any extra arguments - provided are passed on to the command. - - -Examples -^^^^^^^^ - -Registers a secret provider with arguments:: - - git secrets --add-provider -- git secrets --aws-provider - -Cats secrets out of a file:: - - git secrets --add-provider -- cat /path/to/secret/file/patterns - - -Defining prohibited patterns ----------------------------- - -``egrep``-compatible regular expressions are used to determine if a commit or -commit message contains any prohibited patterns. These regular expressions are -defined using the ``git config`` command. It is important to note that -different systems use different versions of egrep. For example, when running on -macOS, you will use a different version of ``egrep`` than when running on something -like Ubuntu (BSD vs GNU). - -You can add prohibited regular expression patterns to your git config using -``git secrets --add ``. - - -Ignoring false positives ------------------------- - -Sometimes a regular expression might match false positives. For example, git -commit SHAs look a lot like AWS access keys. You can specify many different -regular expression patterns as false positives using the following command: - -:: - - git secrets --add --allowed 'my regex pattern' - -You can also add regular expressions patterns to filter false positives to a -``.gitallowed`` file located in the repository's root directory. Lines starting -with ``#`` are skipped (comment line) and empty lines are also skipped. - -First, git-secrets will extract all lines from a file that contain a prohibited -match. Included in the matched results will be the full path to the name of -the file that was matched, followed by ':', followed by the line number that was -matched, followed by the entire line from the file that was matched by a secret -pattern. Then, if you've defined allowed regular expressions, git-secrets will -check to see if all of the matched lines match at least one of your registered -allowed regular expressions. If all of the lines that were flagged as secret -are canceled out by an allowed match, then the subject text does not contain -any secrets. If any of the matched lines are not matched by an allowed regular -expression, then git-secrets will fail the commit/merge/message. - -.. important:: - - Just as it is a bad practice to add prohibited patterns that are too - greedy, it is also a bad practice to add allowed patterns that are too - forgiving. Be sure to test out your patterns using ad-hoc calls to - ``git secrets --scan $filename`` to ensure they are working as intended. - - -Secret providers ----------------- - -Sometimes you want to check for an exact pattern match against a set of known -secrets. For example, you might want to ensure that no credentials present in -``~/.aws/credentials`` ever show up in a commit. In these cases, it's better to -leave these secrets in one location rather than spread them out across git -repositories in git configs. You can use "secret providers" to fetch these -types of credentials. A secret provider is an executable that when invoked -outputs prohibited patterns separated by new lines. - -You can add secret providers using the ``--add-provider`` command:: - - git secrets --add-provider -- git secrets --aws-provider - -Notice the use of ``--``. This ensures that any arguments associated with the -provider are passed to the provider each time it is invoked when scanning -for secrets. - - -Example walkthrough -------------------- - -Let's take a look at an example. Given the following subject text (stored in -``/tmp/example``):: - - This is a test! - password=ex@mplepassword - password=****** - More test... - -And the following registered patterns: - -:: - - git secrets --add 'password\s*=\s*.+' - git secrets --add --allowed --literal 'ex@mplepassword' - -Running ``git secrets --scan /tmp/example``, the result will -result in the following error output:: - - /tmp/example:3:password=****** - - [ERROR] Matched prohibited pattern - - Possible mitigations: - - Mark false positives as allowed using: git config --add secrets.allowed ... - - List your configured patterns: git config --get-all secrets.patterns - - List your configured allowed patterns: git config --get-all secrets.allowed - - Use --no-verify if this is a one-time false positive - -Breaking this down, the prohibited pattern value of ``password\s*=\s*.+`` will -match the following lines:: - - /tmp/example:2:password=ex@mplepassword - /tmp/example:3:password=****** - -...But the first match will be filtered out due to the fact that it matches the -allowed regular expression of ``ex@mplepassword``. Because there is still a -remaining line that did not match, it is considered a secret. - -Because that matching lines are placed on lines that start with the filename -and line number (e.g., ``/tmp/example:3:...``), you can create allowed -patterns that take filenames and line numbers into account in the regular -expression. For example, you could whitelist an entire file using something -like:: - - git secrets --add --allowed '/tmp/example:.*' - git secrets --scan /tmp/example && echo $? - # Outputs: 0 - -Alternatively, you could allow a specific line number of a file if that -line is unlikely to change using something like the following: - -:: - - git secrets --add --allowed '/tmp/example:3:.*' - git secrets --scan /tmp/example && echo $? - # Outputs: 0 - -Keep this in mind when creating allowed patterns to ensure that your allowed -patterns are not inadvertently matched due to the fact that the filename is -included in the subject text that allowed patterns are matched against. - - -Skipping validation -------------------- - -Use the ``--no-verify`` option in the event of a false positive match in a -commit, merge, or commit message. This will skip the execution of the -git hook and allow you to make the commit or merge. - - -About ------- - -- Author: `Michael Dowling `_ -- Issue tracker: This project's source code and issue tracker can be found at - `https://github.com/awslabs/git-secrets `_ -- Special thanks to Adrian Vatchinsky and Ari Juels of Cornell University for - providing suggestions and feedback. - -Copyright 2015 Amazon.com, Inc. or its affiliates. All Rights Reserved.