Stop Committing Secrets
A simple way to prevent leaking sensitive data via git repositories
Do you ever get a bad feeling when committing and pushing to GitHub or similar platforms? If your answer is no, you probably should, unless you have something in place that prevents you from committing secrets.
By secrets I mean passwords, API keys, and other credentials that are meant to stay confidential. Once you commit a secret it stays in the git history forever and there’s a high chance it will eventually get exposed and possibly misused. This is especially true for public repositories, which are continuously scanned by automated tools searching for leaked secrets. But don’t assume that committing secrets is safe when the repo is private. Repositories can be made public later, files get copied, backups leak, and hosting platforms can be compromised.
OK, so how do you prevent committing secrets? The obvious way is to manually check your changes and think twice before committing. But humans are fallible and can benefit from tools and automation. Here’s a setup that runs gitleaks and trufflehog on each commit in any of your git repos:
Install gitleaks and trufflehog.
Add this to your ~/.gitconfig:
[core]
# Hooks in this folder apply to all repositories
# without requiring any per-repository setup.
hooksPath = ~/.git-hooks
Create ~/.git-hooks/pre-commit (and make it executable):
#!/bin/bash
# Detect leaked secrets that are about to be committed.
if [ "$SKIPLEAKS" == true ]; then
echo WARNING: skipping leaked secrets detection ...
exit 0
fi
set -xe
gitleaks protect --no-banner --staged --verbose
trufflehog git file://. --since-commit HEAD --results=verified,unknown --fail
If, for some good reason, you want to skip leaks detection when committing:
$ SKIPLEAKS=true git commit -m "commit message"
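To see the hook mechanics work end to end without installing either scanner, here is an added example (not from the original post) that builds a throwaway repository, points core.hooksPath at a hooks directory, installs a pre-commit hook with the same SKIPLEAKS bypass as above, and commits safe and unsafe content. The scanner inside the hook is a stand-in: a grep over the staged diff for a constructed pattern (DEMO_SECRET_...), which only illustrates where gitleaks and trufflehog would run and how a non-zero exit code aborts the commit.

```shell
#!/bin/bash
# Added example: exercises git's pre-commit hook and core.hooksPath in a temp repo.
# The "scanner" is a constructed grep pattern, NOT gitleaks or trufflehog.

demo_repo() {
  # Create a temporary repo with its own hooks directory and print its path.
  local repo
  repo=$(mktemp -d)
  git -C "$repo" init -q
  git -C "$repo" config user.name "demo"
  git -C "$repo" config user.email "demo@example.invalid"
  mkdir -p "$repo/hooks"
  cat > "$repo/hooks/pre-commit" <<'EOF'
#!/bin/bash
# Same bypass as the post's hook: SKIPLEAKS=true skips the scan.
if [ "$SKIPLEAKS" == true ]; then
  echo "WARNING: skipping leaked secrets detection ..." >&2
  exit 0
fi
# Stand-in scanner: look only at staged additions (not the working tree),
# so an unstaged secret does not block and a staged one cannot slip through.
# DEMO_SECRET_ is a constructed pattern for this example.
if git diff --cached -U0 | grep -qE '^\+.*DEMO_SECRET_[A-Za-z0-9]{8,}'; then
  echo "pre-commit: possible secret in staged changes; aborting commit" >&2
  exit 1
fi
EOF
  chmod +x "$repo/hooks/pre-commit"   # hooks must be executable or git ignores them
  git -C "$repo" config core.hooksPath "$repo/hooks"
  echo "$repo"
}

# Stage the given content in config.txt and try to commit it.
# Returns 0 if git accepted the commit, 1 if the hook blocked it.
# Third argument (default false) is passed through as SKIPLEAKS.
try_commit() {
  local repo=$1 content=$2 skip=${3:-false}
  echo "$content" > "$repo/config.txt"
  git -C "$repo" add config.txt
  if SKIPLEAKS=$skip git -C "$repo" commit -q -m "demo" >/dev/null 2>&1; then
    return 0
  else
    git -C "$repo" reset -q   # unstage so the next attempt starts clean
    return 1
  fi
}

# Usage, when run directly:
#   repo=$(demo_repo)
#   try_commit "$repo" "key=safe-value"                      # accepted
#   try_commit "$repo" "key=DEMO_SECRET_abcdefgh12"          # blocked by the hook
#   try_commit "$repo" "key=DEMO_SECRET_abcdefgh12" true     # accepted via SKIPLEAKS
#   rm -rf "$repo"
```

Two things this makes visible that the setup above relies on: the hook file has to be executable, and a core.hooksPath set globally replaces the per-repository .git/hooks directory entirely, so any repo-local hooks (for example ones installed by a hook manager) will no longer run unless your global hook calls them itself.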