https://github.com/alextanhongpin/git-secure
Examples on how to prevent committing secrets to repos
https://github.com/alextanhongpin/git-secure
regex security token
Last synced: 11 months ago
JSON representation
Examples on how to prevent committing secrets to repos
- Host: GitHub
- URL: https://github.com/alextanhongpin/git-secure
- Owner: alextanhongpin
- Created: 2018-03-04T16:04:14.000Z (over 8 years ago)
- Default Branch: master
- Last Pushed: 2018-03-12T02:28:51.000Z (over 8 years ago)
- Last Synced: 2025-01-29T21:54:20.983Z (over 1 year ago)
- Topics: regex, security, token
- Language: Java
- Size: 6.84 KB
- Stars: 1
- Watchers: 3
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# Git Secrets
Adding Git Secrets to your workflow helps to prevent accidental commit of your credentials to your repo, whether it is your AWS, Facebook, or Twitter. You can also add custom regex to prevent other types of credentials such as password from being committed.
## Installation
```bash
$ brew install git-secrets
```
## Setup
```bash
# Go to your repository
$ cd /path/to/repo
# Setup git secrets
$ git secrets --install
```
Output:
```bash
✓ Installed commit-msg hook to .git/hooks/commit-msg
✓ Installed pre-commit hook to .git/hooks/pre-commit
✓ Installed prepare-commit-msg hook to .git/hooks/prepare-commit-msg
```
## Adding AWS Provider
Installing this provider will check against your local `.aws/credentials` to ensure none of them are accidentally committed to the repository. Note that this does not work if you do not have your AWS Credentials stored on your device. To handle that, we will add custom regex in the next step.
```bash
$ git secrets --add-provider -- git secrets --aws-provider
```
## Adding Other Providers
This will add regex to match the *api keys* or *api secrets* from other providers such as Amazon, Bitly, Facebook, Flickr, Foursquare, LinkedIn, Twitter. It will also check against password (just plain regex).
```bash
git secrets --add 'password\s*=\s*.+'
git secrets --add 'AWS AKIA[0-9A-Z]{16}'
git secrets --add '[0-9a-zA-Z/+]{20}'
git secrets --add '[0-9a-zA-Z/+]{40}'
git secrets --add '[0-9a-zA-Z_]{5,31} '
git secrets --add 'R_[0-9a-f]{32}'
git secrets --add '[0-9]{13,17} '
git secrets --add '[0-9a-f]{32}'
git secrets --add '[0-9a-f]{16}'
git secrets --add '[0-9A-Z]{48}'
git secrets --add '[0-9a-z]{12} '
git secrets --add '[0-9a-zA-Z]{16}'
git secrets --add '[0-9a-zA-Z]{18,25} '
git secrets --add '[0-9a-zA-Z]{35,44}'
```
## Validate
There are two Java files and one `.env` file that contains the sensitive credentials. To validate that Git Secrets is running, you can either scan the commits:
```bash
$ git secrets --scan -r
```
Or just commit as usual:
```bash
$ git commit -S -am 'chore: commit password'
```
Output:
```
.env:1:aws_access_key_id = AKIAEXAMPLEFAKT30KEN
.env:2:aws_secret_access_key = AbcdEfg41jklMnop99rstuvwxy//4ZoP01mLOFabc
Amazon.java:1:String ACCESS_KEY_ID = "AKIA2E0A8F3B244C9986";
Amazon.java:2:String SECRET_KEY = "7CE556A3BC234CC1FF9E8A5C324C0BB70AA21B6D";
Amazon.java:4:AWSCredentials creds = new BasicAWSCredentials(ACCESS_KEY_ID, SECRET_KEY);
Amazon.java:5:AmazonSimpleDBClient client = new AmazonSimpleDBClient(creds);
Facebook.java:1:OAuthClientRequest request = OAuthClientRequest
Facebook.java:2: .tokenProvider(OAuthProviderType.FACEBOOK)
Facebook.java:3: .setGrantType(GrantType.AUTHORIZATION_CODE)
Facebook.java:4: .setClientId("950513172001321")
Facebook.java:5: .setClientSecret("3b2e464637e5159024254dd78aadb17a")
Facebook.java:6: .setRedirectURI("http://localhost:8080/facebooklogin")
Facebook.java:7: .setCode(code)
Facebook.java:8: .buildQueryMessage();
[ERROR] Matched one or more prohibited patterns
Possible mitigations:
- Mark false positives as allowed using: git config --add secrets.allowed ...
- Mark false positives as allowed by adding regular expressions to .gitallowed at repository's root directory
- List your configured patterns: git config --get-all secrets.patterns
- List your configured allowed patterns: git config --get-all secrets.allowed
- List your configured allowed patterns in .gitallowed at repository's root directory
- Use --no-verify if this is a one-time false positive
```
## Explanation on Amazon Regex
- Search for *access key IDs*: `(?
```
## Other providers
Regex for matching other keys:
| Service Provider | Client ID | Secret Key |
| -- | -- | -- |
| Amazon | AWS AKIA[0-9A-Z]{16} | [0-9a-zA-Z/+]{40} |
| Bitly | [0-9a-zA-Z_]{5,31} | R_[0-9a-f]{32}|
| Facebook | [0-9]{13,17} | [0-9a-f]{32}|
| Flickr | [0-9a-f]{32} | [0-9a-f]{16}|
| Foursquare | [0-9A-Z]{48} | [0-9A-Z]{48}|
| LinkedIn | [0-9a-z]{12} | [0-9a-zA-Z]{16}|
| Twitter | [0-9a-zA-Z]{18,25} | [0-9a-zA-Z]{35,44}|
## Other Tools
### TruffleHog
```bash
$ pip install truffleHog
$ truffleHog --regex --entropy=False https://github.com/dxa4481/truffleHog.git
# Example on this repo
$ truffleHog --regex --entropy=False https://github.com/alextanhongpin/git-secure.git
```
### Git Hound
Requires golang.
```bash
$ go get github.com/ezekg/git-hound
```
Usage:
```bash
# Sniff changes since last commit
$ git hound sniff HEAD
# Sniff entire codebase
$ git hound sniff
# Sniff entire repo history
$ git log -p | git hound sniff
```
## Reference:
- https://people.eecs.berkeley.edu/~rohanpadhye/files/key_leaks-msr15.pdf