Emmanuel Sys

Foolproof Method to Not Push Unencrypted Secrets into Git

Quick fix to prevent committing secrets into your Git repository

Photo by Stefan Steinbauer on Unsplash

The problem

It’s a problem every developer has faced at some point: committing secrets into a Git repository.

Once a secret has been pushed to a remote repository, you are doomed to a gruesome cleanup: rewriting history to purge the file, force-pushing, and, because anyone with access to the remote may already have fetched it, rotating the secret anyway. The best way to deal with the problem is to prevent it entirely.

Lots of solutions exist to address the problem: AWS git-secrets, git-secret or even a dedicated SonarQube plugin. Apart from the manifest lack of imagination in naming these tools 😘, sometimes you only want a simple and quick fix.

No Brainer 5 Minutes Solution

Most of these full-blown solutions work by installing themselves as Git client hooks. But it’s really simple to write a tailored hook that deals with exactly what you need.
</gre_replace>
<gr_replace lines="23" cat="clarify" orig="In my case">
In my case, I only want to prevent unencrypted secrets from being pushed to the repository. To elaborate, I encrypt some secrets using sops and I want to check before each commit that all my secrets are properly encrypted.

In my case, I only want to prevent unencrypted secrets from being pushed to the repository. To elaborate, I encode some secrets using sops and I want to check before each commit that all my secrets are properly encrypted.

These secrets all share a naming convention and live in specific folders. Writing the pre-commit hook is straightforward.

Save the script as .git/hooks/pre-commit and make it executable. Git runs it before every commit: if the script exits 0 the commit is authorized, otherwise the commit is aborted.
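Here is a hook of that shape, written as an added example for this post rather than the author’s own script. It assumes a hypothetical naming convention (secret files live under a `secrets/` directory or end in `.enc.yaml`, `.enc.yml` or `.enc.json`) and recognises a sops-encrypted file by the markers sops itself writes: a top-level `sops` metadata block containing a `mac` entry, and `ENC[...]` envelopes around the values. It checks the staged blob with `git show :path` rather than the working-tree file, so what is tested is exactly what would be committed.

```shell
#!/bin/sh
# .git/hooks/pre-commit
# Added example (not the article's original script): refuse a commit if any
# staged secret file is not sops-encrypted.
#
# Assumed naming convention (hypothetical, adjust to your own):
#   - anything under a directory named "secrets/"
#   - any file ending in ".enc.yaml", ".enc.yml" or ".enc.json"

# Does this path count as a secret file? 0 = yes, 1 = no.
is_secret_path() {
    case "$1" in
        secrets/*|*/secrets/*|*.enc.yaml|*.enc.yml|*.enc.json) return 0 ;;
        *) return 1 ;;
    esac
}

# Read a file's content from stdin and decide whether it is sops-encrypted.
# sops leaves three markers in an encrypted YAML/JSON file: a top-level
# "sops" metadata block, a "mac" entry inside it, and ENC[...] envelopes
# around the values. "sops --decrypt --in-place" strips all of them, so a
# decrypted file fails every check below. 0 = encrypted, 1 = not.
is_sops_encrypted() {
    content=$(cat)
    printf '%s\n' "$content" | grep -Eq '^(sops:|[[:space:]]*"sops":)' || return 1
    printf '%s\n' "$content" | grep -Eq '^[[:space:]]*"?mac"?:' || return 1
    printf '%s\n' "$content" | grep -q 'ENC\[' || return 1
    return 0
}

# Walk the files staged for this commit (added, copied, modified, renamed)
# and collect every secret file whose *staged* content is not encrypted.
# "git show :path" reads the index, not the working tree, so what we test
# is exactly what would land in the repository.
check_staged() {
    bad=$(git diff --cached --name-only --diff-filter=ACMR |
        while IFS= read -r path; do
            is_secret_path "$path" || continue
            git show ":$path" | is_sops_encrypted || printf '%s\n' "$path"
        done)
    if [ -n "$bad" ]; then
        printf 'pre-commit: refusing to commit unencrypted secret file(s):\n%s\n' "$bad" >&2
        printf 'Encrypt them first, e.g.: sops --encrypt --in-place <file>\n' >&2
        return 1
    fi
    return 0
}

# Run the check only when Git invokes this file as the hook, so the
# functions above can also be sourced and exercised on their own.
case "${0##*/}" in
    pre-commit) check_staged ;;
esac
```

The marker check is deliberately a heuristic: it catches a file that was decrypted in place and staged by mistake, which is the failure mode the post is about, but it will not notice a single plaintext value hand-edited into an otherwise encrypted file (sops itself would reject such a file on decryption because the MAC no longer matches). If your sops release ships the `filestatus` subcommand, you can replace `is_sops_encrypted` with a call to it and let sops do the judging.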

Let’s test it. First, we check that nothing changed when all secrets are properly encrypted.

No problem here. Now let’s decrypt this file and try to commit it:

Everything is working fine! No more committed secrets. Keep in mind that .git/hooks is not part of the repository, so every clone needs the hook installed (or core.hooksPath pointed at a versioned directory), and git commit --no-verify skips client hooks entirely: this is a safety net on the developer’s machine, not a replacement for a server-side or CI check. Still, sometimes 5 minutes is enough to prevent a security headache and spare a lot of time later 🎉
