Comments (4)
This is happening for me too!
from git-secrets.
I also had a bit of difficulty with this. I assumed it would work out-of-the-box, but git secrets appears not to work out-of-the-box. You need to register patterns for it to match against. See https://github.com/awslabs/git-secrets#example-walkthrough
There's also a convenient command for registering AWS patterns. For example:
➜ cat aws_creds.txt
[foo]
aws_access_key_id=AKIA1111
aws_secret_access_key=AaaAAaA3aaaaAaaAa1aaaAAaa22CBAAAaaa1a1aa
➜ secret_test git:(main) git secrets --install
➜ secret_test git:(main) cat .git/hooks/commit-msg
#!/usr/bin/env bash
git secrets --commit_msg_hook -- "$@"
➜ secret_test git:(main) git secrets --register-aws
OK
➜ secret_test git:(main) git secrets --scan-history
d6e2b4ab97b6ce61427e1f24a091f28f2eda739d:aws_creds.txt:3:aws_secret_access_key=AaaAAaA3aaaaAaaAa1aaaAAaa22CBAAAaaa1a1aa
[ERROR] Matched one or more prohibited patterns
For scanning the current branch content I used this command (inside the git repository):
git-secrets --scan
Keep in mind that this command will scan all the files that can be listed with this command (it's shown in the documentation):
git ls-files
If you want to scan raw files you need to specify a path like:
git-secrets --scan /foo/bar
Here you can find the specific documentation for your case:
https://github.com/awslabs/git-secrets?tab=readme-ov-file#examples-1
In my case, I started customizing some patterns; I can share with you some patterns that I'm using:
patterns.allowed
# Pattern list to be allowed by git-secrets
(//|#)\s\bgit-secrets\b:\s.*$
(http|https):\/\/.*[0-9a-zA-Z_-]{34,40}.*
^(README.md|LICENSE):.*
^(.pylintrc|.yamllint|.editorconfig|.gitignore):.*
^.git-secrets.(allowed|prohibited):.*
patterns.prohibited
# Pattern list to be prohibited by git-secrets
# Gitlab token
\bglpat-[0-9a-zA-Z=_-]{20,22}\b
# Gitea / Cloudflare token
\b[0-9a-zA-Z_-]{40}\b
# OpenSSL certificates and private keys
\-{5}(BEGIN|END)\s(CERTIFICATE|PRIVATE KEY)-{5}
# Private openssh keys
\-{5}(BEGIN|END)\sOPENSSH\sPRIVATE\sKEY-{5}
# Jenkins token
\b[0-9a-zA-Z_-]{34}\b
# Sendgrid token
\bSG\.[a-zA-Z0-9_-]{20,24}\.[a-zA-Z0-9_-]{39,50}\b
# Basic authentication
(http|https):\/\/[0-9a-zA-Z_-]+\:[0-9a-zA-Z_-]+\@.*
Maybe many of these can be improved, but with this you can start to play :-), best regards.
Hello,
I have a similar issue. I created a test repository with git init and git add'd the following file:
$ cat secrets.default
DATABASE_USERNAME=root
DATABASE_PASSWORD=root
APP_KEYS="appkey1,appkey2"
JWT_SECRET=secretjwt
NEWPROJECT_AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
NEWPROJECT_AWS_ACCESS_SECRET=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
$ git ls-files
secrets.default
I then installed git secrets for the repo:
$ git secrets --install
✓ Installed commit-msg hook to .git/hooks/commit-msg
✓ Installed pre-commit hook to .git/hooks/pre-commit
✓ Installed prepare-commit-msg hook to .git/hooks/prepare-commit-msg
$ git secrets --register-aws
OK
Now, when I check the patterns registered, nothing happens:
$ git secrets --list
$ echo $?
1
I point out that I git secrets --install'd and git secrets --register-aws'd on another (real) project, which worked for registering patterns. But then git secrets --scan did not work:
$ cat secrets.default | egrep "AWS_ACCESS_KEY_ID|PASSWORD"
DATABASE_PASSWORD=root
REDACTED_AWS_ACCESS_KEY_ID=AKIA1111
$ git secrets --list
secrets.providers git secrets --aws-provider
secrets.patterns (A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}
secrets.patterns ("|')?(AWS|aws|Aws)?_?(SECRET|secret|Secret)?_?(ACCESS|access|Access)?_?(KEY|key|Key)("|')?\s*(:|=>|=)\s*("|')?[A-Za-z0-9/\+=]{40}("|')?
secrets.patterns ("|')?(AWS|aws|Aws)?_?(ACCOUNT|account|Account)_?(ID|id|Id)?("|')?\s*(:|=>|=)\s*("|')?[0-9]{4}\-?[0-9]{4}\-?[0-9]{4}("|')?
secrets.allowed AKIAIOSFODNN7EXAMPLE
secrets.allowed wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
secrets.patterns password\s*=\s*.+
secrets.patterns PASSWORD\s*=\s*.+
$ git secrets --scan
$ echo $?
0
Your project seems great and very helpful for achieving cybersecurity in AWS projects 👍. Please let me know if I can be of any help to improve it.
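Added example (an editor's addition, not code from any commenter and not git-secrets itself): a small POSIX shell script that dry-runs a git-secrets style prohibited/allowed pattern set against a constructed file using plain grep, so that patterns like the ones shared in the third comment can be checked before they are registered with git secrets --add, and so that a non-match like the DATABASE_PASSWORD line in the last comment can be investigated. It assumes a grep that supports -E, -w and -f (git-secrets invokes grep with -E and -w, to my knowledge). The thread's patterns are rewritten here in portable ERE: [[:space:]] in place of \s, word matching via -w in place of \b, and no escaped punctuation (newer GNU grep warns about stray backslashes). Every sample value is fake and constructed for the example.

```shell
#!/bin/sh
# Added example; not code from this thread or from git-secrets.
# Dry-runs a git-secrets style prohibited/allowed pattern set against a
# constructed sample file with plain grep, so the patterns can be checked
# before they are registered with `git secrets --add`.
# Assumptions: POSIX sh; a grep supporting -E, -w and -f (git-secrets itself
# invokes grep with -E and -w, to my knowledge). The thread's patterns are
# rewritten in portable ERE: [[:space:]] for \s, word matching via -w instead
# of \b, and no escaped punctuation (newer GNU grep warns about "stray \").

# Prohibited patterns, one per line (a subset of the thread's list plus the
# PASSWORD pattern from the last comment).
PROHIBITED='glpat-[0-9a-zA-Z=_-]{20,22}
-{5}(BEGIN|END)[[:space:]](CERTIFICATE|PRIVATE KEY)-{5}
(http|https)://[0-9a-zA-Z_-]+:[0-9a-zA-Z_-]+@.*
[0-9a-zA-Z_-]{40}
PASSWORD[[:space:]]*=[[:space:]]*.+'

# Allowed patterns: a line matching one of these is excused even if it also
# matched a prohibited pattern (the "# git-secrets: ..." comment convention).
ALLOWED='(//|#)[[:space:]]git-secrets:[[:space:]].*$'

# Constructed sample file contents (all values are fake).
SAMPLE='GITLAB_TOKEN=glpat-AbCdEfGhIjKlMnOpQrSt
-----BEGIN PRIVATE KEY-----
url: https://deploy:hunter2@git.example.com/repo.git
# git-secrets: fixture token, not real: glpat-ZzZzZzZzZzZzZzZzZzZz
DATABASE_PASSWORD=root
commit = 0123456789abcdef0123456789abcdef01234567
PASSWORD = hunter2'

# write_sample PATH: write the constructed sample to PATH.
write_sample() {
  printf '%s\n' "$SAMPLE" > "$1"
}

# scan_file PATH: print "lineno:line" for each line that hits a prohibited
# pattern and is not excused by an allowed pattern. Returns 1 when anything
# is flagged and 0 otherwise, like `git secrets --scan`.
scan_file() {
  pro=$(mktemp) || return 2
  alw=$(mktemp) || { rm -f "$pro"; return 2; }
  printf '%s\n' "$PROHIBITED" > "$pro"
  printf '%s\n' "$ALLOWED" > "$alw"
  # -w: a match must start and end at a word boundary; -n: prefix line numbers.
  # The second grep drops every flagged line that an allowed pattern matches.
  flagged=$(LC_ALL=C grep -nwE -f "$pro" "$1" | LC_ALL=C grep -vE -f "$alw" || true)
  rm -f "$pro" "$alw"
  [ -n "$flagged" ] || return 0
  printf '%s\n' "$flagged"
  return 1
}

# Stand-alone run: scan the constructed sample and report like the hook would.
demo=$(mktemp)
write_sample "$demo"
if scan_file "$demo"; then
  echo "no prohibited patterns matched"
else
  echo "[ERROR] Matched one or more prohibited patterns"
fi
rm -f "$demo"
```

Running it prints five flagged lines (1, 2, 3, 6 and 7 of the sample) followed by the [ERROR] message; line 4 is excused by the allowed pattern. Two things the run makes visible: with word matching, a pattern that begins at PASSWORD does not fire on DATABASE_PASSWORD=root, because the match would start right after an underscore, which grep counts as a word character, so something like [A-Z_]*PASSWORD[[:space:]]*=[[:space:]]*.+ is needed to catch that form; and the bare 40-character token pattern flags the constructed 40-hex commit id, so in a real repository it will also hit git SHAs unless an allowed pattern covers them.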