This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.
Hello everyone! Today I would like to share a very important security topic. Have you ever pushed a password or other secret credentials to GitHub by accident? Have you ever wished there were a way to block the commit, or at least warn you, when sensitive credentials are sitting in your code?
Today many developers and open-source communities use GitHub to collaborate and store their code. Many articles on GitHub security best practices have already been published and are easy to find with any search engine, so I am not going to cover general best practices today.
I would like to talk about one specific scenario. Assume you are a developer, you have structured your .gitignore and your code, and everything looks great; however, by accident a file containing Azure credentials gets saved or copied into your repository and you are not aware that it is there. You may think this is not a realistic scenario or is unlikely to happen. In that case you may be interested in reading this article.
Since .gitignore does not know about that file, it will sneak into your public repository during the commit and push process. Or maybe you never set up .gitignore at all, and now your local.settings.json or .env file with hardcoded secrets is about to be pushed to your repository. Wouldn't it be nice if git warned you before the commit?
Let me introduce git-secrets. It is an open-source project, originally published by AWS Labs with AWS patterns, that helps prevent you from committing passwords and other sensitive information into a git repository. The version linked at the end of this post adds Azure and GCP providers, so it supports Azure, AWS, and GCP.
git-secrets scans commits, commit messages, and merges to prevent secrets from being added to your git repositories. If a commit, commit message, or any commit in a --no-ff merge history matches one of your configured prohibited regular-expression patterns, the commit is rejected. A match that also hits one of your configured allowed patterns (for example a documented placeholder value) is ignored, so false positives can be whitelisted without loosening the prohibited list.
Installing git-secrets
git-secrets must be placed somewhere in your PATH so that it is picked up by git when running git secrets.
You can use the install target of the provided Makefile to install git secrets and the man page. You can customize the install path using the PREFIX and MANPREFIX variables.
Installing git hooks
The hooks are installed per repository: you MUST run git secrets --install in every repo you want protected. It writes the pre-commit, commit-msg, and prepare-commit-msg hooks into that repository's .git/hooks directory, so a freshly cloned repo has no protection until you run it there.
Here's a quick example of how to register the Azure provider:
You can also register other providers, such as AWS and GCP.
Before making a repository public
With git-secrets it is also possible to scan a repository including all of its revisions (a history scan). This is worth doing before a private repository is made public, because a secret that was removed in a later commit is still present in the earlier ones:
Examples
Let's assume we have a repository containing sensitive credentials and we try to commit it. Let's see what happens when the git-secrets hook is in place.
As you can see, the plugin scanned the code and flagged many hardcoded credential patterns: tenant ID, subscription ID, client ID, client key (secret), private certificates, Azure service endpoints for Blob and Table storage, SAS tokens, and so on. Note that some of these, such as tenant and subscription IDs, are identifiers rather than secrets; they are flagged because they are GUID-shaped, so review the hits rather than treating every one as a leak.
Fantastic! Now we have the chance to review our code and make the necessary changes to keep our credentials safe and our code clean.
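To make the mechanism behind the install, register, scan and scan-history steps above (and the rejected commit in this example) concrete, here is an added example script. It is not part of the original post and not git-secrets' own code; it rebuilds the same workflow with nothing but git and grep: prohibited and allowed patterns are stored in the repository's git config (git-secrets itself uses the secrets.patterns and secrets.allowed keys), a per-repo pre-commit hook scans the staged diff and fails the commit on a hit, and a history scan walks every revision. With git-secrets the equivalent commands are git secrets --install, git secrets --register-aws (or the fork's Azure registration switch; confirm the exact spelling in the fork's README), git secrets --add --allowed '<pattern>' for placeholders, git secrets --scan, and git secrets --scan-history. The Azure-style regular expressions, the sample key, tenant ID and SAS signature, and the file names used in the demo are all constructed for this illustration and are not the tool's shipped pattern set.

```shell
#!/bin/sh
# Added example: a minimal re-implementation of the git-secrets workflow
# (patterns in git config, a pre-commit hook, a history scan) using only git
# and grep. Not git-secrets' own code; the patterns and sample values below
# are constructed for this demo and are not the tool's shipped Azure set.

# Prohibited patterns (POSIX ERE, one per line). Constructed to approximate
# what the post's Azure provider flags: GUID-shaped tenant/subscription/client
# IDs, storage account keys, SAS token signatures, PEM private keys.
PROHIBITED='[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}
AccountKey=[A-Za-z0-9+/=]{20,}
[?&]sig=[A-Za-z0-9%]{20,}
BEGIN( RSA)? PRIVATE KEY'
# Allowed patterns: a line matching one of these is ignored even if it also
# matches a prohibited pattern (the role of secrets.allowed in git-secrets).
ALLOWED='00000000-0000-0000-0000-000000000000
AccountKey=<your-account-key>'

# find_secrets PROHIBITED ALLOWED: filter stdin through both lists, print the
# offending lines and return 1 if any remain, 0 if the input is clean.
find_secrets() {
    bad=$(printf '%s' "$1" | tr '\n' '|')
    ok=$(printf '%s' "$2" | tr '\n' '|')
    hits=$(grep -E -- "$bad" || true)
    [ -n "$ok" ] && [ -n "$hits" ] &&
        hits=$(printf '%s\n' "$hits" | grep -E -v -- "$ok" || true)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# register_patterns REPO: store both lists in the repo's git config, which is
# what `git secrets --register-<provider>` and `--add --allowed` do.
register_patterns() {
    printf '%s\n' "$PROHIBITED" | while IFS= read -r p; do
        git -C "$1" config --add secrets.patterns "$p"; done
    printf '%s\n' "$ALLOWED" | while IFS= read -r p; do
        git -C "$1" config --add secrets.allowed "$p"; done
}

# install_hook REPO: the per-repository step (`git secrets --install`). The
# hook scans only the staged additions and fails the commit on a hit.
install_hook() {
    mkdir -p "$1/.git/hooks"
    cat > "$1/.git/hooks/pre-commit" <<'EOF'
#!/bin/sh
bad=$(git config --get-all secrets.patterns | tr '\n' '|' | sed 's/|$//')
ok=$(git config --get-all secrets.allowed | tr '\n' '|' | sed 's/|$//')
[ -n "$bad" ] || exit 0
hits=$(git diff --cached --no-color -U0 | grep '^[+]' | grep -v '^+++' |
       grep -E -- "$bad" || true)
[ -n "$ok" ] && [ -n "$hits" ] &&
    hits=$(printf '%s\n' "$hits" | grep -E -v -- "$ok" || true)
[ -z "$hits" ] && exit 0
printf '[ERROR] prohibited pattern in staged changes:\n%s\n' "$hits" >&2
exit 1
EOF
    chmod +x "$1/.git/hooks/pre-commit"
}

# scan_history REPO: every revision on every branch (`git secrets --scan-history`).
scan_history() {
    git -C "$1" log -p --all --no-color -U0 |
        grep '^[+]' | grep -v '^+++' |
        find_secrets "$(git -C "$1" config --get-all secrets.patterns)" \
                     "$(git -C "$1" config --get-all secrets.allowed)"
}

# demo: a throwaway repo walks through the post's scenario. A secret committed
# before the hook existed is only caught by the history scan; a staged secret
# is rejected; a documented placeholder is allowed. Returns 0 if all hold.
demo() {
    repo=$(mktemp -d)
    git init -q "$repo"
    git -C "$repo" config user.email dev@example.com
    git -C "$repo" config user.name dev
    # Constructed storage connection string, committed before any hook exists.
    printf 'AzureWebJobsStorage=DefaultEndpointsProtocol=https;AccountName=demo;AccountKey=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n' \
        > "$repo/local.settings.json"
    git -C "$repo" add . && git -C "$repo" commit -q -m "before hook" || return 1
    install_hook "$repo"
    register_patterns "$repo"
    # Constructed tenant ID staged in .env: the hook must reject this commit.
    printf 'AZURE_TENANT_ID=11111111-2222-3333-4444-555555555555\n' > "$repo/.env"
    git -C "$repo" add .env
    if git -C "$repo" commit -q -m "leak" 2>/dev/null; then return 1; fi
    # The documented placeholder value is on the allowed list and goes through.
    printf 'AZURE_TENANT_ID=00000000-0000-0000-0000-000000000000\n' > "$repo/.env"
    git -C "$repo" add .env
    git -C "$repo" commit -q -m "placeholder" || return 1
    # The pre-hook leak is still in history, so the history scan must fail.
    if scan_history "$repo" >/dev/null; then return 1; fi
    rm -rf "$repo"
}
```

Run demo in a shell to watch the three outcomes; the point to take away is the last one: a hook only protects commits made after it was installed, which is exactly why the history scan belongs in the checklist before a repository goes public.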
Conclusion
Using the git-secrets hook is a first line of defense against leaking sensitive credentials to GitHub. It only catches what its patterns match, and only in repositories where the hook has been installed, so pair it with server-side secret scanning; and if a secret does get pushed, rotate it immediately, because rewriting history does not undo the leak.
If you would like to know more about the tool, please visit my repo: git-secrets.