Quan Zhou

It's quite usual that people push their credentials to a public git repo on the internet. What published is published, a push -f does not unpublish, and recovery isn't that obscure.

The Idea

There's no magic in finding secrets in your repo, a simple grepping with --recursive --ignore-case --only for common patterns for secrets will do the job, like grep -rio "begin private" will point out any offenders that have PEM secret keys.

For basics, have a list of regexes (or regexen?) in a .sh will do, and a bonus point for {push|commit}-hook.

Existing Tools

Instead of incubating our own, there are plenty of them on the Github.

awslab/git-secrets

It's just a well-documented shell document, with very basic functionality, but pretty easy to extend. Anyway, it just ships with aws rules.

apuigsech/git-seekret

A Golang implementation, bundled with a lot of common rules, sort of set and forget tool.

Yelp/detect-secrets-server

It's a server, as so told in the name. It's not really security, but a safety scanner, you'll know when there's a leak. Very useful for continued watching.

Extending git-secrets a bit

I would go for git-seekret if I wasn't already using git-secret.

I have added a few patterns to prevent DEBUG log and secrets from being commited:

# PRIVATE Keys
git secrets --global --add "\-+.*PRIVATE"
# Tokens
git secrets --global --add "(access|id|refresh)_token"
# Debug Logs
git secrets --global --add "\d{4}.\d{2}.\d{2}.\d{2}.\d{2}.\d{2}.\d+.(DEBUG|TRACE)"