Secret keys in your code? Worry no more

Sandeep Gokhale

Security Breach

Did you know that 82% of breaches involve a human element such as social attacks, errors or misuse? Many of them originate with developers accidentally exposing sensitive information such as passwords, keys or other secrets.

The average cost of a data breach in 2023 is $4.45 million, a 15% increase over the past 3 years. - IBM

Many of the biggest breaches stem from seemingly small mistakes, like leaving an API key or password exposed. With cyberattacks happening at an alarming frequency, the security of your codebase is no longer optional—it’s essential.

Imagine this

A developer mistakenly commits an API key or password to your public or private repository. That alone is enough to open the floodgates to a security breach, leaving your entire project vulnerable. Once the sensitive data is exposed, the consequences can be swift and severe:

  • Immediate Exploitation

  • Service Disruptions

  • Unmet Compliance

  • Financial Losses

  • Reputational Damage, and more.

Be Safe, Not Sorry

It’s far easier to avoid exposing secrets in the first place than to deal with the after effects of a breach. With 10X developers, fail-fast methodology and the pace at which “modern” development happens (not to mention copy-pasted AI code), it’s easy to commit a secret to the repo unless there is a non-human way to prevent it. This is where tools shine.


Git Secrets - Open Source Tool

Git Secrets is a simple yet powerful way to make sure you're never caught off guard by an exposed credential. It is a “preventive” control: a Git hook scans what is about to be committed and rejects the commit when a prohibited pattern is found, saving you from costly mistakes and the potentially devastating consequences of a breach. Knowing how Git hooks work will make everything easier.


Prerequisites

  1. A Git repository

  2. Ability to run scripts in Git Bash or PowerShell


Easy to Install and Use

Installing Git Secrets is straightforward. The documentation in its GitHub repository is decent and easy to follow.



1. Clone the Repo
https://github.com/awslabs/git-secrets


2. Install Git Secrets.

    For Windows: open PowerShell as administrator, change into the cloned directory and run the commands below.
        Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
        ./install.ps1

    For Linux: it's just `make install` from the cloned directory. Check the git repo for more details.


3. Start Using Git Secrets.

    Navigate to the directory where your code is present and install the hooks as shown below.

    cd /path/to/repo
    git secrets --install
    git secrets --register-aws
    # The last command adds the common AWS credential patterns to the prohibited list,
    # so commits containing AWS access keys or secret keys are rejected.


4. Add the Hooks to a Template Directory

    Installing into a Git template directory makes every repository you clone or initialise afterwards pick up the hooks automatically:

    git secrets --install ~/.git-templates/git-secrets
    git config --global init.templateDir ~/.git-templates/git-secrets


5. Add a prohibited pattern to the current repo:

    git secrets --add 'password\s*=\s*.+'

    # The pattern above rejects any commit that contains a line like `password = <value>`.
    # The commit fails during the commit phase until the line is changed or removed.


6. If you want to allow a dummy value after the = instead of blocking it completely, register an allowed pattern:

    git secrets --add --allowed --literal 'ex@mplepassword'
    # Now a line such as password='ex@mplepassword' is accepted.

Run a Scan

Once installation and setup are complete, we can run a scan to check whether the codebase already exposes any secrets. It goes without saying that you need to know “how” secrets are defined in your application, so that you register patterns that actually match them.

I highly recommend testing Git Secrets via a scan before making it live and enabling it for all users.

git secrets --scan                        # scans the files in the repo that are tracked by git

git secrets --scan --untracked            # scans tracked and untracked files

git secrets --scan /path/to/file          # scans a single file

git secrets --scan -r /path/to/directory  # scans a directory recursively

How to Test

After the initial setup, every time a developer tries to commit to the repo the pre-commit hook runs the check automatically, and any commit containing a matching secret is rejected before it can ever be pushed to the repository.
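The following is an added example, not code from the article or from the git-secrets project. It reproduces in plain sh what steps 5 and 6, the scan commands and the commit-time check above do, using the same prohibited pattern and allowed literal the article registers, so the flow can be tried end to end in a throwaway repository without installing the tool. The pattern is written with `[[:space:]]` instead of `\s` for grep portability; the repo path, file names and the `hunter2` credential are constructed for the demo.

```shell
#!/bin/sh
# Added example (not git-secrets' own code): a plain-sh stand-in for the
# pre-commit hook git-secrets installs, using the article's own pattern
# and allowed literal so the reject/accept behaviour can be tried offline.
PROHIBITED='password[[:space:]]*=[[:space:]]*.+'   # git secrets --add 'password\s*=\s*.+'
ALLOWED='ex@mplepassword'                          # git secrets --add --allowed --literal 'ex@mplepassword'

# scan_file FILE: like `git secrets --scan FILE`. Prints offending lines and
# returns 1 when a prohibited match survives the allowed-literal filter.
scan_file() {
  matches=$(grep -E -n "$PROHIBITED" "$1" 2>/dev/null | grep -v -F "$ALLOWED" || true)
  if [ -n "$matches" ]; then
    printf '%s\n' "$matches"
    return 1
  fi
  return 0
}

# scan_tree DIR: like `git secrets --scan -r DIR`; returns 1 if any file fails.
# (Word-splits on whitespace, so paths with spaces are out of scope for the demo.)
scan_tree() {
  rc=0
  for f in $(find "$1" -type f -not -path '*/.git/*'); do
    scan_file "$f" || rc=1
  done
  return $rc
}

# demo_hook: builds a throwaway repo, installs a minimal pre-commit hook with
# the same logic, then shows a commit carrying a credential being rejected
# while the allowed placeholder goes through. Prints "ok" on success.
demo_hook() {
  (
    set -e
    repo=$(mktemp -d)
    cd "$repo"
    git init -q
    git config user.email "demo@example.invalid"   # constructed identity for the demo
    git config user.name "demo"
    # The hook scans every staged file; git-secrets' real hook does the same
    # with its full prohibited and allowed pattern lists.
    cat > .git/hooks/pre-commit <<'EOF'
#!/bin/sh
for f in $(git diff --cached --name-only --diff-filter=ACM); do
  if git show ":$f" | grep -E 'password[[:space:]]*=[[:space:]]*.+' \
                    | grep -v -F 'ex@mplepassword' | grep -q .; then
    echo "[pre-commit] prohibited pattern in $f; commit rejected" >&2
    exit 1
  fi
done
EOF
    chmod +x .git/hooks/pre-commit
    # 1) constructed config with a real-looking credential: must be rejected
    printf 'password = hunter2\n' > config.ini
    git add config.ini
    if git commit -q -m "add config" >/dev/null 2>&1; then
      echo "credential was committed"
      exit 1
    fi
    # 2) the allowed placeholder from step 6: must be accepted
    printf "password='ex@mplepassword'\n" > config.ini
    git add config.ini
    git commit -q -m "add config with placeholder" >/dev/null 2>&1
    echo "ok"
  )
}
```

Source the file and call `demo_hook` to watch the first commit fail and the second succeed, or call `scan_file` / `scan_tree` on your own paths to mirror the `--scan` commands. The real tool works the same way: a match on a prohibited pattern is a failure unless the matched line also matches an allowed pattern, which is why registering a placeholder literal is safer than loosening the prohibited regex.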


Try it today

By setting up Git Secrets at both the repository and individual developer levels, we can easily add an important layer of protection that helps safeguard your project secrets. The return on investment is massive given its ease of installation and implementation.

Don’t wait for a breach to happen - Make security a natural part of your development process.


Thank You

If you have read this far, congratulations. Please feel free to share your thoughts via the comments.


Let's Connect

Feel free to connect with me on LinkedIn and Twitter if you have any questions.

Until Next time!
