Can I just configure GitHub, GitLab, Bitbucket, etc. to prevent secrets being allowed?
`git` as a command line program supports server side pre-receive hooks. However, these hooks are only supported on self-hosted git repositories, usually under the "Enterprise" offerings. Instead, `minnie-kenny.sh` can be used to set up a shareable `git secrets` configuration, significantly reducing the chance that secrets will be pushed to your publicly hosted git repository.
Can `minnie-kenny.sh` install `git secrets` automatically?
Not currently. Like `git`, `git secrets` must be installed manually once per system. Once the program is available on the `$PATH`, `minnie-kenny.sh` will ensure that the pre-commit hooks are configured correctly.

To install `git secrets`, follow the installation instructions in the `git secrets` readme.
Even though I added `allowed` entries, why am I getting false positives when `git secrets` runs on BusyBox / Alpine?
Alpine, the tiny Linux distribution based on BusyBox, includes a non-standard `grep` by default. This causes an issue where `allowed` expressions are not processed by `git secrets`.

`git secrets` loads the allowed statements into a multiline string. This string is then fed as the filter to `grep -v`. The POSIX manual states that:

> The pattern_list's value shall consist of one or more patterns separated by <newline> characters. Since a <newline> separates or terminates patterns (see the -e and -f options below), regular expressions cannot contain a <newline>.
>
> -v Select lines not matching any of the specified patterns.
On Ubuntu we see that `bar` is successfully excluded via a multiline expression:

```
$ docker run --rm ubuntu sh -c \
    "printf 'foo\nbar\nbaz' | grep -Ev \"\$(printf 'line1\nbar')\""
foo
baz
$
```
However, on Alpine and BusyBox the `bar` still ends up in the output:

```
$ docker run --rm busybox sh -c \
    "printf 'foo\nbar\nbaz' | grep -Ev \"\$(printf 'line1\nbar')\""
foo
bar
baz
$
```
A workaround is to install GNU grep before using `git secrets`:

```
$ docker run --rm alpine sh -c \
    "apk update && apk add grep &&
    printf 'foo\nbar\nbaz' | grep -Ev \"\$(printf 'line1\nbar')\""
fetch http://dl-cdn.alpinelinux.org/alpine/v3.10/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.10/community/x86_64/APKINDEX.tar.gz
v3.10.1-110-g1e85ba7cf4 [http://dl-cdn.alpinelinux.org/alpine/v3.10/main]
v3.10.1-110-g1e85ba7cf4 [http://dl-cdn.alpinelinux.org/alpine/v3.10/community]
OK: 10337 distinct packages available
(1/2) Installing pcre (8.43-r0)
(2/2) Installing grep (3.3-r0)
Executing busybox-1.30.1-r2.trigger
OK: 6 MiB in 16 packages
foo
baz
$
```
`git secrets` already requires `bash` to run, so adding GNU's grep shouldn't be much more of an addition.
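The probe above can be turned into a check you run on a host before trusting `allowed` entries there, and the same newline-separated list can be applied in a way BusyBox grep also honours: one `-e` argument per pattern. The script below is an added example, not code from `minnie-kenny.sh` or `git secrets`; the function names, the `filter_allowed` interface and the demo input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not code from minnie-kenny.sh or git secrets). It reproduces
# the FAQ's probe for the BusyBox grep behaviour and shows a portable way of
# applying a newline-separated allowed list: one -e argument per pattern.

# Returns 0 when the grep on $PATH treats a newline-separated pattern list as
# several patterns (GNU grep), 1 when it treats it as one pattern (BusyBox).
grep_handles_multiline_patterns() {
    out=$(printf 'foo\nbar\nbaz\n' | grep -Ev "$(printf 'line1\nbar')" || true)
    [ "$out" = "$(printf 'foo\nbaz')" ]
}

# Reads stdin and drops every line matching any pattern in $1, where $1 is a
# newline-separated list of extended regular expressions (the same shape as
# the multiline string described in the FAQ). Each non-empty line becomes its
# own -e argument, so the result is the same on GNU and BusyBox grep.
filter_allowed() {
    allowed=$1
    set --                       # positional parameters collect the -e arguments
    old_ifs=$IFS
    IFS='
'
    set -f                       # no globbing while patterns such as .* are split
    for pattern in $allowed; do
        [ -n "$pattern" ] && set -- "$@" -e "$pattern"
    done
    set +f
    IFS=$old_ifs
    if [ "$#" -eq 0 ]; then      # no allowed patterns: pass input through unchanged
        cat
    else
        grep -Ev "$@"
    fi
}

# Constructed demo input: one fake credential line and two harmless lines that
# the constructed allowed list should filter out.
demo() {
    printf 'password = s3cret\nuser = alice\nhost = example.test\n' \
        | filter_allowed "$(printf 'example\\.test\nuser = ')"
}
```

`grep_handles_multiline_patterns` reports the behaviour of whichever `grep` is first on `$PATH`, so run it after installing GNU grep on Alpine to confirm the workaround took effect.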
How do I uninstall `minnie-kenny.sh` / `git secrets`?
`minnie-kenny.sh` invokes `git secrets --install` to add the git hooks, and configures the `.git/config` to read from `minnie-kenny.gitconfig`. To remove the configurations that `minnie-kenny.sh` has installed:
To remove the `minnie-kenny.sh` setup per repository:

- edit the `.git/config`:
  - remove the `[secrets]` stanza
  - remove the `[include]` for `minnie-kenny.sh`
- remove the
- remove any calls to `git secrets` in the hooks:
  - `.git/hooks/commit-msg`
  - `.git/hooks/pre-commit`
  - `.git/hooks/prepare-commit-msg`
To remove `git-secrets` from your system, remove these things:

- the `git secrets` script, usually installed at `/usr/local/bin/git-secrets`
- the `git secrets` man page, usually installed at `/usr/local/share/man/man1/git-secrets.1`