Skip to content

Instantly share code, notes, and snippets.

@czardoz
Last active October 3, 2022 12:13
Show Gist options
  • Save czardoz/b8bb58ad10f4063209bd to your computer and use it in GitHub Desktop.
Save czardoz/b8bb58ad10f4063209bd to your computer and use it in GitHub Desktop.
Git pre-commit hook that checks for AWS keys
#!/usr/bin/env bash
if git rev-parse --verify HEAD >/dev/null 2>&1
then
against=HEAD
else
# Initial commit: diff against an empty tree object
EMPTY_TREE=$(git hash-object -t tree /dev/null)
against=$EMPTY_TREE
fi
# Redirect output to stderr.
exec 1>&2
# Check changed files for an AWS keys
FILES=$(git diff --cached --name-only $against)
if [ -n "$FILES" ]; then
KEY_ID=$(grep -E --line-number '[^A-Z0-9][A-Z0-9]{20}[^A-Z0-9]' $FILES)
KEY=$(grep -E --line-number '[^A-Za-z0-9/+=][A-Za-z0-9/+=]{40}[^A-Za-z0-9/+=]' $FILES)
if [ -n "$KEY_ID" ] || [ -n "$KEY" ]; then
exec < /dev/tty # Capture input
echo "=========== Possible AWS Access Key IDs ==========="
echo "${KEY_ID}"
echo ""
echo "=========== Possible AWS Secret Access Keys ==========="
echo "${KEY}"
echo ""
while true; do
read -p "[AWS Key Check] Possible AWS keys found. Commit files anyway? (y/N) " yn
if [ "$yn" = "" ]; then
yn='N'
fi
case $yn in
[Yy] ) exit 0;;
[Nn] ) exit 1;;
* ) echo "Please answer y or n for yes or no.";;
esac
done
exec <&- # Release input
fi
fi
# Normal exit
exit 0
@smclauch
Copy link

I had some problems with this using Git under Windows - the problem turned out to be that the regex wasn't matching a key that ended with an end-of-line (which I imagine is fairly common). I got it working by changing the regexes as follows:

    KEY_ID=$(grep -E --line-number '\b[A-Z0-9]{20}\b' $FILES)
    KEY=$(grep -E --line-number '[^A-Za-z0-9/+=][A-Za-z0-9/+=]{40}(\b|[^A-Za-z0-9/+=])' $FILES) 

@czardoz
Copy link
Author

czardoz commented Feb 15, 2016

@smclauch, the KEY_ID regex you have only matches 20 characters, right?

@smclauch
Copy link

Yes - the problem with the orignal regex is that [^A-Z0-9] doesn't match EOL (at least not on Windows).

@1311543
Copy link

1311543 commented Dec 18, 2019

great! but it fails when you try to hide credentials for example AKIA4GQAF5DFSF2MM you add 112312312 at the end of the keyid add numbers and it fails.

@jrochkind
Copy link

jrochkind commented Feb 4, 2021

This come up for me on google, but the KEY regexp doesn't really work well for me -- even if you get it not false-negativing too much, just 40 chars in a row of [A-Za-z0-9/+=] was matching on lots of false positives in my source, like URLs that happened to have components of the right length and such.

So.... I went and looked what git-secrets does. I didn't really want to use git-secrets, I just wanted a simple little script... so I kind of mashed the regexp git-secrets uses by default for AWS_SECRET_KEY_ID -- which looks for the variable name on the line too -- with this script, and did this:

https://github.com/sciencehistory/scihist_digicoll/blob/aaf57ee373ad568b1b772c0c6bd7645b5deb7e2b/.githooks/pre-commit

(per 1311543 above, that's not a use-case I care about. This is for preventing devs from accidentally committing keys, not catching people "trying to hide" them).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment