-
-
Save czardoz/b8bb58ad10f4063209bd to your computer and use it in GitHub Desktop.
#!/usr/bin/env bash | |
if git rev-parse --verify HEAD >/dev/null 2>&1 | |
then | |
against=HEAD | |
else | |
# Initial commit: diff against an empty tree object | |
EMPTY_TREE=$(git hash-object -t tree /dev/null) | |
against=$EMPTY_TREE | |
fi | |
# Redirect output to stderr. | |
exec 1>&2 | |
# Check changed files for an AWS keys | |
FILES=$(git diff --cached --name-only $against) | |
if [ -n "$FILES" ]; then | |
KEY_ID=$(grep -E --line-number '[^A-Z0-9][A-Z0-9]{20}[^A-Z0-9]' $FILES) | |
KEY=$(grep -E --line-number '[^A-Za-z0-9/+=][A-Za-z0-9/+=]{40}[^A-Za-z0-9/+=]' $FILES) | |
if [ -n "$KEY_ID" ] || [ -n "$KEY" ]; then | |
exec < /dev/tty # Capture input | |
echo "=========== Possible AWS Access Key IDs ===========" | |
echo "${KEY_ID}" | |
echo "" | |
echo "=========== Possible AWS Secret Access Keys ===========" | |
echo "${KEY}" | |
echo "" | |
while true; do | |
read -p "[AWS Key Check] Possible AWS keys found. Commit files anyway? (y/N) " yn | |
if [ "$yn" = "" ]; then | |
yn='N' | |
fi | |
case $yn in | |
[Yy] ) exit 0;; | |
[Nn] ) exit 1;; | |
* ) echo "Please answer y or n for yes or no.";; | |
esac | |
done | |
exec <&- # Release input | |
fi | |
fi | |
# Normal exit | |
exit 0 |
This come up for me on google, but the KEY
regexp doesn't really work well for me -- even if you get it not false-negativing too much, just 40 chars in a row of [A-Za-z0-9/+=]
was matching on lots of false positives in my source, like URLs that happened to have components of the right length and such.
So.... I went and looked what git-secrets does. I didn't really want to use git-secrets, I just wanted a simple little script... so I kind of mashed the regexp git-secrets uses by default for AWS_SECRET_KEY_ID -- which looks for the variable name on the line too -- with this script, and did this:
(per 1311543 above, that's not a use-case I care about. This is for preventing devs from accidentally committing keys, not catching people "trying to hide" them).
great! but it fails when you try to hide credentials for example AKIA4GQAF5DFSF2MM you add 112312312 at the end of the keyid add numbers and it fails.