Last active
October 3, 2022 12:13
-
-
Save czardoz/b8bb58ad10f4063209bd to your computer and use it in GitHub Desktop.
Git pre-commit hook that checks for AWS keys
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| if git rev-parse --verify HEAD >/dev/null 2>&1 | |
| then | |
| against=HEAD | |
| else | |
| # Initial commit: diff against an empty tree object | |
| EMPTY_TREE=$(git hash-object -t tree /dev/null) | |
| against=$EMPTY_TREE | |
| fi | |
| # Redirect output to stderr. | |
| exec 1>&2 | |
| # Check changed files for an AWS keys | |
| FILES=$(git diff --cached --name-only $against) | |
| if [ -n "$FILES" ]; then | |
| KEY_ID=$(grep -E --line-number '[^A-Z0-9][A-Z0-9]{20}[^A-Z0-9]' $FILES) | |
| KEY=$(grep -E --line-number '[^A-Za-z0-9/+=][A-Za-z0-9/+=]{40}[^A-Za-z0-9/+=]' $FILES) | |
| if [ -n "$KEY_ID" ] || [ -n "$KEY" ]; then | |
| exec < /dev/tty # Capture input | |
| echo "=========== Possible AWS Access Key IDs ===========" | |
| echo "${KEY_ID}" | |
| echo "" | |
| echo "=========== Possible AWS Secret Access Keys ===========" | |
| echo "${KEY}" | |
| echo "" | |
| while true; do | |
| read -p "[AWS Key Check] Possible AWS keys found. Commit files anyway? (y/N) " yn | |
| if [ "$yn" = "" ]; then | |
| yn='N' | |
| fi | |
| case $yn in | |
| [Yy] ) exit 0;; | |
| [Nn] ) exit 1;; | |
| * ) echo "Please answer y or n for yes or no.";; | |
| esac | |
| done | |
| exec <&- # Release input | |
| fi | |
| fi | |
| # Normal exit | |
| exit 0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This come up for me on google, but the
KEYregexp doesn't really work well for me -- even if you get it not false-negativing too much, just 40 chars in a row of[A-Za-z0-9/+=]was matching on lots of false positives in my source, like URLs that happened to have components of the right length and such.So.... I went and looked what git-secrets does. I didn't really want to use git-secrets, I just wanted a simple little script... so I kind of mashed the regexp git-secrets uses by default for AWS_SECRET_KEY_ID -- which looks for the variable name on the line too -- with this script, and did this:
https://github.com/sciencehistory/scihist_digicoll/blob/aaf57ee373ad568b1b772c0c6bd7645b5deb7e2b/.githooks/pre-commit
(per 1311543 above, that's not a use-case I care about. This is for preventing devs from accidentally committing keys, not catching people "trying to hide" them).