Git pre-commit hook to check for AWS keys
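#!/usr/bin/env bash
# Git pre-commit hook that scans the content about to be committed for
# strings shaped like AWS access key IDs and AWS secret access keys.
# Install globally using https://coderwall.com/p/jp7d5q/create-a-global-git-commit-hook
# The checks are simple and can give false positives (any 40-character
# base64-like token, e.g. a 40-hex-digit SHA-1, matches the secret pattern).
# Amend the hook in the specific repository.
#
# The hook inspects the staged blobs (the index), not the working tree, so a
# partially staged file or an unstaged edit is judged by what will actually
# land in the commit. Deleted paths are skipped instead of being grepped.

readonly KEY_ID_PATTERN='(^|[^A-Za-z0-9/+=])AKIA[A-Z0-9]{16}($|[^A-Za-z0-9/+=])'
readonly KEY_PATTERN='(^|[^A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}($|[^A-Za-z0-9/+=])'

#######################################
# Print the revision the staged changes are compared against.
# Outputs: "HEAD", or the empty tree object hash on the initial commit.
#######################################
base_revision() {
  if git rev-parse --verify HEAD >/dev/null 2>&1; then
    printf 'HEAD\n'
  else
    # Initial commit: diff against an empty tree object
    git hash-object -t tree /dev/null
  fi
}

#######################################
# Grep the staged content of every added/copied/modified/renamed file.
# Arguments: $1 - extended regex to search for
#            $2 - revision to diff the index against
# Outputs:   one "path:line:text" line per match, on stdout
#######################################
scan_staged() {
  local pattern=$1
  local against=$2
  local path hit
  # -z keeps paths containing spaces or newlines intact; --diff-filter=ACMR
  # drops deletions so we never try to read a blob that left the index.
  while IFS= read -r -d '' path; do
    # ":path" reads the staged blob, which may differ from the working tree.
    git show ":${path}" 2>/dev/null \
      | grep -nE -- "$pattern" \
      | while IFS= read -r hit; do
          printf '%s:%s\n' "$path" "$hit"
        done
  done < <(git diff --cached --name-only -z --diff-filter=ACMR "$against" --)
}

#######################################
# Ask the committer whether to proceed despite the findings.
# Returns: 0 to allow the commit, 1 to abort. An empty answer means "no", and
#          without a terminal the hook fails closed (e.g. when run by CI).
#######################################
confirm_commit() {
  local yn
  exec </dev/tty || {
    printf '[AWS Key Check] No terminal available to confirm; aborting commit.\n'
    return 1
  }
  while true; do
    read -r -p "[AWS Key Check] Possible AWS keys found. Commit files anyway? (y/N) " yn
    case "${yn:-N}" in
      [Yy]) return 0 ;;
      [Nn]) return 1 ;;
      *) printf 'Please answer y or n for yes or no.\n' ;;
    esac
  done
}

#######################################
# Entry point: collect findings from the index, report them on stderr and
# block the commit unless the committer explicitly allows it.
# Returns: exit 0 to allow the commit, exit 1 to abort it.
#######################################
main() {
  local against key_ids keys
  against=$(base_revision)

  # Redirect output to stderr.
  exec 1>&2

  key_ids=$(scan_staged "$KEY_ID_PATTERN" "$against")
  keys=$(scan_staged "$KEY_PATTERN" "$against")

  if [ -n "$key_ids" ] || [ -n "$keys" ]; then
    printf '=========== Possible AWS Access Key IDs ===========\n%s\n\n' "$key_ids"
    printf '=========== Possible AWS Secret Access Keys ===========\n%s\n\n' "$keys"
    confirm_commit || exit 1
  fi

  # Normal exit
  exit 0
}

main "$@"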