git-secrets

TLDR

Install hooks in repository

$ git secrets --install

Add AWS patterns

$ git secrets --register-aws

Add custom pattern

$ git secrets --add '[pattern]'

Scan repository

$ git secrets --scan

Scan specific file

$ git secrets --scan [file.txt]

List patterns

$ git secrets --list

SYNOPSIS

git secrets command [options]

DESCRIPTION

git-secrets prevents secrets and credentials from being committed to Git repositories. It installs Git hooks that scan staged changes against configurable patterns and reject the commit when a forbidden pattern matches.
The tool was created by AWS Labs to prevent accidental commits of AWS credentials. It also accepts custom patterns for other kinds of secrets.

PARAMETERS

--install
Install hooks in current repo.

--register-aws
Add AWS secret patterns.

--add pattern
Add forbidden pattern.

--add-allowed pattern
Add allowed pattern (exception).

--scan
Scan repository for secrets.

--scan-history
Scan entire commit history.

--list
List registered patterns.

--add-provider cmd
Add secret provider command.

CONFIGURATION

# Global installation
$ git secrets --install ~/.git-templates/git-secrets
$ git config --global init.templateDir ~/.git-templates/git-secrets

# Add patterns
$ git secrets --add 'password\s*=\s*.+'
$ git secrets --add-allowed 'password = "example"'
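The interaction between --add and --add-allowed is the part that trips people up: a line is reported when it matches any forbidden pattern unless it also matches an allowed pattern. The following POSIX shell function is an added illustration of that rule, written for this page and not taken from the git-secrets project; it mirrors the behaviour with plain grep instead of the tool's hooks. git-secrets keeps its patterns in git config, whereas here the forbidden and allowed lists, the fake access-key shape AKIA followed by 16 characters, and the sample file are constructed for a stand-alone run.

```shell
#!/bin/sh
# Added example: emulate git-secrets' forbidden/allowed matching with grep.
# Assumption: a POSIX sh with grep -E, sed and mktemp is available.

# Forbidden patterns, one per line (constructed for this example).
# Line 1: an AWS-style access key id shape; line 2: an inline password.
FORBIDDEN='AKIA[A-Z0-9]{16}
password[[:space:]]*=[[:space:]]*.+'

# Allowed patterns: any finding that also matches one of these is dropped,
# which is what --add-allowed does for documentation examples.
ALLOWED='password = "example"'

# scan_file FILE: print findings as FILE:LINE:TEXT on stdout.
# Returns 1 when at least one finding remains, 0 when the file is clean,
# matching the non-zero exit git-secrets uses to block a commit.
scan_file() {
    file=$1
    pat_f=$(mktemp)
    pat_a=$(mktemp)
    printf '%s\n' "$FORBIDDEN" > "$pat_f"
    printf '%s\n' "$ALLOWED" > "$pat_a"
    # First grep collects forbidden matches with line numbers; the second
    # removes those that are explicitly allowed. "|| true" keeps a clean
    # file from aborting callers that run under "set -e".
    hits=$(grep -nE -f "$pat_f" "$file" | grep -vE -f "$pat_a" || true)
    rm -f "$pat_f" "$pat_a"
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed "s|^|$file:|"
        return 1
    fi
    return 0
}

# Stand-alone demo on a constructed sample file. The key id below is a
# made-up value in the AKIA + 16 character shape, not a real credential.
sample=$(mktemp)
printf '%s\n' \
    'aws_key = AKIA0123456789ABCDEF' \
    'password = "example"' \
    'password = hunter2' \
    'nothing to see here' > "$sample"
scan_file "$sample" || echo "secrets found, commit would be rejected"
rm -f "$sample"
```

Running the block prints the key-id line and the hunter2 line prefixed with the file name and line number; the `password = "example"` line is suppressed by the allowed pattern, and the function's non-zero return is what a pre-commit hook would turn into a rejected commit.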

CAVEATS

Hooks must be installed per repository or distributed through a template directory. Only secrets that match a registered pattern are caught, so anything with an unexpected format passes. History scanning is slow on large repositories. Consider tools such as gitleaks for more comprehensive scanning.

HISTORY

git-secrets was created by AWS Labs to prevent AWS credential leaks. It's one of several tools addressing the widespread problem of secrets accidentally committed to version control.

SEE ALSO
