HACKER Q&A
📣 abhijais1

Prevent Secrets from Committing to Repos


Hey, I have been working on a solution to prevent secrets from being committed to VCS repos; so far it has prevented 10+ AWS keys from accidentally being committed. GitHub has an offering but it's very costly for our team. Do any of you want to try it out?
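The kind of check the post describes, written here as an added example rather than the OP's own tool or any existing scanner such as git-secrets: a pre-commit style scan that parses the staged diff, looks only at added lines, and blocks the commit when an AWS access key ID (the `AKIA`/`ASIA` prefix followed by 16 characters) or a secret access key assigned next to its conventional config name shows up. The patterns, the allowlist of AWS's documentation placeholder key, and the sample diff are assumptions and constructed data, not taken from the page.

```python
"""Pre-commit style scanner for AWS credentials in a staged diff (added example)."""
import re
import subprocess
import sys

# Assumed patterns: long-term (AKIA) and temporary (ASIA) access key IDs are 20
# uppercase alphanumerics; a secret key is 40 base64-ish characters, which we only
# flag when it is assigned to the conventional aws_secret_access_key name.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})\b"
    ),
}

# Placeholder key used throughout AWS documentation; safe to allowlist.
ALLOWLIST = {"AKIAIOSFODNN7EXAMPLE"}


def find_secrets(diff_text):
    """Scan the '+' lines of a unified diff; return (file, new_line_no, kind, value) tuples."""
    findings = []
    current_file = None
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            current_file = raw[4:]
            if current_file.startswith("b/"):
                current_file = current_file[2:]
            continue
        if raw.startswith("--- ") or raw.startswith("\\"):
            continue  # old-file header or "\ No newline at end of file"
        hunk = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
        if hunk:
            new_line = int(hunk.group(1))  # first line number of the new side
            continue
        if raw.startswith("-"):
            continue  # removed line: not part of the tree being committed
        if raw.startswith("+"):
            line_no = new_line
            new_line += 1
            for kind, pattern in PATTERNS.items():
                for hit in pattern.finditer(raw[1:]):
                    value = hit.group(hit.lastindex or 0)
                    if value not in ALLOWLIST:
                        findings.append((current_file, line_no, kind, value))
        else:
            new_line += 1  # unchanged context line
    return findings


# Constructed sample diff: one real-looking key ID, one secret, one allowlisted placeholder.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,6 @@
 import os
-REGION = "us-east-1"
+REGION = "eu-west-1"
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLE0000000XY"
+AWS_SECRET_ACCESS_KEY = "abcdefghijklmnopqrstuvwxyz0123456789ABCD"
+DOC_EXAMPLE = "AKIAIOSFODNN7EXAMPLE"
 DEBUG = False
"""


def main():
    """Hook entry point: scan `git diff --cached` and refuse the commit on any finding."""
    staged = subprocess.run(
        ["git", "diff", "--cached"], capture_output=True, text=True, check=True
    ).stdout
    findings = find_secrets(staged)
    for path, line_no, kind, value in findings:
        print(f"{path}:{line_no}: possible {kind}: {value[:4]}... (commit blocked)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Installed as `.git/hooks/pre-commit`, a non-zero exit blocks the commit; `git commit --no-verify` still bypasses it, which is why the thread's advice to pair scanning with review and prompt rotation stands.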


  👤 maxcomperatore Accepted Answer ✓
1) secrets in code are a symptom of broken dev culture not just tooling. fix the culture first, train devs early on using environment variables and iam roles. make secrets invisible to code.

2) relying on gitignore or vaults alone is a band-aid. sdk picks up creds from environment or home dir automatically if you use aws properly.

3) automate secret scans in ci but don't trust them blindly, human reviews and rotating keys asap is still critical.

4) biggest risk is devs rushing and skipping processes, so build workflows that make mistakes obvious and costly to push.

5) at scale, even perfect tech fails without good process + education. focus there and tools become backup not main defense.

this mindset saves time and downtime. secrets leaks cost more than any fancy tool subscription.


👤 ChrisGermano
My team has faced issues like this and other than ensuring any secrets are removed from your code and stored in a .gitignore'd config file (if you really need them to live so close to the codebase in the first place), you need to prioritize that everything goes through proper PRs, privacy/access is properly configured, and any compromised secrets are rotated immediately. We have some tools like Snyk and Trufflehog but even those don't catch a lot of things - human review is best.

👤 scarface_74
Why are AWS keys anywhere near your code in the first place?

For instance in Python, you initialize an object using

    import boto3

    # no credentials in code: boto3 resolves them from env vars, ~/.aws, or an IAM role
    s3 = boto3.client("s3")

When you use IAM identity center, you get temporary access keys which you assign to environment variables and the keys are automatically picked up.

Even if you use “aws configure” and have long lasting keys (don’t do that), your keys will be stored in your home directory, nowhere near your repository and still usable locally.

When running your code on AWS, whatever you are using to run it on will get permission from the IAM role attached to the Lambda, EC2, etc.


👤 austin-cheney
The easy but less secure solution:

Store all secrets in one file WITHIN your local repo and add that one secrets file to something like a .gitignore file. Then validate the file is excluded using git status.

The more secure solution is to store all secrets within a secrets vault and access that vault from application logic on application restart, provided the application is a service that rarely restarts.


👤 2rsf
Perplexity offered me these:

https://github.com/awslabs/git-secrets

https://www.infracloud.io/blogs/prevent-secret-leaks-in-repo...

https://www.reddit.com/r/git/comments/1h1r0ep/best_practices...

In addition, GitGuardian costs something around $220/year per developer, which is not too bad.


👤 joshstrange
I’m a little confused, is this mostly for public repos? Because for internal repos you’ll catch it in code review and then just revoke the creds?