Scan Git repositories for sensitive information and security issues by using git-secrets - AWS Prescriptive Guidance

Scan Git repositories for sensitive information and security issues by using git-secrets

Created by Saurabh Singh (AWS)

Environment: Production

Technologies: Security, identity, compliance

Workload: Open-source

Summary

This pattern describes how to use the open-source git-secrets tool from AWS Labs to scan Git source repositories for content that matches configured patterns for sensitive information, such as user passwords or AWS access keys, and to block new commits that would introduce such content.

git-secrets scans commits, commit messages, and merges to prevent secrets from being added to your Git repositories. If a commit, a commit message, or any commit in a merge history matches one of your configured prohibited regular expression patterns, the commit is rejected. Matches that you have explicitly marked as allowed (for example, the AWS documentation example keys) are ignored.

Prerequisites and limitations

Prerequisites 

  • An active AWS account (required only if you run the scan on an Amazon EC2 instance rather than on your local machine)

  • A Git repository that requires a security scan

  • A Git client (version 2.37.1 or later) installed

Architecture

Target architecture 

  • Git

  • git-secrets

Tools

  • git-secrets is a tool that prevents you from committing sensitive information into Git repositories.

  • Git is an open-source distributed version control system.

Best practices

  • Always scan the full history of a repository, not only the current working tree. A secret that was committed and later deleted is still recoverable from earlier revisions, so a working-tree scan alone can report a clean result for a repository that still leaks a key:

git secrets --scan-history

Epics

Task | Description | Skills required

Connect to an EC2 instance by using SSH.

Connect to an Amazon Elastic Compute Cloud (Amazon EC2) instance by using SSH and a key pair file.

You can skip this step if you are scanning a repository on your local machine.

General AWS
Task | Description | Skills required

Install Git.

Install Git by using the following command (on Amazon Linux or another yum-based distribution):

yum install git -y

If you are using your local machine, you can install a Git client for a specific OS version. For more information, see the Git website.

General AWS
Task | Description | Skills required

Clone the Git source repository.

From your home directory, run git clone with the URL of the Git repository that you want to scan.

General AWS

Clone git-secrets.

Clone the git-secrets Git repository.

git clone https://github.com/awslabs/git-secrets.git

Place the git-secrets script somewhere in your PATH so that Git can find it when you run git secrets (Git resolves the subcommand to an executable named git-secrets on the PATH).

General AWS

Install git-secrets.

For Unix and variants (Linux/macOS):

You can use the install target of the Makefile (provided in the git-secrets repository) to install the tool. You can customize the installation path by using the PREFIX and MANPREFIX variables.

make install

For Windows:

Run the PowerShell install.ps1 script provided in the git-secrets repository. This script copies the installation files to an installation directory (%USERPROFILE%/.git-secrets by default) and adds the directory to the current user PATH.

PS > ./install.ps1

For Homebrew (macOS users):

Run:

brew install git-secrets

For more information, see the Related resources section.

General AWS
Task | Description | Skills required

Go to the source repository.

Switch to the directory for the Git repository that you want to scan:

cd my-git-repository
General AWS

Register the AWS rule set.

Add the AWS patterns (access key IDs, secret access keys, and account IDs) and the allowed AWS documentation example keys to the git-secrets configuration of this repository:

git secrets --register-aws

This command registers patterns only. To have git-secrets check every commit, commit message, and merge automatically, also install the Git hooks in the repository with git secrets --install; without the hooks, the patterns are used only when you run a scan manually.
General AWS

Scan the repository.

Run the following command to scan the files that Git tracks in the working tree (the output of git ls-files) against the registered patterns:

git secrets --scan

If a file matches a prohibited pattern, the match is written to standard output and the command exits with a non-zero status, which lets you use it as a gate in a CI pipeline.
General AWS

Review the output.

git-secrets does not write a report file. Each match is written to standard output in the form file:line:text, followed by an error summary, and the command exits with a non-zero status. For example:

example.sh:4:AWS_SECRET_ACCESS_KEY = *********

[ERROR] Matched one or more prohibited patterns

Possible mitigations:
- Mark false positives as allowed using: git config --add secrets.allowed ...
- Mark false positives as allowed by adding regular expressions to .gitallowed at repository's root directory
- List your configured patterns: git config --get-all secrets.patterns
- List your configured allowed patterns: git config --get-all secrets.allowed
- List your configured allowed patterns in .gitallowed at repository's root directory
- Use --no-verify if this is a one-time false positive

Treat a match as a real leak until you have confirmed that it is a false positive. A credential that has reached a commit must be rotated; deleting it from the working tree does not remove it from the repository history, and --no-verify should be reserved for values you have verified are not secrets.
General AWS
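The procedure above (install the hooks, register the AWS rule set, commit, scan, handle a false positive) and the full-history best practice, carried through end to end as an added example. This script is not part of this page or of the git-secrets project. It assumes git and git-secrets are already on PATH (it returns status 3 and does nothing if git-secrets is missing), builds a throwaway repository under mktemp, and uses constructed AKIA... strings that merely fit the access-key-ID pattern and are not real credentials.

```shell
#!/bin/sh
# Added example (not from the AWS page or the git-secrets project).
# Builds a throwaway repo and confirms three things a practitioner wants to see:
#   1. a commit that stages an AWS access key ID is rejected by the pre-commit hook;
#   2. marking that one value as allowed lets the same commit through;
#   3. a key that bypassed the hook with --no-verify is invisible to --scan once the
#      working tree is clean, but --scan-history still reports the old commit.
# Assumptions: git and git-secrets are on PATH. The AKIA... values are constructed,
# non-functional strings that only fit the access-key-ID regex.
# Return codes: 0 = all checks passed, 3 = git-secrets not installed (skipped), 1 = failed.

demo_git_secrets() {
    command -v git >/dev/null 2>&1 || return 3
    command -v git-secrets >/dev/null 2>&1 || return 3

    repo=$(mktemp -d) || return 1
    (
        cd "$repo" || exit 1
        git init -q . >/dev/null 2>&1 || exit 1
        git config user.email "demo@example.com"
        git config user.name "git-secrets demo"
        printf 'demo repository\n' > README.md
        git add README.md
        git commit -q -m "initial" >/dev/null 2>&1 || exit 1

        # Install the pre-commit, commit-msg and prepare-commit-msg hooks, then add the
        # AWS patterns and the allowed AWS documentation example keys to this repo's config.
        git secrets --install >/dev/null 2>&1 || exit 1
        git secrets --register-aws >/dev/null 2>&1 || exit 1

        # 1. A staged access key ID (constructed value) must be rejected by the hook.
        printf 'AWS_ACCESS_KEY_ID=AKIAZZZZZZZZZZZZZZZZ\n' > config.env
        git add config.env
        if git commit -q -m "add config" >/dev/null 2>&1; then
            echo "FAIL: commit containing an access key ID was accepted" >&2
            exit 1
        fi
        echo "ok: pre-commit hook rejected the staged access key ID"

        # 2. Mark this single value as a false positive; the identical commit now passes.
        #    (A line with the same regex in .gitallowed at the repo root is equivalent.)
        git config --add secrets.allowed 'AKIAZZZZZZZZZZZZZZZZ'
        git commit -q -m "add config" >/dev/null 2>&1 || {
            echo "FAIL: allowed value was still rejected" >&2; exit 1; }
        echo "ok: allowed value committed"

        # 3. Bypass the hook, as a careless contributor might, then scrub the file.
        printf 'leaked=AKIAYYYYYYYYYYYYYYYY\n' > notes.txt
        git add notes.txt
        git commit -q --no-verify -m "notes" >/dev/null 2>&1 || exit 1
        printf 'nothing to see here\n' > notes.txt
        git commit -q -am "scrub notes" >/dev/null 2>&1 || exit 1

        # The working tree is clean, so --scan (tracked files) reports nothing ...
        git secrets --scan >/dev/null 2>&1 || {
            echo "FAIL: clean working tree was flagged" >&2; exit 1; }
        # ... but --scan-history walks every revision and still finds the key,
        # printing <commit>:<file>:<line>:<text> and exiting non-zero.
        if hist=$(git secrets --scan-history 2>&1); then
            echo "FAIL: --scan-history missed the key in an old commit" >&2
            exit 1
        fi
        echo "ok: --scan-history found the leaked key:"
        echo "$hist" | grep 'notes.txt'
        exit 0
    )
    rc=$?
    rm -rf "$repo"
    return "$rc"
}

status=0
demo_git_secrets || status=$?
case "$status" in
    0) echo "all checks passed" ;;
    3) echo "skipped: git-secrets is not on PATH" >&2 ;;
    *) echo "a check failed (status $status)" >&2 ;;
esac
```

The third step is the one to remember when you wire git-secrets into a pipeline: a contributor can skip the hook with --no-verify, and secrets committed before the hook was installed are never seen by it, so a passing git secrets --scan on the working tree is not evidence that the repository history is clean.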

Related resources