How I Avoid Committing Passwords to Github

TL;DR: My pre-commit-hooks repo might help you avoid checking in passwords or other secrets. Also: a suggestion that any secret string should contain NOCOMMIT.


I once committed AWS keys to a public Github repository. 24 hours later, ~USD2000 had been spent mining bitcoins.

I was motivated to avoid doing that again.

So I began to use Yelp's pre-commit package. It comes with a checker (detect-aws-credentials) that looks to see if the contents of ~/.aws/credentials are in any of the files you're about to commit (or push).

I decided to be doubly-cautious and also check for the distinctive pattern of AWS secrets (AKIA[[:alnum:]]{14}). To do that, I wrote a new plugin.

Fine.

But AWS secrets aren't the only secrets. What about passwords for Postgres, Redis, and the other zillion services your core code uses?

Because of the risk of checking in passwords, any service password I create prepends NOCOMMIT to the strong string I get from 1Password. So my standard pre-commit configuration file includes the following:

    hooks:
    -   id: prohibit-suspicious-patterns
        args:
        - AKIA[[:alnum:]]{14}
        - NOCOMMIT
        - --

That means that I can't check in a password unless:

  • I use the --no-verify argument to git commit or git push, or
  • I include git-commit-ok on the same line.

You might find the plugin useful.

The repo also includes a plugin that lets you exclude dangerous files (identified by name) and one that prevents you from checking into branches like production or master1.

  1. I last worked in a company that wanted people to work on a branch, finish by making a pull request, and then merging. Since I'm used to working on "trunk", I kept forgetting to make the branch and then accidentally committing to "production", which immediately got deployed. That was not appropriate at this company.