Description
git-secrets scans commits, commit messages, and merges to prevent adding secrets into your git repositories. Created by AWS Labs, it's particularly effective for catching AWS credentials, API keys, and custom patterns you define. Essential for defensive security.
Installation
BASH
# Homebrew
brew install git-secrets
# From source
git clone https://github.com/awslabs/git-secrets.git
cd git-secrets && sudo make install
# Install hooks in a repo
cd your-repo
git secrets --install
git secrets --register-aws # Add AWS-specific patterns
Basic Usage
BASH
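# Scan entire repo history. A shallow clone only holds part of the history, so
# only that part can be scanned — run this from a full clone.
git secrets --scan-history
# Scan specific file (pass one or more paths)
git secrets --scan /path/to/file
# Scan stdin ("-" reads the data to scan from stdin). The value piped in is a
# constructed sample that only has the shape of an AWS access key id; it is not
# a real credential. printf rather than echo so the data is never interpreted
# as echo options or escapes.
printf '%s\n' "AKIA1234567890ABCDEF" | git secrets --scan -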
Advanced Usage
BASH
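# Add custom patterns. They are stored in this repo's git config (.git/config),
# which is not versioned, so they do not travel with clones or pushes: share
# them with --global or a setup script, otherwise each clone scans with a
# different pattern set.
git secrets --add 'password\s*=\s*.+'
git secrets --add 'api[_-]?key\s*=\s*.+'
# Allow-list a known-fake value so it does not trip the patterns above. Keep
# allowed patterns as narrow as possible — a broad one silently re-opens the hole.
git secrets --add --allowed 'password\s*=\s*fake'
# List registered patterns (prohibited and allowed)
git secrets --list
# Add to global config (all repos). The template-dir hooks only reach repos that
# are created or cloned after init.templateDir is set; existing clones still
# need `git secrets --install` run inside them.
git secrets --register-aws --global
git secrets --install ~/.git-templates/git-secrets
git config --global init.templateDir ~/.git-templates/git-secrets
# Scan a specific commit. --scan takes file paths (or "-" for stdin), not commit
# ids, so feed the commit's content in on stdin. Note that `git show` output also
# contains the removed ("-") lines, so a secret the commit deletes is reported
# as well — which is what you want when auditing.
git show <commit-hash> | git secrets --scan -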
Common Workflows
BASH
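# Set up for all future repos: install the hooks into a git template directory and
# point init.templateDir at it. Only repos created or cloned after this inherit the
# hooks; run `git secrets --install` inside any clone that already exists.
git secrets --install ~/.git-templates/git-secrets
git config --global init.templateDir ~/.git-templates/git-secrets
git secrets --register-aws --global
# Audit existing repos for leaked secrets. A hit means the credential has to be
# rotated: rewriting history removes the evidence, not the exposure.
cd target-repo && git secrets --scan-history
# CI/CD integration. git-secrets exits non-zero when it finds a match, so the
# step fails on its own; the `|| exit 1` is kept as an explicit guard for CI
# runners that do not stop on a failed command. Make sure the CI checkout fetches
# full history — with a shallow clone --scan-history only covers what was fetched.
git secrets --scan-history || exit 1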