Git hooks that prevent committing secrets
Extend http://doc.gitlab.com/ee/git_hooks/git_hooks.html with a hook that detects common secrets (PRIVATE_KEY, etc.).
We need to be able to prevent committing secrets to a repository by defining rules set by users. This feature will be for our EE customers.
- This feature needs to be activated by project. It's OFF by default.
- A new checkbox under the Push Rules settings page, labelled "Prevent committing secrets", activates the feature for the project, as shown below.
- Inside GitLab, we maintain a non-editable list of filenames we want to prevent from being pushed to a repository.
- We don't need to read the content of those files. We just need to block any push that contains a file with one of the names listed below.
- We need a clear error message telling the user that she can't push files of this kind to the project. Keep in mind this issue when formatting the error message.
```text
# AWS CLI credential blobs
.aws/credentials
aws/credentials
homefolder/aws/credentials

# private RSA SSH keys
/ssh/id_rsa
/.ssh/personal_rsa
/config/server_rsa
id_rsa
.id_rsa

# private DSA SSH keys
/ssh/id_dsa
/.ssh/personal_dsa
/config/server_dsa
id_dsa
.id_dsa

# private ed25519 SSH keys
/ssh/id_ed25519
/.ssh/personal_ed25519
/config/server_ed25519
id_ed25519
.id_ed25519

# private ECDSA SSH keys
/ssh/id_ecdsa
/.ssh/personal_ecdsa
/config/server_ecdsa
id_ecdsa
.id_ecdsa

# filenames matching those expressions (not familiar enough with regex to know if I'm correct)
/*\.(pem|key)/   # will prevent privatekey.pem and secret.key from being pushed
```
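As an added illustration (not GitLab's code and not part of this issue), here is a server-side `pre-receive` hook in Python that applies the list above to the paths touched by a push, without reading any file contents. Entries containing a `/` are matched as a suffix of the path on a directory boundary (so `/ssh/id_rsa` blocks `deploy/ssh/id_rsa` but not `myssh/id_rsa`), bare names are matched against the file's basename, and the last entry is implemented as the case-insensitive extension test `\.(pem|key)$`, which is what the comment beside it says it should do (the `/*\.(pem|key)/` written above would not anchor on the extension). The function names, the `git diff` based collection of pushed paths and the rejection text are my assumptions.

```python
"""Pre-receive style check: reject a push if any added/modified path matches
a blocklist of well-known secret file names.  File contents are never read.
Added example for the GitLab "Prevent committing secrets" issue; not GitLab code."""
import os
import re
import subprocess
import sys

# The issue's list. Entries with a "/" match on a directory boundary anywhere
# in the path; bare names match the final path component only.
BLOCKED_PATHS = [
    # AWS CLI credential blobs
    ".aws/credentials", "aws/credentials", "homefolder/aws/credentials",
    # private RSA SSH keys
    "/ssh/id_rsa", "/.ssh/personal_rsa", "/config/server_rsa", "id_rsa", ".id_rsa",
    # private DSA SSH keys
    "/ssh/id_dsa", "/.ssh/personal_dsa", "/config/server_dsa", "id_dsa", ".id_dsa",
    # private ed25519 SSH keys
    "/ssh/id_ed25519", "/.ssh/personal_ed25519", "/config/server_ed25519",
    "id_ed25519", ".id_ed25519",
    # private ECDSA SSH keys
    "/ssh/id_ecdsa", "/.ssh/personal_ecdsa", "/config/server_ecdsa",
    "id_ecdsa", ".id_ecdsa",
]

# Corrected form of the issue's "/*\.(pem|key)/": anchor on the extension of
# the basename, case-insensitively (assumption about the author's intent).
BLOCKED_BASENAME_PATTERNS = [re.compile(r"\.(pem|key)$", re.IGNORECASE)]

ZERO_SHA = "0" * 40  # git's "no such object" marker for created/deleted refs


def blocked_reason(path):
    """Return the rule that blocks `path`, or None if it is allowed."""
    # Anchor with a leading "/" so every component (including the first) is
    # preceded by a slash; a suffix match then cannot start mid-component.
    anchored = "/" + path.strip("/")
    for entry in BLOCKED_PATHS:
        needle = "/" + entry.lstrip("/")
        if anchored == needle or anchored.endswith(needle):
            return entry
    basename = os.path.basename(path)
    for pattern in BLOCKED_BASENAME_PATTERNS:
        if pattern.search(basename):
            return pattern.pattern
    return None


def find_blocked(paths):
    """Return [(path, rule), ...] for every path that trips a rule, in input order."""
    hits = []
    for path in paths:
        rule = blocked_reason(path)
        if rule is not None:
            hits.append((path, rule))
    return hits


def format_error(hits, project="this project"):
    """Build the message shown to the pushing user (wording is an assumption)."""
    lines = ["GitLab: push rejected. Committing secret files is not allowed in %s:" % project]
    for path, rule in hits:
        lines.append("  %s  (matches blocked name: %s)" % (path, rule))
    lines.append("Remove these files from the pushed commits and push again.")
    return "\n".join(lines)


def pushed_paths(oldrev, newrev):
    """Paths added, modified or renamed between oldrev and newrev.

    A newly created ref is diffed against git's empty tree so all of its
    files are examined; a ref deletion has nothing to check.
    """
    if newrev == ZERO_SHA:
        return []
    if oldrev == ZERO_SHA:
        oldrev = subprocess.check_output(
            ["git", "hash-object", "-t", "tree", os.devnull], text=True).strip()
    out = subprocess.check_output(
        ["git", "diff", "--name-only", "--diff-filter=AMR", oldrev, newrev], text=True)
    return [p for p in out.splitlines() if p]


def main():
    # pre-receive feeds one "<oldrev> <newrev> <refname>" line per updated ref.
    hits = []
    for line in sys.stdin:
        oldrev, newrev, _refname = line.split()
        hits.extend(find_blocked(pushed_paths(oldrev, newrev)))
    if hits:
        sys.stderr.write(format_error(hits) + "\n")
        sys.exit(1)


if __name__ == "__main__":
    main()
```

Installed as `hooks/pre-receive` in the server-side repository (and made executable), the script exits non-zero and git relays the message to the pushing client, which is the point at which the user sees the error text described above. Because the check works on names alone, a key stored under an unlisted name is not caught; that is the trade-off the issue accepts by not reading file contents.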
- Yelp pre-commit-hooks project: a framework for managing pre-commit-hooks