@DmZ /pre-commit
Last active Nov 6, 2017

Git pre-commit hook to search for Amazon AWS API keys.
#!/bin/sh
# Git pre-commit hook: refuse the commit if any staged file contains a
# string shaped like an AWS access key ID (20 upper-case alphanumerics)
# or an AWS secret access key (40 base64-style characters).
if git rev-parse --verify HEAD >/dev/null 2>&1
then
    against=HEAD
else
    # Initial commit: diff against an empty tree object
    against=4b825dc642cb6eb9a060e54bf8d69288fbee4904
fi

# Redirect output to stderr.
exec 1>&2

# Concatenate the contents of the staged files. Deleted files are skipped
# (--diff-filter) so cat does not complain about missing paths, and
# /dev/null is always passed so cat never falls back to reading stdin
# when nothing is staged (e.g. git commit --allow-empty).
staged_contents() {
    git diff --cached --name-only -z --diff-filter=ACMR "$against" |
        xargs -0 cat /dev/null
}

# Check changed files for AWS keys: count lines holding a 20-character
# key-ID-like token or a 40-character secret-like token, each delimited
# by characters outside the key alphabet.
KEY_ID=$(staged_contents | grep -c -E '[^A-Z0-9][A-Z0-9]{20}[^A-Z0-9]')
KEY=$(staged_contents | grep -c -E '[^A-Za-z0-9/+=][A-Za-z0-9/+=]{40}[^A-Za-z0-9/+=]')

if [ "$KEY_ID" -ne 0 ] || [ "$KEY" -ne 0 ]; then
    echo "Found patterns for AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY"
    echo "Please check your code and remove API keys."
    exit 1
fi

# Normal exit
exit 0
DmZ (Owner) commented Jul 21, 2014

It must be installed into the .git/hooks directory of a project.
To use it for all new projects, it must be installed globally: https://coderwall.com/p/jp7d5q
(or with the help of git-hooks: https://github.com/icefox/git-hooks)

sadams commented Apr 29, 2015

Great idea, but it's falsely matching any 40-char quoted string, which I sadly have in my repo. If I manage to successfully tweak the regex, I will reply here.

czardoz commented Aug 10, 2015

I enhanced this script to also spit out the filename and line number where the keys were detected: https://gist.github.com/czardoz/b8bb58ad10f4063209bd

Updated to work on both Linux and OS X (uses perl instead of grep), with the regex pattern recommended by AWS: https://gist.github.com/dduvnjak/ce08f917f7ead5f126ef
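As an added example (not part of the gist or any of the comments), the script below runs the gist's two grep patterns, plus a line-anchored variant and an AKIA/ASIA-prefixed variant of this example's own, over constructed sample lines; it reproduces the false positive sadams describes (a quoted 40-character commit hash) and shows which key-shaped lines the original delimiters miss. The key values are the placeholder credentials from the AWS documentation; the anchored and strict patterns are assumptions of this example, not the AWS-recommended pattern linked above.

```shell
#!/bin/sh
# Added example (not from the gist): run the hook's two grep patterns and
# two tightened variants over constructed sample lines. The key-shaped
# values are the placeholder credentials from the AWS documentation.
SAMPLE='aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
commit = "da39a3ee5e6b4b0d3255bfef95601890afd80709"
AKIAIOSFODNN7EXAMPLE
sha256 = 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
part_no = 5B2F9C0D1E3A4F6B7C8D'

# The two patterns from the original gist.
ORIG_ID='[^A-Z0-9][A-Z0-9]{20}[^A-Z0-9]'
ORIG_SECRET='[^A-Za-z0-9/+=][A-Za-z0-9/+=]{40}[^A-Za-z0-9/+=]'
# Same shape, but the start or end of the line also counts as a delimiter,
# so a key that is the first or last token on its line is not missed.
ANCHORED_ID='(^|[^A-Z0-9])[A-Z0-9]{20}([^A-Z0-9]|$)'
ANCHORED_SECRET='(^|[^A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}([^A-Za-z0-9/+=]|$)'
# Access key IDs issued by AWS begin with AKIA (long-term) or ASIA
# (temporary); requiring the prefix drops most 20-character false positives.
STRICT_ID='(^|[^A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}([^A-Z0-9]|$)'

# count_matches PATTERN: number of sample lines matching PATTERN, as the
# hook's grep -c reports it (prints 0 when nothing matches).
count_matches() {
    printf '%s\n' "$SAMPLE" | grep -c -E "$1" || true
}

# Side-by-side results. Expected: ORIG_ID 1 (misses the bare key on line 4),
# ANCHORED_ID 3 (also flags the part number), STRICT_ID 2 (only the two
# real key IDs); ORIG_SECRET and ANCHORED_SECRET 2 each, because the quoted
# 40-character commit hash on line 3 matches just like the real secret.
report() {
    printf 'ORIG_ID          %s\n' "$(count_matches "$ORIG_ID")"
    printf 'ANCHORED_ID      %s\n' "$(count_matches "$ANCHORED_ID")"
    printf 'STRICT_ID        %s\n' "$(count_matches "$STRICT_ID")"
    printf 'ORIG_SECRET      %s\n' "$(count_matches "$ORIG_SECRET")"
    printf 'ANCHORED_SECRET  %s\n' "$(count_matches "$ANCHORED_SECRET")"
}

report
```

The 64-character SHA-256 on line 5 is rejected by every variant because neither 40-character window inside it is delimited on both sides, which is the one class of false positive the original delimiters already handle.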
