Git pre-commit hook to search for Amazon AWS API keys.
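#!/bin/sh
#
# Git pre-commit hook that refuses a commit when the staged content contains
# something shaped like an AWS access key ID or secret access key.
#
# Install as .git/hooks/pre-commit and make it executable. A non-zero exit
# status makes git abort the commit. A pre-commit hook is only a local safety
# net: `git commit --no-verify` skips it, so it does not replace scanning on
# the server side.
#
# Both patterns are anchored with (^|...) and (...|$). A bare [^...] class on
# each side needs a character to actually exist there, so a key that starts or
# ends a line -- e.g. `AWS_ACCESS_KEY_ID=AKIA...` with nothing after it -- would
# otherwise be missed.
#
# Access key ID: 20 upper-case alphanumerics.
# NOTE(review): AWS documents that access key IDs begin with AKIA (long-term)
# or ASIA (temporary); tightening this to (AKIA|ASIA)[A-Z0-9]{16} would cut
# false positives if that narrower scope is acceptable.
AWS_KEY_ID_RE='(^|[^A-Z0-9])[A-Z0-9]{20}([^A-Z0-9]|$)'
# Secret access key: 40 base64-ish characters. `=` is accepted as the LEFT
# boundary (it is excluded only on the right) so that `KEY=<secret>` is
# caught: a secret never starts with `=`, since base64 padding only ever
# trails. The pattern is deliberately broad and also matches other
# 40-character tokens and hashes, which is the known source of false positives.
AWS_SECRET_RE='(^|[^A-Za-z0-9/+])[A-Za-z0-9/+=]{40}([^A-Za-z0-9/+=]|$)'

# Print the staged (index) copy of every file this commit adds, copies,
# modifies or renames, concatenated on stdout. $1 is the commit to diff
# against. Reading ":path" from the index rather than cat'ing the working
# tree matters: the working copy may have been edited after `git add`, and a
# deleted path has no working copy to read at all.
staged_content() {
  git diff --cached --name-only -z --diff-filter=ACMR "$1" |
    xargs -0 -r -I '{}' git show ':{}'
}

# Print the number of staged lines matching extended regex $2, with $1 the
# commit to diff against. grep -c always prints a number (0 when nothing
# matches), which is what keeps the arithmetic test in main() well-formed.
count_matches() {
  staged_content "$1" | grep -c -E "$2"
}

# Entry point: pick the base to diff against, count suspicious lines, and
# return 1 (blocking the commit) when either pattern matched.
main() {
  if git rev-parse --verify HEAD >/dev/null 2>&1; then
    against=HEAD
  else
    # Initial commit: diff against the empty tree object. Hashing /dev/null
    # yields the right id for both SHA-1 and SHA-256 repositories.
    against=$(git hash-object -t tree /dev/null)
  fi

  key_ids=$(count_matches "$against" "$AWS_KEY_ID_RE")
  secrets=$(count_matches "$against" "$AWS_SECRET_RE")

  if [ "${key_ids:-0}" -ne 0 ] || [ "${secrets:-0}" -ne 0 ]; then
    # Diagnostics go to stderr so they reach the user even when git or a
    # wrapper captures stdout.
    printf '%s\n' 'Found patterns for AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY' >&2
    printf '%s\n' 'Please check your code and remove API keys.' >&2
    return 1
  fi
  return 0
}

# The hook's exit status is that of main (last command in the script).
main "$@"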
Great idea, but it falsely matches any 40-character quoted string, which I sadly have in my repo. If I manage to tweak the regex successfully I will reply here.
I enhanced this script to also print the filename and line number where the keys were detected: https://gist.github.com/czardoz/b8bb58ad10f4063209bd
Updated to work on both Linux and OS X (uses perl instead of grep), and to use the regex pattern recommended by AWS: https://gist.github.com/dduvnjak/ce08f917f7ead5f126ef
Must be installed into the `.git/hooks` directory of a project, as an executable file named `pre-commit`. To use it for all new projects it must be installed globally: https://coderwall.com/p/jp7d5q (or with the help of git-hooks https://github.com/icefox/git-hooks). Note that a pre-commit hook is only a local safety net: `git commit --no-verify` skips it, so do not rely on it as the sole protection against committing credentials.