Git pre-commit hook to search for Amazon AWS API keys.

pre-commit

#!/bin/sh
 
if git rev-parse --verify HEAD >/dev/null 2>&1
then
    against=HEAD
else
    # Initial commit: diff against an empty tree object
    against=4b825dc642cb6eb9a060e54bf8d69288fbee4904
fi
 
# Redirect output to stderr.
exec 1>&2
 
# Check changed files for an AWS keys
KEY_ID=$(git diff --cached --name-only -z $against | xargs -0 cat | grep -c -E '[^A-Z0-9][A-Z0-9]{20}[^A-Z0-9]')
KEY=$(git diff --cached --name-only -z $against | xargs -0 cat | grep -c -E '[^A-Za-z0-9/+=][A-Za-z0-9/+=]{40}[^A-Za-z0-9/+=]')
 
if [ $KEY_ID -ne 0 -o $KEY -ne 0 ]; then
    echo "Found patterns for AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY"
    echo "Please check your code and remove API keys."
    exit 1
fi
 
# Normal exit
exit 0

Must be installed into .git/hooks directory of a project.
To use for all new projects must be installed globally https://coderwall.com/p/jp7d5q
(or with help of git-hooks https://github.com/icefox/git-hooks)

Great idea, but it's falsely matching any 40 char quoted string, which i sadly have in my repo. If i manage to successfully tweak regex will reply here.

I enhanced this script to also spit out the filename and line number where the Keys were detected: https://gist.github.com/czardoz/b8bb58ad10f4063209bd

Update to work on both Linux and OS X (uses perl instead of grep), as well as a regex pattern recommended by AWS: https://gist.github.com/dduvnjak/ce08f917f7ead5f126ef