Last active
July 25, 2023 13:40
-
-
Save DmZ/3a99d829f17af383712b to your computer and use it in GitHub Desktop.
Git pre-commit hook to search for Amazon AWS API keys.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| if git rev-parse --verify HEAD >/dev/null 2>&1 | |
| then | |
| against=HEAD | |
| else | |
| # Initial commit: diff against an empty tree object | |
| against=4b825dc642cb6eb9a060e54bf8d69288fbee4904 | |
| fi | |
| # Redirect output to stderr. | |
| exec 1>&2 | |
| # Check changed files for an AWS keys | |
| KEY_ID=$(git diff --cached --name-only -z $against | xargs -0 cat | grep -c -E '[^A-Z0-9][A-Z0-9]{20}[^A-Z0-9]') | |
| KEY=$(git diff --cached --name-only -z $against | xargs -0 cat | grep -c -E '[^A-Za-z0-9/+=][A-Za-z0-9/+=]{40}[^A-Za-z0-9/+=]') | |
| if [ $KEY_ID -ne 0 -o $KEY -ne 0 ]; then | |
| echo "Found patterns for AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY" | |
| echo "Please check your code and remove API keys." | |
| exit 1 | |
| fi | |
| # Normal exit | |
| exit 0 |
Great idea, but it's falsely matching any 40 char quoted string, which i sadly have in my repo. If i manage to successfully tweak regex will reply here.
I enhanced this script to also spit out the filename and line number where the Keys were detected: https://gist.github.com/czardoz/b8bb58ad10f4063209bd
Update to work on both Linux and OS X (uses perl instead of grep), as well as a regex pattern recommended by AWS: https://gist.github.com/dduvnjak/ce08f917f7ead5f126ef
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Must be installed into
.git/hooksdirectory of a project.To use for all new projects must be installed globally https://coderwall.com/p/jp7d5q
(or with help of git-hooks https://github.com/icefox/git-hooks)