Git pre-commit hook that checks for AWS keys

pre-commit.sh

#!/usr/bin/env bash

if git rev-parse --verify HEAD >/dev/null 2>&1
then
    against=HEAD
else
    # Initial commit: diff against an empty tree object
    EMPTY_TREE=$(git hash-object -t tree /dev/null)
    against=$EMPTY_TREE
fi

# Redirect output to stderr.
exec 1>&2
 
# Check changed files for an AWS keys
FILES=$(git diff --cached --name-only $against)

if [ -n "$FILES" ]; then
    KEY_ID=$(grep -E --line-number '[^A-Z0-9][A-Z0-9]{20}[^A-Z0-9]' $FILES)
    KEY=$(grep -E --line-number '[^A-Za-z0-9/+=][A-Za-z0-9/+=]{40}[^A-Za-z0-9/+=]' $FILES)

    if [ -n "$KEY_ID" ] || [ -n "$KEY" ]; then
        exec < /dev/tty # Capture input
        echo "=========== Possible AWS Access Key IDs ==========="
        echo "${KEY_ID}"
        echo ""

        echo "=========== Possible AWS Secret Access Keys ==========="
        echo "${KEY}"
        echo ""

        while true; do
            read -p "[AWS Key Check] Possible AWS keys found. Commit files anyway? (y/N) " yn
            if [ "$yn" = "" ]; then
                yn='N'
            fi
            case $yn in
                [Yy] ) exit 0;;
                [Nn] ) exit 1;;
                * ) echo "Please answer y or n for yes or no.";;
            esac
        done
        exec <&- # Release input
    fi
fi

# Normal exit
exit 0

A modification of https://gist.github.com/DmZ/3a99d829f17af383712b

Installation instructions:

Copy this to $REPOSITORY_DIR/.git/hooks/pre-commit and make it executable.

To make sure it's present every time you create a repo, https://coderwall.com/p/jp7d5q/create-a-global-git-commit-hook

Can we replace the hardcoded hash 4b825dc642cb6eb9a060e54bf8d69288fbee4904 with an adhoc computed value?

git hash-object -t tree /dev/null

I had some problems with this using Git under Windows - the problem turned out to be that the regex wasn't matching a key that ended with an end-of-line (which I imagine is fairly common). I got it working by changing the regexes as follows:

    KEY_ID=$(grep -E --line-number '\b[A-Z0-9]{20}\b' $FILES)
    KEY=$(grep -E --line-number '[^A-Za-z0-9/+=][A-Za-z0-9/+=]{40}(\b|[^A-Za-z0-9/+=])' $FILES) 

@smclauch, the KEY_ID regex you have only matches 20 characters, right?

Yes - the problem with the orignal regex is that [^A-Z0-9] doesn't match EOL (at least not on Windows).

great! but it fails when you try to hide credentials for example AKIA4GQAF5DFSF2MM you add 112312312 at the end of the keyid add numbers and it fails.

This come up for me on google, but the KEY regexp doesn't really work well for me -- even if you get it not false-negativing too much, just 40 chars in a row of [A-Za-z0-9/+=] was matching on lots of false positives in my source, like URLs that happened to have components of the right length and such.

So.... I went and looked what git-secrets does. I didn't really want to use git-secrets, I just wanted a simple little script... so I kind of mashed the regexp git-secrets uses by default for AWS_SECRET_KEY_ID -- which looks for the variable name on the line too -- with this script, and did this:

https://github.com/sciencehistory/scihist_digicoll/blob/aaf57ee373ad568b1b772c0c6bd7645b5deb7e2b/.githooks/pre-commit

(per 1311543 above, that's not a use-case I care about. This is for preventing devs from accidentally committing keys, not catching people "trying to hide" them).