Git pre-commit hook that checks for AWS keys
#!/usr/bin/env bash
# Git pre-commit hook: warn (and prompt) before committing files that contain
# something shaped like an AWS Access Key ID or Secret Access Key.
if git rev-parse --verify HEAD >/dev/null 2>&1
then
    against=HEAD
else
    # Initial commit: diff against the empty tree object (computed here rather
    # than hardcoding its well-known hash)
    against=$(git hash-object -t tree /dev/null)
fi
# Redirect output to stderr so the findings and the prompt are shown even when
# git's stdout is not a terminal.
exec 1>&2
# Patterns are anchored so a key at the very start or end of a line still
# matches; requiring a surrounding character on both sides misses those.
KEY_ID_RE='(^|[^A-Z0-9])[A-Z0-9]{20}([^A-Z0-9]|$)'
KEY_RE='(^|[^A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}([^A-Za-z0-9/+=]|$)'
# Collect the staged files that still exist (added, copied, modified,
# renamed); a deleted path would make grep fail. Read one name per line so
# paths containing spaces survive.
FILES=()
while IFS= read -r f; do
    FILES+=("$f")
done < <(git diff --cached --name-only --diff-filter=ACMR "$against")
if [ "${#FILES[@]}" -gt 0 ]; then
    # Caveat: this scans the working-tree copy of each file, not the staged
    # blob, so it can disagree with what is actually being committed if the
    # file was edited after `git add`. -H always prints the file name (grep
    # omits it for a single file), -I skips binary files, -- guards against
    # file names starting with a dash.
    KEY_ID=$(grep -E -H -I -n -- "$KEY_ID_RE" "${FILES[@]}")
    KEY=$(grep -E -H -I -n -- "$KEY_RE" "${FILES[@]}")
    if [ -n "$KEY_ID" ] || [ -n "$KEY" ]; then
        # Read the answer from the terminal, not from git's stdin. If there is
        # no terminal (e.g. in CI), refuse the commit rather than guess.
        exec < /dev/tty || exit 1
        echo "=========== Possible AWS Access Key IDs ==========="
        echo "${KEY_ID}"
        echo ""
        echo "=========== Possible AWS Secret Access Keys ==========="
        echo "${KEY}"
        echo ""
        while true; do
            read -r -p "[AWS Key Check] Possible AWS keys found. Commit files anyway? (y/N) " yn
            # An empty answer (just Enter) defaults to No
            case "${yn:-N}" in
                [Yy] ) exit 0;;
                [Nn] ) exit 1;;
                * ) echo "Please answer y or n for yes or no.";;
            esac
        done
    fi
fi
# Nothing suspicious found: allow the commit
exit 0
@czardoz czardoz (Owner Author) commented Aug 10, 2015

A modification of https://gist.github.com/DmZ/3a99d829f17af383712b

Installation instructions:

Copy this to $REPOSITORY_DIR/.git/hooks/pre-commit and make it executable.

To make sure it's present every time you create a repo, see https://coderwall.com/p/jp7d5q/create-a-global-git-commit-hook

@numaanashraf numaanashraf commented Aug 10, 2015

Can we replace the hardcoded hash 4b825dc642cb6eb9a060e54bf8d69288fbee4904 with an ad hoc computed value?

git hash-object -t tree /dev/null
@smclauch smclauch commented Feb 10, 2016

I had some problems with this using Git under Windows - the problem turned out to be that the regex wasn't matching a key that ended with an end-of-line (which I imagine is fairly common). I got it working by changing the regexes as follows:

    KEY_ID=$(grep -E --line-number '\b[A-Z0-9]{20}\b' $FILES)
    KEY=$(grep -E --line-number '[^A-Za-z0-9/+=][A-Za-z0-9/+=]{40}(\b|[^A-Za-z0-9/+=])' $FILES) 
@czardoz czardoz (Owner Author) commented Feb 15, 2016

@smclauch, the KEY_ID regex you have only matches 20 characters, right?

@smclauch smclauch commented Feb 25, 2016

Yes - the problem with the original regex is that [^A-Z0-9] doesn't match EOL (at least not on Windows).

@1311543 1311543 commented Dec 18, 2019

Great! But it fails when you try to hide credentials: for example, with AKIA4GQAF5DFSF2MM, if you add 112312312 at the end of the key ID (i.e. add numbers), it fails.
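A worked check of the two regex behaviours discussed in this thread (a key that starts or ends a line, and a key padded with extra digits), added here as an example; it is not part of the gist or of any commenter's code. It assumes only a POSIX shell and `grep -E`. The helper names (`count_hits`, `scan_aws_keys`, `make_sample_file`), the sample file and its lines are constructed for the illustration, and the key values are the placeholder credentials used in the AWS documentation, not live keys.

```shell
#!/usr/bin/env bash
# Added example (not part of the gist): exercise the hook's key patterns
# against constructed sample lines.

# Patterns as written in the original hook: they require a non-key character
# on BOTH sides, so a key that starts or ends a line is missed.
ORIG_KEY_ID_RE='[^A-Z0-9][A-Z0-9]{20}[^A-Z0-9]'
ORIG_SECRET_RE='[^A-Za-z0-9/+=][A-Za-z0-9/+=]{40}[^A-Za-z0-9/+=]'

# Same character classes, anchored with (^|...) and (...|$) so that start and
# end of line count as boundaries. Plain POSIX ERE, so no \b is needed and
# it behaves the same on GNU and BSD grep.
KEY_ID_RE='(^|[^A-Z0-9])[A-Z0-9]{20}([^A-Z0-9]|$)'
SECRET_RE='(^|[^A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}([^A-Za-z0-9/+=]|$)'

# count_hits PATTERN FILE: number of lines in FILE matching PATTERN.
count_hits() {
    # grep -c exits 1 when nothing matches; we only want the number.
    grep -E -c -- "$1" "$2" || true
}

# scan_aws_keys FILE: print candidate lines with file name and line number.
# Returns 0 if any candidate was found, 1 if the file looks clean.
scan_aws_keys() {
    local file="$1" found=1
    if grep -E -n -H -- "$KEY_ID_RE" "$file"; then found=0; fi
    if grep -E -n -H -- "$SECRET_RE" "$file"; then found=0; fi
    return "$found"
}

# make_sample_file PATH: write a constructed sample (hypothetical content).
# The key ID and secret are the example credentials from the AWS docs.
make_sample_file() {
    cat > "$1" <<'EOF'
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
AKIAIOSFODNN7EXAMPLE
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE112312312
# a 40-char hex digest also satisfies the secret-key pattern
commit 0123456789abcdef0123456789abcdef01234567
EOF
}

# Demo: build the sample, scan it, and report in the hook's own terms.
demo() {
    local sample
    sample=$(mktemp)
    make_sample_file "$sample"
    if scan_aws_keys "$sample"; then
        echo "possible AWS keys found (the hook would prompt here)"
    else
        echo "clean"
    fi
    rm -f "$sample"
}
demo
```

On the sample above the anchored `KEY_ID_RE` matches lines 1 and 3 (key at end of line, key alone on a line) while the original `ORIG_KEY_ID_RE` matches neither; the same holds for the secret on lines 2 and 6. Line 4 is the padding case from the last comment: the 21st character is still a digit, so no pattern with a fixed length of 20 can find a boundary there. Line 6 shows the opposite problem, a git SHA-1 is 40 characters from the secret's alphabet and is reported as a possible secret, which is why the hook asks rather than refuses outright.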
