Hi, my team started to use git-crypt recently. I see that for new people it is very easy to forget to unlock the repo and then submit files that should be encrypted.
That is, when a new file is added, a pull request could be created with all secret files exposed.
git clone
# user forgets git crypt unlock or does not have key
vi secrets/some-file.txt
git add secrets/some-file.txt
git commit -m "adding a new secret"
# now at step 4 or 5 git-crypt could return an error to prevent secrets leaks
git push
In this way it should be impossible for people to submit unencrypted files (that should be encrypted according to .gitattributes), regardless of whether they have access to the encrypted content or not.
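One way to get the error at step 4 or 5 today, as an added example that is not part of the issue or of git-crypt's own code: a pre-commit hook that asks `git check-attr` which staged paths carry `filter=git-crypt` and then inspects the staged blob itself. It assumes the documented git-crypt blob format, where every encrypted file begins with the 10-byte header `\0GITCRYPT\0`; a blob marked for encryption that lacks that header is plaintext, which is exactly what gets staged when `git-crypt unlock` was never run or the user has no key. The header check is kept in its own function so it can be used on any file or blob, not only from the hook.

```shell
#!/bin/sh
# Pre-commit hook (added example, not git-crypt's own code): refuse a commit
# when a file that .gitattributes marks with filter=git-crypt is staged in
# plaintext, which is what happens when "git-crypt unlock" was never run.
set -eu

# Hex of the 10-byte header "\0GITCRYPT\0" that git-crypt writes at the
# start of every encrypted blob.
GIT_CRYPT_MAGIC_HEX='00474954435259505400'

# Read a blob on stdin; succeed only if it begins with the git-crypt header.
has_git_crypt_header() {
    actual=$(head -c 10 | od -An -tx1 | tr -d ' \n')
    [ "$actual" = "$GIT_CRYPT_MAGIC_HEX" ]
}

# Succeed if .gitattributes assigns the git-crypt clean/smudge filter to a path.
should_be_encrypted() {
    git check-attr filter -- "$1" | grep -q ': filter: git-crypt$'
}

# Print every staged (added or modified) path that should be encrypted but
# whose staged blob is plaintext. Returns 1 if any such path exists.
find_plaintext_secrets() {
    bad=$(git diff --cached --name-only --diff-filter=AM |
        while IFS= read -r path; do
            if should_be_encrypted "$path" &&
               ! git cat-file blob ":$path" | has_git_crypt_header; then
                printf '%s\n' "$path"
            fi
        done)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

main() {
    if ! offenders=$(find_plaintext_secrets); then
        printf 'pre-commit: these staged files are marked for git-crypt but are NOT encrypted:\n%s\n' "$offenders" >&2
        printf 'Run "git-crypt unlock" (or obtain the key) and stage them again.\n' >&2
        exit 1
    fi
}

# Only run the git checks when installed as .git/hooks/pre-commit, so the
# header check above can also be sourced and used stand-alone.
case "${0##*/}" in
    pre-commit) main ;;
esac
```

Install it as `.git/hooks/pre-commit` (executable) in each clone; because hooks are not versioned, a repo-side safety net still needs a server-side or CI check with the same header test over the pushed blobs.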