awslabs / git-secrets

Prevents you from committing secrets and credentials into git repositories
Apache License 2.0

Different values for `git config --get-all` #179

Open wpcarro opened 4 years ago

wpcarro commented 4 years ago

I'm attempting to use `git secrets --scan-history` in CI, but I'm currently getting false positives because `git config --get-all secrets.patterns` is empty on my CI server but populated on my development machine.

CI

```
$ git config --get-all secrets.patterns
(sk|pk)_(test|live)_[0-9a-zA-Z]{99}
$ cat .git/config
[secrets]
        patterns = (sk|pk)_(test|live)_[0-9a-zA-Z]{99}
```

Dev

```
$ git config --get-all secrets.patterns
(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}
("|')?(AWS|aws|Aws)?_?(SECRET|secret|Secret)?_?(ACCESS|access|Access)?_?(KEY|key|Key)("|')?\s*(:|=>|=)\s*("|')?[A-Za-z0-9/\+=]{40}("|')?
("|')?(AWS|aws|Aws)?_?(ACCOUNT|account|Account)_?(ID|id|Id)?("|')?\s*(:|=>|=)\s*("|')?[0-9]{4}\-?[0-9]{4}\-?[0-9]{4}("|')?
AIza[0-9A-Za-z_-]{35}
[0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com
(^|[^0-9A-Za-z/+])1/[0-9A-Za-z_-]{43}
(^|[^0-9A-Za-z/+])1/[0-9A-Za-z_-]{64}
ya29\.[0-9A-Za-z_-]+
(sk|pk)_(test|live)_[a-zA-Z0-9]{99}
$ command cat .git/config
[secrets]
        patterns = (sk|pk)_(test|live)_[a-zA-Z0-9]{99}
```

Investigation

Where else can these `secrets.patterns` be defined? On my dev machine, I searched through my history for any calls to `--add-provider` or `--add` for patterns, but I cannot find anything that would've added all of these patterns:

```
$ history | egrep '^git(-| )secrets' | sort | uniq
git secrets
git secrets --add-provider -- git secrets
git secrets --add-provider -h
git secrets --commit_msg_hook
git secrets --help
git secrets --install
git-secrets --list
git-secrets --list --help
git secrets --register-gcp
git secrets --scan
git secrets scan
git-secrets --scan
git secrets --scan | grep Stripe
git secrets --scan-history
```

I also tried to find any gitconfig file that might have a `[secrets]` header... I haven't found anything yet:

```
$ sudo updatedb
$ locate gitconfig | xargs rg '\[secrets\]'
# empty
```

To be clear, I'd like my CI machine to have the same patterns as my dev machine. Can someone help me troubleshoot this? Both machines are using git-secrets-1.3.0.

sparr commented 1 year ago

git configuration is accumulated from multiple sources.

`repo/.git/config` is the configuration for a specific repository.

There is also a "global" configuration for git for your user on your computer, which might be found in ~/.gitconfig or ~/.git/config or ~/.config/git/config. I recommend checking these locations on your dev machine.
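A worked illustration of the point sparr makes, added here and not part of the thread or the git-secrets project. Git reads `secrets.patterns` from the system file (`/etc/gitconfig`), the user's global file (`~/.gitconfig` or `$XDG_CONFIG_HOME/git/config`) and the repository's `.git/config`, and `--get-all` concatenates all of them; on a real machine the single most useful command is `git config --show-origin --get-all secrets.patterns`, which prints the file each value came from. The script below reproduces that lookup offline with plain sh and awk over constructed config files (the file contents and the `dev`/`ci` directory layout are made up for the example), then diffs the two machines' pattern sets so a CI job can fail loudly when it is scanning with fewer patterns than the developers registered instead of silently passing.

```shell
#!/bin/sh
# Added example (not git-secrets' own code): find where each secrets.patterns
# value comes from, and report patterns that one machine has but another lacks.
# Equivalent on a real machine: git config --show-origin --get-all secrets.patterns

# Print every "patterns = ..." value under a [secrets] section of one
# git-config style file, one per line. Other keys (e.g. "allowed") are ignored.
secrets_patterns_from() {
    awk '
        /^[ \t]*\[/ { in_secrets = ($0 ~ /^[ \t]*\[secrets\]/) }
        in_secrets && /^[ \t]*patterns[ \t]*=/ {
            sub(/^[ \t]*patterns[ \t]*=[ \t]*/, "")
            print
        }
    ' "$1"
}

# Union of patterns across the files git consults, in git's own order
# (system, global, local); files that do not exist are skipped.
all_patterns() {
    for f in "$@"; do
        if [ -f "$f" ]; then secrets_patterns_from "$f"; fi
    done
}

# Same union, each line prefixed with its origin file (like --show-origin).
show_origins() {
    for f in "$@"; do
        if [ -f "$f" ]; then secrets_patterns_from "$f" | awk -v f="$f" '{ print f ": " $0 }'; fi
    done
}

# Lines of pattern list $1 that do not appear verbatim in pattern list $2.
# -F/-x: patterns are regexes, so compare them as fixed whole lines.
missing_patterns() {
    grep -vxF -f "$2" "$1" || :
}

# Constructed sample files standing in for the two machines in the issue.
work=$(mktemp -d)
mkdir -p "$work/dev" "$work/ci"
# Dev: provider patterns registered into the user's global config, plus the
# Stripe pattern added in the repo's .git/config.
cat > "$work/dev/gitconfig" <<'EOF'
[user]
    name = example
[secrets]
    patterns = (A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}
    patterns = AIza[0-9A-Za-z_-]{35}
    allowed = EXAMPLE_PLACEHOLDER_NOT_A_PATTERN
EOF
cat > "$work/dev/config" <<'EOF'
[secrets]
    patterns = (sk|pk)_(test|live)_[a-zA-Z0-9]{99}
EOF
# CI: no global config at all, only the repo-local file checked out with the code.
cat > "$work/ci/config" <<'EOF'
[secrets]
    patterns = (sk|pk)_(test|live)_[a-zA-Z0-9]{99}
EOF

all_patterns "$work/dev/gitconfig" "$work/dev/config" > "$work/dev.list"
all_patterns "$work/ci/gitconfig"  "$work/ci/config"  > "$work/ci.list"

echo "== origin of each pattern on dev"
show_origins "$work/dev/gitconfig" "$work/dev/config"
echo "== patterns present on dev but missing on CI"
missing_patterns "$work/dev.list" "$work/ci.list"
```

In a pipeline you would replace the constructed files with the real ones (`/etc/gitconfig`, `$HOME/.gitconfig`, `.git/config`) or simply pipe `git config --show-origin --get-all secrets.patterns` from both machines into `missing_patterns`, and exit non-zero when the output is non-empty; the usual fix for the gap itself is to re-run the `--register-*` / `--add` commands in the CI job so the patterns live in a config file the job actually reads.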