search

awslabs / git-secrets

Prevents you from committing secrets and credentials into git repositories
Apache License 2.0
12.36k stars 1.17k forks source link

Secret rules being applied to unstaged files #228

Open raakasf opened 1 year ago

raakasf commented 1 year ago

Not sure if this is designed to be this way, but it prevent me from committing staged files when unstaged files have a prohibited pattern. Am I doing something wrong?

Relevant section from .git/config

[secrets]
    providers = git secrets --aws-provider
    patterns = (A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}
    patterns = (\"|')?(AWS|aws|Aws)?_?(SECRET|secret|Secret)?_?(ACCESS|access|Access)?_?(KEY|key|Key)(\"|')?\\s*(:|=>|=)\\s*(\"|')?[A-Za-z0-9/\\+=]{40}(\"|')?
    patterns = (\"|')?(AWS|aws|Aws)?_?(ACCOUNT|account|Account)_?(ID|id|Id)?(\"|')?\\s*(:|=>|=)\\s*(\"|')?[0-9]{4}\\-?[0-9]{4}\\-?[0-9]{4}(\"|')?
    allowed = AKIAIOSFODNN7EXAMPLE
    allowed = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
    patterns = GRAFANA_API_KEY\\s*=\\s*.+
    patterns = password\\s*=\\s*.+

Git log:

2022-12-12 14:21:49.331 [info] docker/grafana/environment:11:GRAFANA_API_KEY=xxx

[ERROR] Matched one or more prohibited patterns

Possible mitigations:
- Mark false positives as allowed using: git config --add secrets.allowed ...
- Mark false positives as allowed by adding regular expressions to .gitallowed at repository's root directory
- List your configured patterns: git config --get-all secrets.patterns
- List your configured allowed patterns: git config --get-all secrets.allowed
- List your configured allowed patterns in .gitallowed at repository's root directory
- Use --no-verify if this is a one-time false positive
Screenshot 2022-12-12 at 9 21 03 AM