Scan Git repositories for sensitive information and security issues by using git-secrets - AWS Prescriptive Guidance

Created by Saurabh Singh (AWS)

Summary

This pattern describes how to use the open-source git-secrets tool from AWS Labs to scan Git source repositories and find code that might include sensitive information, such as user passwords or AWS access keys, or that has other security issues.

git-secrets scans commits, commit messages, and merges to prevent sensitive information such as secrets from being added to your Git repositories. For example, if a commit, commit message, or any commit in a merge history matches one of your configured, prohibited regular expression patterns, the commit is rejected.

Prerequisites and limitations

Prerequisites 

  • An active AWS account

  • A Git repository that requires a security scan

  • A Git client (version 2.37.1 or later) installed

Architecture

Target architecture 

  • Git

  • git-secrets

Using the git-secrets tool to scan Git source repositories for sensitive information.

Tools

  • git-secrets is a tool that prevents you from committing sensitive information into Git repositories.

  • Git is an open-source distributed version control system.

Best practices

  • Always scan a Git repository by including all revisions:

    git secrets --scan-history

Epics

Connect to an EC2 instance

Task: Connect to an EC2 instance by using SSH.

Description: Connect to an Amazon Elastic Compute Cloud (Amazon EC2) instance by using SSH and a key pair file. You can skip this step if you are scanning a repository on your local machine.

Skills required: General AWS
Install Git

Task: Install Git.

Description: Install Git by using the command:

yum install git -y

If you are using your local machine, you can install a Git client for a specific OS version. For more information, see the Git website.

Skills required: General AWS
Clone the source repository and install git-secrets

Task: Clone the Git source repository.

Description: To clone the Git repository that you want to scan, run the git clone command for that repository from your home directory.

Skills required: General AWS

Task: Clone git-secrets.

Description: Clone the git-secrets Git repository:

git clone https://github.com/awslabs/git-secrets.git

Place git-secrets somewhere in your PATH so that Git picks it up when you run git-secrets.

Skills required: General AWS

Task: Install git-secrets.

Description:

For Unix and variants (Linux/macOS): You can use the install target of the Makefile (provided in the git-secrets repository) to install the tool. You can customize the installation path by using the PREFIX and MANPREFIX variables.

make install

For Windows: Run the PowerShell install.ps1 script provided in the git-secrets repository. This script copies the installation files to an installation directory (%USERPROFILE%/.git-secrets by default) and adds the directory to the current user PATH.

PS > ./install.ps1

For Homebrew (macOS users): Run:

brew install git-secrets

Skills required: General AWS
Scan git code repository

Task: Go to the source repository.

Description: Switch to the directory for the Git repository that you want to scan:

cd my-git-repository

Skills required: General AWS

Task: Register the AWS rule set (Git hooks).

Description: To configure git-secrets to scan your Git repository on each commit, run the command:

git secrets --register-aws

Skills required: General AWS

Task: Scan the repository.

Description: Run the following command to start scanning your repository:

git secrets --scan

Skills required: General AWS

Task: Review the output file.

Description: The tool generates an output file if it finds a vulnerability in your Git repository. For example:

example.sh:4:AWS_SECRET_ACCESS_KEY = *********

[ERROR] Matched one or more prohibited patterns

Possible mitigations:
- Mark false positives as allowed using: git config --add secrets.allowed ...
- Mark false positives as allowed by adding regular expressions to .gitallowed at repository's root directory
- List your configured patterns: git config --get-all secrets.patterns
- List your configured allowed patterns: git config --get-all secrets.allowed
- List your configured allowed patterns in .gitallowed at repository's root directory
- Use --no-verify if this is a one-time false positive

Skills required: General AWS
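The scan and review steps above depend on two lists: the prohibited patterns that the AWS rule set registers and the allowed patterns (secrets.allowed or .gitallowed) that suppress known false positives. The following script is an added example, not code from git-secrets or from this pattern, that re-implements that prohibited/allowed matching with plain grep on constructed sample files, so the behaviour can be studied without git-secrets installed. It assumes the three regular expressions below are equivalent to what git secrets --register-aws stores (verify with git config --get-all secrets.patterns); \s is written as [[:space:]] so any POSIX grep -E accepts the pattern file. The key values in the sample files are made up and match only by shape.

```shell
#!/bin/sh
# Added example (not git-secrets code): grep-only re-implementation of the
# prohibited/allowed matching behind `git secrets --scan` with the AWS rule set.
# Assumption: the regexes below match what `git secrets --register-aws` stores
# in secrets.patterns and secrets.allowed; `\s` is spelled [[:space:]] here.

LC_ALL=C
export LC_ALL

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Prohibited patterns, one ERE per line: access key IDs, a 40-character secret
# assigned to a *KEY name, and a 12-digit account ID.
cat > "$WORK/prohibited" <<'EOF'
(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}
("|')?(AWS|aws|Aws)?_?(SECRET|secret|Secret)?_?(ACCESS|access|Access)?_?(KEY|key|Key)("|')?[[:space:]]*(:|=>|=)[[:space:]]*("|')?[A-Za-z0-9/+=]{40}("|')?
("|')?(AWS|aws|Aws)?_?(ACCOUNT|account|Account)_?(ID|id|Id)?("|')?[[:space:]]*(:|=>|=)[[:space:]]*("|')?[0-9]{4}-?[0-9]{4}-?[0-9]{4}("|')?
EOF

# Allowed patterns, playing the role of .gitallowed / secrets.allowed. The AWS
# rule set allows the example credentials that appear in AWS documentation.
cat > "$WORK/allowed" <<'EOF'
AKIAIOSFODNN7EXAMPLE
wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
EOF

# Constructed sample files. The key material is made up and matches only by shape.
cat > "$WORK/config.sh" <<'EOF'
#!/bin/sh
REGION=us-east-1
# constructed sample values, not real credentials
AWS_ACCESS_KEY_ID = AKIAEXAMPLE000000001
AWS_SECRET_ACCESS_KEY = 0123456789abcdefghijklmnopqrstuvwxyzABCD
EOF

cat > "$WORK/docs.md" <<'EOF'
Example from the AWS documentation (allowed by the AWS rule set):
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
EOF

# scan_file FILE: print every offending line as FILE:LINE:CONTENT, the same
# shape as the git-secrets output shown above, after dropping lines that match
# an allowed pattern. Returns 1 when something was found (a pre-commit hook
# would reject the commit) and 0 when the file is clean.
scan_file() {
    hits=$(grep -nwHE -f "$WORK/prohibited" "$1" | grep -Ev -f "$WORK/allowed" || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        printf '[ERROR] Matched one or more prohibited patterns\n' >&2
        return 1
    fi
    return 0
}

# finding_count FILE: number of offending lines, convenient for checks.
finding_count() {
    scan_file "$1" 2>/dev/null | awk 'END { print NR }'
}

# allow_pattern ERE: mark a false positive as allowed, like adding a line to
# .gitallowed or running `git secrets --add --allowed`.
allow_pattern() {
    printf '%s\n' "$1" >> "$WORK/allowed"
}

# Stand-alone demonstration: config.sh is rejected, docs.md passes.
for f in config.sh docs.md; do
    if scan_file "$WORK/$f"; then
        echo "$f: clean"
    else
        echo "$f: rejected ($(finding_count "$WORK/$f") finding(s))"
    fi
done
```

Running it reports two findings for config.sh (lines 4 and 5) and none for docs.md, because both of the documentation credentials are on the allowed list. Calling allow_pattern 'AKIAEXAMPLE000000001' and scanning config.sh again drops the count to 1, which is exactly the effect of the .gitallowed mitigation listed in the output. Two caveats for the real tool: git secrets --register-aws adds the patterns, while the commit hooks themselves are installed with git secrets --install, and git-secrets scans tracked files through git grep, so run git secrets --scan-history (see Best practices) to cover earlier revisions rather than only the current working tree.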
