Can a git hook be used to replace passwords before staging, adding, or pushing?

Question

Can a git hook be used to replace passwords before staging, adding, or pushing?

I want passwords to be replaced by templates before committing or pushing.

for instance, say I prefix plain texts password with 'PWDEXLUDE_password' and the hook replaces it with <>, so during the deployment phase a script can look for the template, lookup in a database for the password, and substitute that template with production password.

Is something like that available or possible with git?

Answer 1

I would take a different approach, which would be to keep passwords in a configuration file that's not under version control and have your application load them from that file when it runs. Your deploy script just needs to ensure that such a file exists, and each developer can have their own passwords for development and testing.

If you really want to do what you ask, I think you could do it in a pre-commit hook that extracts the staged versions of the files with passwords in them, rewrites them, and stages the rewritten version, making sure not to affect the working copy. However, this seems like a bad idea to me for any number of reasons.

Answer 2

I think the right thing here (if you don't want an ignored file, which I would prefer, too) would be a pair of smudge/clean filters. See the filter section in gitattributes.