What is best practice for keeping secrets out of a git repository?

Problem

Consider this file tree as my development repository.

 - foo/
   - .git/
     - [...]
   - bar/
     - backupclient.py
   - supersecretstoragecredentials.ini

For development, supersecretstoragecredentials.ini needs to be filled in with valid credentials - while I still have to keep a clean version of it in the repository so that other users can easily set their credentials.

Possible solutions

  1. .gitignore supersecretstoragecredentials.ini and create a supersecretstoragecredentials.ini-example,
    1. instruct the user to copy supersecretstoragecredentials.ini-example to supersecretstoragecredentials.ini.
  2. Add an overriding config file location in backup.py which is ignored by git, e.g. supersecretstoragecredentials_local.ini.

As kan pointed out, these two solutions are similar but not entirely the same, workflow-wise.

Are there any other alternatives? Does git possess some kind of functionality to assist with this kind of issue?

joar Avatar asked Nov 29 '11 10:11

joar
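Option 1 from the question, worked through in a throwaway repository. This is an added example, not code from the asker; the file names follow the question's tree, the ini contents are constructed, and the pre-commit hook that refuses a forced `git add -f` of the real file is a hypothetical extra so that a slip cannot put the credentials into history.

```shell
#!/bin/sh
# Added example, not from the original post. Demonstrates option 1:
# ignore the real credentials file, version only a placeholder copy,
# and let git itself confirm that the secret can never be committed.
# File names follow the question; ini contents and the hook are constructed.

SECRET_FILE=supersecretstoragecredentials.ini
EXAMPLE_FILE=${SECRET_FILE}-example

# Create a scratch repository laid out like the question's tree.
setup_ignored_secret_repo() {
  repo=$(mktemp -d) || return 1
  cd "$repo" || return 1
  git init -q . >/dev/null 2>&1
  git config user.email dev@example.invalid
  git config user.name dev
  mkdir -p bar .git/hooks
  : > bar/backupclient.py

  # Versioned template: placeholders only (constructed content).
  printf '[storage]\nuser = CHANGE_ME\npassword = CHANGE_ME\n' > "$EXAMPLE_FILE"

  # The real file and the local override from option 2 are both ignored.
  printf '%s\n%s\n' "$SECRET_FILE" supersecretstoragecredentials_local.ini > .gitignore

  # Hypothetical pre-commit hook: refuse the real file even after `git add -f`.
  cat > .git/hooks/pre-commit <<EOF
#!/bin/sh
if git diff --cached --name-only | grep -qx '$SECRET_FILE'; then
  echo "pre-commit: refusing to commit $SECRET_FILE" >&2
  exit 1
fi
EOF
  chmod +x .git/hooks/pre-commit

  git add -A
  git commit -q -m "Add credentials template and ignore the real file"

  # What the README tells a new developer to do, then fill in local values.
  cp "$EXAMPLE_FILE" "$SECRET_FILE"
  printf '[storage]\nuser = alice\npassword = constructed-not-a-real-secret\n' > "$SECRET_FILE"
}

# 0 if git's ignore rules cover the real file, 1 otherwise.
secret_is_ignored() {
  git check-ignore -q "$SECRET_FILE"
}

# 0 if the template is tracked and the real file is not.
only_template_is_tracked() {
  git ls-files | grep -qx "$EXAMPLE_FILE" || return 1
  git ls-files | grep -qx "$SECRET_FILE" && return 1
  return 0
}

# 0 if a forced `git add -f` of the real file is stopped by the hook.
forced_commit_is_blocked() {
  git add -f "$SECRET_FILE"
  if git commit -q -m "oops" >/dev/null 2>&1; then
    return 1                        # hook did not fire: secret is now in history
  fi
  git rm -q --cached "$SECRET_FILE"  # undo the forced staging
  return 0
}

# Stand-alone run: report each check.
main() {
  setup_ignored_secret_repo
  secret_is_ignored && echo "ignored: $SECRET_FILE"
  only_template_is_tracked && echo "tracked: $EXAMPLE_FILE only"
  forced_commit_is_blocked && echo "blocked: forced commit of $SECRET_FILE"
}
main
```

`git check-ignore` is the quickest way to confirm a rule actually matches before relying on it; the hook covers the case the ignore file cannot, a deliberate `git add -f`. Hooks live in `.git/hooks` and are not cloned, so each developer (or a shared `core.hooksPath`) has to install it.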



2 Answers

Check in the supersecretstoragecredentials.ini file with some placeholder values and then

git update-index --assume-unchanged supersecretstoragecredentials.ini

Git will not track future changes to this file.

You can reset this using

git update-index --no-assume-unchanged supersecretstoragecredentials.ini
dexter Avatar answered Oct 15 '22 05:10

dexter
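The `--assume-unchanged` workflow above in a scratch repository, as an added example that is not part of the answer. The file name follows the question and the ini contents are constructed. One caveat worth knowing from the `git-update-index` documentation: the bit is a performance hint under which the user promises not to change the file, so git may still overwrite the local edit when the tracked version changes upstream; `--skip-worktree` is the bit git documents for "leave my local version alone".

```shell
#!/bin/sh
# Added example, not from the original answer: what `--assume-unchanged`
# does and does not do. File name from the question; ini contents constructed.

SECRET_FILE=supersecretstoragecredentials.ini

# Commit the placeholder version, mark it assume-unchanged, then fill in
# local values, exactly as the answer describes.
setup_assume_unchanged_repo() {
  repo=$(mktemp -d) || return 1
  cd "$repo" || return 1
  git init -q . >/dev/null 2>&1
  git config user.email dev@example.invalid
  git config user.name dev
  printf '[storage]\nuser = CHANGE_ME\npassword = CHANGE_ME\n' > "$SECRET_FILE"
  git add "$SECRET_FILE"
  git commit -q -m "Add credentials file with placeholder values"

  git update-index --assume-unchanged "$SECRET_FILE"
  printf '[storage]\nuser = alice\npassword = constructed-not-a-real-secret\n' > "$SECRET_FILE"
}

# Prints the index flag git shows for the file: 'h' = assume-unchanged, 'H' = normal.
index_flag() {
  git ls-files -v -- "$SECRET_FILE" | cut -c1
}

# 0 if `git status` reports nothing for the edited file.
local_edit_is_hidden() {
  [ -z "$(git status --porcelain -- "$SECRET_FILE")" ]
}

# 0 if the committed blob still holds only placeholders (the file itself stays tracked).
history_has_placeholder_only() {
  git show "HEAD:$SECRET_FILE" | grep -q 'password = CHANGE_ME' || return 1
  git show "HEAD:$SECRET_FILE" | grep -q 'constructed-not-a-real-secret' && return 1
  return 0
}

# The answer's reset step: clear the bit and the local edit shows up again.
reset_bit() {
  git update-index --no-assume-unchanged "$SECRET_FILE"
}

# Stand-alone run: show the flag and status before and after the reset.
main() {
  setup_assume_unchanged_repo
  echo "flag after --assume-unchanged: $(index_flag)"
  local_edit_is_hidden && echo "git status shows nothing for $SECRET_FILE"
  history_has_placeholder_only && echo "HEAD holds only placeholders"
  reset_bit
  echo "flag after --no-assume-unchanged: $(index_flag)"
  git status --porcelain -- "$SECRET_FILE"
}
main
```

`git ls-files -v` is the way to find files carrying the bit later, since `git status` stays silent about them by design.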


What you are describing in Option 1 is basically covered by the smudge step of a content filter driver.

filter driver

You have the two options presented in the "How to work on a drop-in library?" question.

The smudge script would take your supersecretstoragecredentials.ini-example (versioned), copy it as a supersecretstoragecredentials.ini (not versioned, ignored by Git), and fill its values from another source.

But beside the technical aspect of how you will implement your policy, the main measure is to make sure your secret values aren't stored in a Git repo at all, but are coming from another referential.

VonC Avatar answered Oct 15 '22 05:10

VonC
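A clean/smudge filter driver for the credentials file, added here as an example that is not part of the answer. It applies the standard filter-driver pattern rather than the copy-from-`-example` variant the answer sketches: the placeholder file itself is versioned, the `clean` filter replaces the password before the content can reach the object database, and the `smudge` filter re-injects it on checkout from an environment variable. The file name follows the question; the `STORAGE_PASSWORD` variable, the `secrets` filter name and the ini contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original answer: a clean/smudge filter driver
# that keeps the real password out of every blob git stores. File name from
# the question; filter name, STORAGE_PASSWORD and ini contents constructed.

SECRET_FILE=supersecretstoragecredentials.ini

setup_filter_repo() {
  repo=$(mktemp -d) || return 1
  cd "$repo" || return 1
  git init -q . >/dev/null 2>&1
  git config user.email dev@example.invalid
  git config user.name dev

  # Register the driver BEFORE the first `git add`. It lives in .git/config,
  # so every clone has to repeat this step. Single quotes keep the variable
  # reference literal; git's shell expands it each time the filter runs.
  git config filter.secrets.clean 'sed "s/^password = .*/password = CHANGE_ME/"'
  git config filter.secrets.smudge 'sed "s/^password = CHANGE_ME$/password = ${STORAGE_PASSWORD:-CHANGE_ME}/"'
  git config filter.secrets.required true

  # .gitattributes is versioned, so the file-to-filter mapping travels with the repo.
  printf '%s filter=secrets\n' "$SECRET_FILE" > .gitattributes
  printf '[storage]\nuser = alice\npassword = CHANGE_ME\n' > "$SECRET_FILE"
  git add .gitattributes "$SECRET_FILE"
  git commit -q -m "Add credentials file with clean/smudge filter"

  # Developer fills in a local value (constructed) and stages the file;
  # the clean filter turns it back into the placeholder on the way in.
  printf '[storage]\nuser = alice\npassword = constructed-not-a-real-secret\n' > "$SECRET_FILE"
  git add "$SECRET_FILE"
}

# 0 if neither the index nor HEAD contains the real value.
repository_is_clean_of_secret() {
  for ref in ":$SECRET_FILE" "HEAD:$SECRET_FILE"; do
    git show "$ref" | grep -q 'constructed-not-a-real-secret' && return 1
    git show "$ref" | grep -q 'password = CHANGE_ME' || return 1
  done
  return 0
}

# 0 if a fresh checkout with STORAGE_PASSWORD set gets the real value back.
checkout_fills_secret() {
  rm -f "$SECRET_FILE"
  STORAGE_PASSWORD=constructed-not-a-real-secret git checkout -q -- "$SECRET_FILE"
  grep -q 'password = constructed-not-a-real-secret' "$SECRET_FILE"
}

# Prints the password line a checkout without STORAGE_PASSWORD produces.
checkout_without_secret() {
  rm -f "$SECRET_FILE"
  (unset STORAGE_PASSWORD; git checkout -q -- "$SECRET_FILE")
  grep '^password = ' "$SECRET_FILE"
}

# Stand-alone run: show both directions of the filter.
main() {
  setup_filter_repo
  repository_is_clean_of_secret && echo "index and HEAD hold only the placeholder"
  checkout_fills_secret && echo "checkout with STORAGE_PASSWORD restored the local value"
  echo "checkout without it: $(checkout_without_secret)"
}
main
```

The filter does nothing for a clone that has not run the `git config filter.secrets.*` lines, and a `git add` made before registering it stores the secret for good, which is why a pre-commit check or a secret scanner still belongs next to it. The password must not contain `/`, `&` or `\`, which `sed` treats specially in the replacement; a real smudge script would read the value from a secret store rather than from the environment.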