# Preventing Future Leaks

## Pre-Commit Strategies

### 1. Git Hooks Configuration
```bash
## Create pre-commit hook script
mkdir -p .git/hooks
touch .git/hooks/pre-commit
chmod +x .git/hooks/pre-commit
```
### 2. Pre-Commit Hook Example
```bash
#!/bin/bash
## Prevent sensitive data commit
FORBIDDEN_PATTERNS=(
    "password="
    "secret_key="
    "api_token="
)
## Check only the lines being added by the staged changes:
## keep "+" lines, drop the "+++ b/file" header, so removed lines
## and unchanged context cannot trigger a false alarm
for pattern in "${FORBIDDEN_PATTERNS[@]}"; do
    if git diff --cached -U0 | grep '^+' | grep -v '^+++ ' | grep -q -- "$pattern"; then
        echo "Error: Sensitive data detected! (pattern: $pattern)"
        exit 1
    fi
done
```
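The hook above stops at the first matching pattern and reports nothing about where it matched. As an added example (not code from the original page), the following POSIX sh scanner examines only added lines of a staged diff, reports the file and the matched text for every hit, and ships with a constructed sample diff; the regex, the `scan_diff`/`sample_diff` names and the `--hook` argument convention are assumptions for this illustration.

```shell
#!/bin/sh
# Added example (not from the original page): scan only the *added* lines of
# the staged diff, so removing an old secret or editing near one does not
# trigger a false alarm. The regex is an illustrative assumption; extend it.
SECRET_REGEX='(password|passwd|pwd)[[:space:]]*[=:]|(secret|api)_?(key|token)[[:space:]]*[=:]|AKIA[0-9A-Z]{16}|-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----'

# scan_diff: reads unified diff text on stdin and prints "file: <matched text>"
# for each added line matching SECRET_REGEX. Returns 1 if anything was found,
# 0 otherwise, so the hook can use it directly as its exit status.
scan_diff() {
  file=""; hits=0
  while IFS= read -r line; do
    case "$line" in
      "+++ b/"*) file="${line#+++ b/}" ;;   # new-file header: remember the path
      "+++ "*|"--- "*|"@@"*) ;;             # other diff headers: skip
      "+"*)                                  # an added line: test it
        match=$(printf '%s\n' "${line#+}" | grep -Eio -- "$SECRET_REGEX") &&
          { printf '%s: %s\n' "$file" "$match"; hits=1; } ;;
      *) ;;                                  # context or removed line: skip
    esac
  done
  return "$hits"
}

# Constructed sample diff (not a real repository). The removed line and the
# context line must be ignored; the two added lines must be reported.
sample_diff() {
  printf '%s\n' \
    'diff --git a/config.py b/config.py' \
    '--- a/config.py' \
    '+++ b/config.py' \
    '@@ -1,3 +1,3 @@' \
    '-PASSWORD = "old-value"' \
    '+PASSWORD = "hunter2"' \
    '+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"' \
    ' DEBUG = False'
}

# Real use: have .git/hooks/pre-commit run this script with --hook. Without
# the argument only the functions are defined (so the file can be sourced).
if [ "${1:-}" = "--hook" ]; then
  git diff --cached -U0 | scan_diff ||
    { echo "Error: sensitive data detected in staged changes" >&2; exit 1; }
fi
```

Running `sample_diff | scan_diff` prints the two added offending lines (`config.py: PASSWORD =` and `config.py: AKIAIOSFODNN7EXAMPLE`) and exits 1, while the removed `old-value` line and the context line are ignored.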
```mermaid
flowchart TD
    A[Leak Prevention Tools] --> B[Local Scanning]
    A --> C[CI/CD Integration]
    B --> D[Pre-Commit Hooks]
    B --> E[Local Scanners]
    C --> F[GitHub Actions]
    C --> G[GitLab CI]
```
| Tool | Type | Features |
| --- | --- | --- |
| Trufflehog | Scanner | Deep historical scan |
| GitGuardian | Cloud Service | Real-time monitoring |
| Gitleaks | Open Source | Comprehensive scanning |
## Configuration Management

### Environment Variables
```bash
## Use .env.example as template
cp .env.example .env
chmod 600 .env

## Add .env to .gitignore
echo ".env" >> .gitignore
```
### Secret Management Best Practices
- Use environment-specific configurations
- Implement secret rotation
- Use encrypted secret managers
- Limit access to sensitive information
## LabEx Security Workflow
```bash
## Install git-secrets
git clone https://github.com/awslabs/git-secrets
cd git-secrets
sudo make install

## Configure global git-secrets
git secrets --install ~/.git-templates/git-secrets
git config --global init.templatedir ~/.git-templates/git-secrets
```
## Continuous Monitoring

### Automated Scanning Script
```bash
#!/bin/bash
## Periodic security scan
REPO_PATH="/path/to/repository"
LOG_FILE="/var/log/git-security-scan.log"

## Run periodic scans (e.g. from cron); quote paths so spaces are safe
gitleaks detect --source="$REPO_PATH" >> "$LOG_FILE" 2>&1
```