| | git-secrets | gitignore |
|---|---|---|
| Mentions | 32 | 285 |
| Stars | 12,026 | 157,882 |
| Growth | 0.6% | 0.7% |
| Activity | 1.0 | 0.0 |
| Latest commit | 20 days ago | 5 days ago |
| Language | Shell | - |
| License | Apache License 2.0 | Creative Commons Zero v1.0 Universal |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
git-secrets
-
Fired for leaked credentials. How do I explain this?
Well, this doesn't really happen at places that don't suck. They had no least privilege access to critical secrets and no processes (like pre-commit hooks using git-secrets) to prevent them being committed.
-
Recovering from Accidentally Pushing Sensitive Information to a Remote Git Repository
```shell
# macOS
brew install git-secrets

# Linux
git clone https://github.com/awslabs/git-secrets.git
cd git-secrets
make install
```
- Managing secrets like API keys in Python - Why are so many devs still hardcoding secrets?
-
If you pay for an API key depending on the amount of requests, is it safe to push your code to GitHub?
You could use Git hooks to prevent someone from being able to author a commit when you suspect there is a secret being committed. In addition to this, you could also perform this check server-side, in case someone did not run their Git hooks for whatever reason. For example, check out git-secrets.
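The two layers the answer describes, a client-side hook that blocks the commit and a server-side hook that rejects the push if the client hook was skipped, look like this when written out. This is an added example built on one shared scanning function, not git-secrets' own code; the regexes, the allow-listed example key and the hook wiring are illustrative.

```shell
#!/usr/bin/env bash
# Added example (not git-secrets' own code): a client-side pre-commit hook and a
# server-side pre-receive hook sharing one scanning function, so both layers
# enforce the same rules. Patterns are illustrative and deliberately narrow;
# a real deployment would use git-secrets' registered AWS patterns or a
# dedicated scanner.

# Credential shapes to block (constructed list, not exhaustive).
SECRET_PATTERNS='AKIA[0-9A-Z]{16}|aws_secret_access_key[[:space:]]*=[[:space:]]*[A-Za-z0-9/+=]{40}|-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----|ghp_[A-Za-z0-9]{36}'

# Matches that are acceptable despite hitting a pattern, such as the example
# access key AWS uses in its own documentation.
ALLOWED_PATTERNS='AKIAIOSFODNN7EXAMPLE'

# scan_text: read candidate lines on stdin, print offending ones to stderr,
# return 1 if anything matched a secret pattern and was not allow-listed.
scan_text() {
  local hits
  hits=$(grep -E -n "$SECRET_PATTERNS" | grep -E -v "$ALLOWED_PATTERNS" || true)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits" >&2
    return 1
  fi
  return 0
}

# added_lines: keep only the '+' lines of a unified diff read on stdin, with
# the leading '+' stripped. The '+++ b/file' header starts with two pluses and
# is excluded; so is an added line whose own content begins with '+'.
added_lines() {
  grep -E '^\+[^+]' | cut -c2-
}

# Client side (.git/hooks/pre-commit): scan only what is being staged, so a
# pre-existing secret elsewhere in the tree does not block unrelated commits.
precommit_hook() {
  git diff --cached --unified=0 --no-color | added_lines | scan_text
}

# Server side (hooks/pre-receive in the bare repo): stdin carries one
# "<old-sha> <new-sha> <refname>" line per updated ref. Every pushed commit is
# scanned because a developer may have skipped or never installed local hooks.
prereceive_hook() {
  local old new ref range status=0
  local zero=0000000000000000000000000000000000000000
  while read -r old new ref; do
    [ "$new" = "$zero" ] && continue          # ref deletion: nothing to scan
    if [ "$old" = "$zero" ]; then
      range="$new --not --all"                # new branch: only unseen commits
    else
      range="$old..$new"
    fi
    # shellcheck disable=SC2086  # $range is intentionally word-split
    if ! git log -p --unified=0 --no-color $range | added_lines | scan_text; then
      echo "rejected push to $ref: possible credential in diff" >&2
      status=1
    fi
  done
  return "$status"
}
```

Install by calling `precommit_hook` from `.git/hooks/pre-commit` and `prereceive_hook` from the server's `hooks/pre-receive`. The server-side hook is the one that actually enforces the policy; `git commit --no-verify` skips client hooks entirely, and a clone made before the hook was added never had them.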
-
Securing the software supply chain in the cloud
git-secrets
-
How to deal with unintended information leakage when using GitHub as your GIT?
Install git-secrets. Go into each of your repos, scan for past mistakes, and add a git-commit hook:
- GitHub Access Token Exposure
-
Security scanning
I agree that code scanning is really important, the best way to convince others is to identify high-risk threats in source code and present them to the decision-makers. For example, scanning Secrets is great for showing how repositories can be a massive vulnerability and identifying some low-hanging fruit, especially in the git history. Attackers are really after git repository access for this reason and there are plenty of open-source or free tools that you can use to illustrate the problem. Git-Secrets, Truffle Hog. These aren't great for a long-term commercial solution, something like GitGuardian is a better commercial tool but if the goal is just to illustrate the problem then finding some high-value secrets with free tools is a good way to convince the security personnel to invest in some solutions. Then the door is open to having more conversations as you have already proven the risk.
-
Toyota Accidentally Exposed a Secret Key Publicly on GitHub for Five Years
I worked for a big startup last year and was on a contract deadline for integrating a vendor framework into a React Native app.
It was taking too long to get a new temp demo license key and GitHub search with clever filters helped me track down a demo key that was recently uploaded to a test repo.
This is also why I use git-secrets in my repos.
https://github.com/awslabs/git-secrets
-
Marking findings as FPs in recurring scans
Under the covers, it is simply looking up an 'ignore' list stored in YML during each scan. If you are building your own, you might also want to see how AWS Labs is doing it in their solution git secrets.
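The procedure the two posts above point at (scan each repository for past mistakes, install the hook, and keep an allow list for known false positives) driven through git-secrets' own subcommands. This is an added example wrapping documented `git secrets` flags in a small function, not code from the git-secrets project; the repository path, the custom pattern and the allow-listed literal are illustrative.

```shell
#!/usr/bin/env bash
# Added example (not from the git-secrets project): configure git-secrets for
# one repository. Each `git secrets` subcommand used here is documented in the
# git-secrets README; the custom pattern and allowed literal are illustrative.

# setup_git_secrets <repo-dir>: install hooks, register patterns, allow-list a
# known false positive, then scan the tree and the full history.
setup_git_secrets() {
  local repo="$1"
  [ -d "$repo/.git" ] || { echo "not a git repository: $repo" >&2; return 2; }

  # Installs pre-commit, commit-msg and prepare-commit-msg hooks that invoke
  # git-secrets on every commit in this clone.
  git -C "$repo" secrets --install

  # AWS access-key, secret-key and account-id patterns shipped with the tool.
  git -C "$repo" secrets --register-aws

  # A project-specific prohibited pattern (illustrative regex for a GitHub PAT).
  git -C "$repo" secrets --add 'ghp_[A-Za-z0-9]{36}'

  # False-positive handling, the equivalent of the YML ignore list in the post:
  # a literal that hits a prohibited pattern but is known to be harmless (the
  # example key from AWS documentation). git-secrets stores allowed entries in
  # the clone's git config under secrets.allowed, so they never land in the tree.
  git -C "$repo" secrets --add --allowed --literal 'AKIAIOSFODNN7EXAMPLE'

  # Show the resulting configuration (secrets.patterns / secrets.allowed).
  git -C "$repo" secrets --list

  # Scan the working tree recursively, then every revision, so leaks that were
  # committed and later deleted still surface.
  git -C "$repo" secrets --scan -r . &&
  git -C "$repo" secrets --scan-history
}
```

Because both the prohibited patterns and the allow list live in the clone's `.git/config`, they do not travel with the repository: every developer and every CI runner has to run this setup (or use `--global`), which is the reason the server-side check mentioned earlier in the page still matters.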
gitignore
-
Streamlining Software Development: The Power of .gitignore Templates
In conclusion, the Gitignore repository stands as a testament to the power of collective knowledge and collaboration in software development. By providing a centralized repository of .gitignore templates, it empowers developers to streamline their workflow, maintain cleaner repositories, and focus on what they do best – writing exceptional code. As the software development landscape continues to evolve, the significance of .gitignore templates as indispensable tools for developers is set to endure.
-
Release 0.12.0 of stevedore - minor feature enhancement
The challenge here was actually from my #48in28 Exercism participation. I am pretty familiar with the standard layout for some repositories since I am familiar with the tooling and language, but working with new languages does not come with the same familiarity, so I found it made sense to use canonical definitions, hence the use of github/gitignore.
-
How to Use Environment Variables in Node.js
Add .env to your .gitignore file to prevent it from being committed. Here's an example file with it already added. You may also use dotenv for advanced configuration and it will automatically load environment variables from a .env file into process.env.
-
Git Lesson: How to Use .gitignore and .gitkeep?
Here you can find ready-made .gitignore templates for various technologies and languages such as Python, Java, Kotlin, Go, and many others: https://github.com/github/gitignore/tree/main.
-
New to Git/GitHub/Terraform, some questions about Terraform and pushing to GitHub
You could also use this git ignore template. Create your .gitignore and add the contents from that file in.
-
Is there a free way to use unity for creating group projects?
I've only used free Unity with GitHub or GitLab, professionally and reaching back into internships. One recommendation would be to use a slightly longer .gitignore than the default, like this one.
-
Basic Python Project Layout
Virtual environments are a feature that has been part of Python itself since version 3.3. They allow you to isolate both a Python version and any packages you install with it. Every Python project I develop uses a virtual environment for such isolation purposes. Now I generally like to create these virtual environments inside the target project's directory so I know exactly what it's tied to. If you use GitHub's Python gitignore file, naming the virtual environment folder venv or .venv will ensure it doesn't get committed (which you don't want). So I'll make a new project folder and create a virtual environment inside of it:
-
Node.js 20.6.0 will include built-in support for .env files
Especially considering the GitHub .gitignore template for Node only ignores .env.local, not .local.env: https://github.com/github/gitignore/blob/main/Node.gitignore...
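The posts above about `.env` files, `.venv` directories and the `.env.local` versus `.local.env` mismatch all come down to the same check: does the .gitignore in use actually match the path this project writes secrets to? Rather than reading the template, ask git. This is an added example, not code from github/gitignore or from the posts; the path names are illustrative.

```shell
#!/usr/bin/env bash
# Added example (not from github/gitignore or the posts above): ask git itself
# whether secret-bearing paths are covered by the repository's ignore rules,
# instead of assuming a template's spelling (.env.local) matches the file a
# project actually uses (.local.env). Path names are illustrative.

# check_ignored <repo-dir> <path>...: print every path git would NOT ignore and
# return 1 if there is at least one; return 0 when all paths are ignored.
check_ignored() {
  local repo="$1" path status=0
  shift
  for path in "$@"; do
    # check-ignore exits 0 when the path matches an ignore rule and 1 when it
    # does not. Matching is done on the name, so the file need not exist,
    # except that directory rules such as ".venv/" only match real directories.
    if ! git -C "$repo" check-ignore -q -- "$path"; then
      echo "NOT ignored (would be committed): $path"
      status=1
    fi
  done
  return "$status"
}

# Typical call from the root of a Node or Python checkout:
# check_ignored . .env .local.env .venv venv terraform.tfstate server.key
```

Two caveats a practitioner hits immediately: a path that is already tracked is reported as not ignored no matter what .gitignore says (it has to be removed with `git rm --cached` first), and an entry like `.venv/` with a trailing slash is a directory rule, so the check only passes once that directory exists.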
- Where can I find common .gitignores for C# Web API projects?
-
Unable to push to github via github desktop. I added it to GitIgnore and it yielded another issue
# Get latest from https://github.com/github/gitignore/blob/main/Unity.gitignore
What are some alternatives?
trufflehog - Find and verify secrets
terragrunt - Terragrunt is a thin wrapper for Terraform that provides extra tools for working with multiple Terraform modules.
gitleaks - Protect and discover secrets using Gitleaks 🔑
git-lfs - Git extension for versioning large files
secretlint - Pluggable linting tool to prevent committing credentials.
bfg-repo-cleaner - Removes large or troublesome blobs like git-filter-branch does, but faster. And written in Scala
shhgit - Ah shhgit! Find secrets in your code. Secrets detection for your GitHub, GitLab and Bitbucket repositories.
gitlab
aws-vault - A vault for securely storing and accessing AWS credentials in development environments
parcel - The zero configuration build tool for the web. 📦🚀
SecretFinder - SecretFinder - A python script for find sensitive data (apikeys, accesstoken,jwt,..) and search anything on javascript files
gitignore.plugin.zsh - ZSH plugin for creating .gitignore files.