
HOWTO: Prevent your AWS credentials and other secrets from being exposed in code repositories

Uber had AWS credentials exposed on GitHub, as thousands of other companies have. It has been known for a while that private keys and credentials can be found with GitHub's search functionality or with Google dorks, so looking for sensitive information in GitHub repositories is nothing new. What is new is how quickly a leaked key is found and used: credentials pushed to a public repository are routinely picked up by automated scanners within minutes, so a leaked key must be treated as compromised the moment it lands in a public commit, not when someone notices it.

So how can you protect your company’s assets?

Check your repositories now

There is a great tool you should use to check for secrets exposed in your private and public code repositories: Gitrob, developed by Michael Henriksen of the SoundCloud security team.

Gitrob helps organizations find sensitive information lingering in publicly available files on GitHub. This command-line tool goes through all public organization and member repositories and matches filenames against a range of patterns for files that typically contain sensitive or dangerous information (private keys, shell histories, credential files, environment files and the like). Because the matching is on filenames, a secret pasted into an innocuously named source file will not be flagged; Gitrob finds the obvious leaks quickly, not every leak.

It is a good idea to run this kind of scan on a schedule rather than once: a clean result today says nothing about next week's commits, and member repositories come and go as people join and leave the organization.

Gitrob (https://github.com/michenriksen/gitrob)
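To show what a filename-signature scan of this kind looks like against a local checkout, here is an added example. It is not Gitrob's code: the signature list is a constructed subset chosen for illustration, not Gitrob's actual pattern file, and `find_sensitive_files` and `check_tree` are names introduced here.

```shell
#!/bin/sh
# Added example, not Gitrob's own code: walk a local checkout and report
# files whose names match known sensitive-file signatures.
set -f   # patterns are regexes, never let the shell glob-expand them

# Constructed signature list (subset, illustrative): one POSIX extended
# regex per line, matched against the repository-relative path.
SENSITIVE_PATH_PATTERNS='(^|/)id_(rsa|dsa|ecdsa|ed25519)$
\.(pem|key|p12|pfx|pkcs12|jks|kdbx)$
(^|/)\.(env|netrc|htpasswd|npmrc|pypirc|git-credentials|s3cfg|dockercfg|bash_history|mysql_history)$
(^|/)\.aws/credentials$
(^|/)(terraform\.tfvars|secrets?\.ya?ml)$'

# find_sensitive_files ROOT
# Prints every regular file under ROOT (path relative to ROOT, the .git
# directory excluded) whose path matches at least one signature.
find_sensitive_files() {
    root="$1"
    ( cd "$root" && find . -path ./.git -prune -o -type f -print ) |
    sed 's|^\./||' |
    while IFS= read -r path; do
        for pattern in $SENSITIVE_PATH_PATTERNS; do
            if printf '%s\n' "$path" | grep -qE -- "$pattern"; then
                printf '%s\n' "$path"
                break   # report each file once, on its first matching signature
            fi
        done
    done
}

# check_tree ROOT
# Exit 0 when the tree is clean, 1 (with the hits on stderr) otherwise,
# so it can gate a scheduled CI job the way the article recommends.
check_tree() {
    hits=$(find_sensitive_files "$1")
    [ -z "$hits" ] && return 0
    printf 'sensitive file names found under %s:\n%s\n' "$1" "$hits" >&2
    return 1
}
```

Run it as `check_tree /path/to/checkout` from a scheduled job over every repository the organization owns; the signature list is where the real work lies, and it should grow each time an incident review turns up a file type it missed.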

Prevent secrets from being committed to the repos

Once the repos are checked, have a look at git-secrets to prevent your developers from committing sensitive information such as passwords to your code in the first place.

git-secrets is developed by Michael Dowling of the AWS team.

git-secrets scans commits, commit messages, and --no-ff merges to prevent secrets from being added to your git repositories. It does this through git hooks (pre-commit, commit-msg and prepare-commit-msg): if a commit, commit message, or any commit in a --no-ff merge history matches one of your configured prohibited regular expression patterns, the commit is rejected. It also ships a ready-made set of AWS patterns and can scan the existing history of a repository, which is the right first step on a codebase that predates the hook. Two caveats: hooks are client-side, so a developer who has not installed them (or who commits with --no-verify) is not protected, and a pattern-based scanner only catches secrets whose shape it knows. Pair it with a server-side or CI scan of pushed history.

git-secrets (https://github.com/awslabs/git-secrets)
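The hook logic git-secrets implements can be illustrated with a small POSIX shell script. This is an added example, not git-secrets' own code: the two regexes are simplified versions modelled on what `git secrets --register-aws` registers, the allow list reuses the AWS documentation sample credentials that the tool itself ignores, and `scan_file` and `scan_staged` are names introduced here.

```shell
#!/bin/sh
# Added example in the spirit of git-secrets (not the project's code):
# reject a commit when a staged file contains an AWS credential pattern,
# unless the match is on an explicitly allowed value.
set -f   # the patterns below are regexes; do not let the shell glob them

# Simplified regexes modelled on the AWS patterns git-secrets registers.
AWS_KEY_ID_RE='(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'
AWS_SECRET_RE='(SECRET|secret|Secret)_?(ACCESS|access|Access)?_?(KEY|key|Key).{0,3}(:|=>|=)[[:space:]]*.?[A-Za-z0-9/+=]{40}'
SECRET_PATTERNS="$AWS_KEY_ID_RE $AWS_SECRET_RE"

# Allowed values: the sample credentials from the AWS documentation, which
# appear in countless READMEs and tests and are not real keys.
ALLOWED_PATTERNS='AKIAIOSFODNN7EXAMPLE wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'

# scan_file FILE
# Exit 0 if the file is clean, 1 if a prohibited line remains after the
# allow list has been applied. Offending lines go to stderr as FILE:LINE:TEXT.
scan_file() {
    file="$1"
    status=0
    for pattern in $SECRET_PATTERNS; do
        matches=$(grep -nE -- "$pattern" "$file" 2>/dev/null) || continue
        for allowed in $ALLOWED_PATTERNS; do
            matches=$(printf '%s\n' "$matches" | grep -vF -- "$allowed" || true)
        done
        if [ -n "$matches" ]; then
            printf '%s\n' "$matches" |
            while IFS= read -r line; do printf '%s:%s\n' "$file" "$line"; done >&2
            status=1
        fi
    done
    return $status
}

# scan_staged
# Pre-commit hook body: scan every file added, copied or modified in the
# index and refuse the commit if any of them fails. Assumes file names
# without whitespace, which is all a simple for-loop can handle.
scan_staged() {
    rc=0
    for f in $(git diff --cached --name-only --diff-filter=ACM); do
        scan_file "$f" || rc=1
    done
    [ "$rc" -eq 0 ] || echo 'commit rejected: prohibited pattern found' >&2
    return $rc
}

# When installed as .git/hooks/pre-commit the script runs the staged scan;
# when sourced or run under another name it only defines the functions.
case "$0" in
    *pre-commit) scan_staged; exit $? ;;
esac
```

With the real tool the equivalent setup is `git secrets --install` in the repository (or into a template directory configured as `init.templateDir`, so every new clone gets the hooks), `git secrets --register-aws` to load the AWS patterns, `git secrets --add` for your own, and `git secrets --scan-history` to check what is already committed. Whichever you use, a hit on a real key means rotating it; removing the line from the next commit does not remove it from history.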
