/

Best Practices to Protect Your Passwords and API Keys on Git Platforms

Best Practices to Protect Your Passwords and API Keys on Git Platforms

So, you’ve inadvertently posted your password or API key on a public source control management platform like GitHub, GitLab, or BitBucket. Don’t panic! We’ve all been there. The important thing now is to take immediate action to protect your sensitive information and minimize the potential risks. Here’s what you can do:

1. Invalidate the Exposed Password or API Key

The first step is to quickly invalidate the password or API key that was compromised. By doing so, you can prevent unauthorized access to your accounts or systems.

2. Understand the Limitations of Version Control

Rolling back a commit won’t solve the problem entirely since the exposed information will still exist in the repository’s history. Therefore, it’s important to focus on preventing such incidents in the first place.

3. Adopt a Proper Workflow and Tooling

Implementing a correct workflow and utilizing appropriate tools can greatly reduce the risk of committing secrets to publicly available Git repositories. Here are a few recommendations:

Avoid Including Secrets in Source Code

Never add API keys or passwords directly to your source code. These sensitive credentials can easily go unnoticed and become a potential security vulnerability. Instead, store them in a separate .env file located in the root folder of your project. Make sure to add .env to your .gitignore file to ensure it’s never accidentally committed or exposed.

Leverage Dotenv

Consider using a tool like dotenv to access the credentials stored in your .env file. Dotenv allows you to load environment variables from a file, making it easy to manage and securely access any secrets your project relies on.

Utilize git-secrets

To further enhance security, utilize a tool called git-secrets. This tool actively helps you avoid committing secrets to your Git repositories. Here’s how to set it up:

If you’re using macOS, install git-secrets using Homebrew:

1
brew install git-secrets

Navigate to the repository you want to activate git-secrets on, and run:

1
git secrets --install

This will install the Git pre-commit hook, ensuring that git-secrets runs before any commits are made to the repository.

For AWS users specifically, run the following command to register the set of patterns used by AWS credentials:

1
git secrets --register-aws

To immediately scan for any potential issues, use the following command:

1
git secrets --scan

In an ideal scenario, the tool won’t display any output. However, if there are any issues detected, git-secrets will provide detailed information to help you address them effectively.

By following these best practices and utilizing the recommended tools, you can significantly improve your chances of preventing accidental exposure of passwords and API keys on popular Git platforms. Put these measures in place to safeguard both your reputation and the security of your users.

tags: [“password security”, “API key protection”, “Git best practices”]