So, you’ve inadvertently posted your password or API key on a public source control management platform like GitHub, GitLab, or BitBucket. Don’t panic! We’ve all been there. The important thing now is to take immediate action to protect your sensitive information and minimize the potential risks. Here’s what you can do:
1. Invalidate the Exposed Password or API Key
The first step is to quickly invalidate the password or API key that was compromised. By doing so, you can prevent unauthorized access to your accounts or systems.
2. Understand the Limitations of Version Control
Rolling back a commit won’t solve the problem entirely since the exposed information will still exist in the repository’s history. Therefore, it’s important to focus on preventing such incidents in the first place.
3. Adopt a Proper Workflow and Tooling
Implementing a correct workflow and utilizing appropriate tools can greatly reduce the risk of committing secrets to publicly available Git repositories. Here are a few recommendations:
Avoid Including Secrets in Source Code
Never add API keys or passwords directly to your source code. These sensitive credentials can easily go unnoticed and become a potential security vulnerability. Instead, store them in a separate .env file located in the root folder of your project. Make sure to add .env to your .gitignore file to ensure it’s never accidentally committed or exposed.
Leverage Dotenv
Consider using a tool like dotenv to access the credentials stored in your .env file. Dotenv allows you to load environment variables from a file, making it easy to manage and securely access any secrets your project relies on.
Utilize git-secrets
To further enhance security, utilize a tool called git-secrets. This tool actively helps you avoid committing secrets to your Git repositories. Here’s how to set it up:
If you’re using macOS, install git-secrets using Homebrew:
brew install git-secrets
Navigate to the repository you want to activate git-secrets on, and run:
git secrets --install
This will install the Git pre-commit hook, ensuring that git-secrets runs before any commits are made to the repository.
For AWS users specifically, run the following command to register the set of patterns used by AWS credentials:
git secrets --register-aws
To immediately scan for any potential issues, use the following command:
git secrets --scan
In an ideal scenario, the tool won’t display any output. However, if there are any issues detected, git-secrets will provide detailed information to help you address them effectively.
By following these best practices and utilizing the recommended tools, you can significantly improve your chances of preventing accidental exposure of passwords and API keys on popular Git platforms. Put these measures in place to safeguard both your reputation and the security of your users.