Skip to content

I posted my password / API key on GitHub

New Course Coming Soon:

Get Really Good at Git

Or GitLab, or any other public source control management platform. Now what?

I stumbled on a website that continuously scans GitHub, GitLab and BitBucket, the 3 most common places to host source code publicly, and shows you committed SSH passwords, API keys for common services, databases and so on.

Image of passwords

It’s scary, right?

Raise your hand if it never happened to you. We can make mistakes. And when this happens, there’s no other way than quickly invalidating the password or API key that was exposed to the public.

For people new to Git: you can’t just rollback the commit, because it will still be kept in the history of the repository.

Your reputation, the reputation of your project, the security of your users is at stake.

After you fix the emergency, the issue is: how to prevent the problem? What’s the answer? What’s the solution that can help us avoid commit secrets to a publicly available Git repository?

The answer is: workflow and tooling.

First, never add your API keys or passwords inside source code. They can hide in there, quietly. Instead, always add them to a .env file in the project root folder, and add .env to your .gitignore file, so it will never be committed. Use a tool like dotenv to access them.

Use git-secrets, a tool that will help you avoid committing secrets to Git.

In macOS you install it using Homebrew:

brew install git-secrets

then go inside the repository you want to activate it on, and run

git secrets --install

to install the Git pre-commit hook. This will ensure the tool runs before Git makes the commit to the repo.

If you use Amazon Web Services (AWS), run this command to add the set of patterns used by that services credentials:

git secrets --register-aws

You can immediately scan for issues using

git secrets --scan

Ideally the tool should not print anything. But if you have issues, it will give you plenty of details.

Are you intimidated by Git? Can’t figure out merge vs rebase? Are you afraid of screwing up something any time you have to do something in Git? Do you rely on ChatGPT or random people’s answer on StackOverflow to fix your problems? Your coworkers are tired of explaining Git to you all the time? Git is something we all need to use, but few of us really master it. I created this course to improve your Git (and GitHub) knowledge at a radical level. A course that helps you feel less frustrated with Git. Launching May 21, 2024. Join the waiting list!
→ Read my full Git Tutorial on THE VALLEY OF CODE!

Here is how can I help you: