Prevents committing passwords and sensitive information to git repositories using pattern matching and hooks
git-secrets is a git plugin that scans commits, commit messages, and merge histories to prevent sensitive information from being committed to repositories. It uses configurable regular expression patterns to detect prohibited content like passwords, API keys, and other credentials before they enter the git history.
The tool operates through git hooks (pre-commit, commit-msg, and prepare-commit-msg) that automatically scan content during the commit process. When prohibited patterns are detected, the commit is rejected. It includes built-in AWS credential detection patterns and can scan for AWS Access Key IDs, Secret Access Keys, and account IDs. Users can also define custom patterns and secret providers for organization-specific credential formats.
Developers working with cloud services, DevOps teams, and security-conscious organizations would use git-secrets to add an automated layer of protection against credential leaks. The tool supports scanning entire repository histories with git secrets --scan-history, making it useful for auditing existing codebases before making repositories public. It can be configured globally to automatically protect all new repositories or applied selectively to specific projects.
```sh
# via Homebrew
brew install git-secrets

# via Make
make install
```
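To make the hook behaviour described above concrete, here is an added POSIX shell example (not git-secrets' own code) that imitates the pre-commit decision: a list of prohibited regexes, an allow-list for documented placeholders, and rejection of a file whose match is not allow-listed. The regexes, sample files and messages are constructed for this example and only resemble the tool's AWS patterns.

```sh
#!/bin/sh
# Added example, not git-secrets' own code: a minimal stand-in for the
# pre-commit scan it performs, so the accept/reject logic is visible end to end.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Prohibited patterns (like the tool's configured patterns), one extended regex
# per line. Constructed here to imitate an AWS Access Key ID and a secret key.
cat > "$WORK/prohibited" <<'EOF'
AKIA[0-9A-Z]{16}
(aws_secret_access_key|secret)[[:space:]]*[=:][[:space:]]*[A-Za-z0-9/+]{40}
EOF

# Allowed patterns (like an allow-list of known false positives): the value
# below is the placeholder key used in AWS documentation, not a real credential.
cat > "$WORK/allowed" <<'EOF'
AKIAIOSFODNN7EXAMPLE
EOF

# scan_file FILE: print offending lines; return 1 if any remain after allow-listing.
scan_file() {
  matches=$(grep -n -E -f "$WORK/prohibited" "$1") || return 0
  offending=$(printf '%s\n' "$matches" | grep -v -E -f "$WORK/allowed") || return 0
  printf '%s\n' "$offending"
  return 1
}

# pre_commit_check FILE...: the hook's decision, 0 = allow commit, 1 = reject.
pre_commit_check() {
  status=0
  for f in "$@"; do
    scan_file "$f" || { echo "[ERROR] prohibited pattern matched in $f"; status=1; }
  done
  return $status
}

# Constructed sample files: one with a live-looking key, one with only the placeholder.
printf 'AWS_ACCESS_KEY_ID=AKIAZZZZZZZZZZZZZZZZ\n' > "$WORK/leak.env"
printf 'access key example: AKIAIOSFODNN7EXAMPLE\n' > "$WORK/README"

pre_commit_check "$WORK/README" && echo "README: clean, commit allowed"
pre_commit_check "$WORK/leak.env" || echo "leak.env: commit rejected"
```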