Git hook tool that prevents committing passwords and sensitive information to repositories using pattern matching
git-secrets is a Git hook system that prevents sensitive information such as passwords, API keys, and credentials from being committed to repositories. It scans commits, commit messages, and --no-ff merges against a configurable list of regular expressions and rejects any commit that matches a prohibited pattern.
The tool integrates directly with Git's hook system: git secrets --install adds pre-commit, commit-msg, and prepare-commit-msg hooks that scan changes automatically before they are committed. Built-in AWS credential detection is enabled with git secrets --register-aws, which adds regex patterns for AWS Access Key IDs, Secret Access Key assignments, and account ID assignments, adds the example credentials from AWS's own documentation (AKIAIOSFODNN7EXAMPLE and its companion secret) as allowed patterns so they do not cause false positives, and registers ~/.aws/credentials as a secret provider so that the real keys stored there are rejected as well.
git-secrets supports both repository-specific and global configuration (git secrets --add --global), allowing teams to apply one policy across every repository. Users can add custom prohibited patterns (git secrets --add), define allowed patterns that filter false positives (git secrets --add --allowed), and register secret providers (git secrets --add-provider): executables whose output lines are treated as additional prohibited patterns, which lets literal keys be checked without writing them into the git config. Existing history can be scanned with git secrets --scan-history, and git secrets --scan supports scanning staged files (--cached), untracked files (--untracked), and directories recursively (-r).
The tool is primarily used by development teams, DevOps engineers, and security-conscious organizations that need to keep credentials out of version control. Hooks must be installed in each repository with git secrets --install, although installing them into a Git template directory (git secrets --install ~/.git-templates/git-secrets followed by git config --global init.templateDir ~/.git-templates/git-secrets) applies them to every repository created or cloned afterwards. Because the hooks run on the developer's machine and can be skipped with git commit --no-verify, they are a safety net rather than an enforcement point; running git secrets --scan-history in CI catches what a bypassed hook let through.
# via Homebrew
brew install git-secrets
# via Make, from a clone of the repository
make install
# via PowerShell (Windows), from a clone of the repository
./install.ps1
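To make the mechanism concrete, here is an added example (not git-secrets' own code) that rebuilds the core of its pre-commit check from git and grep: prohibited patterns are read from the git config key secrets.patterns and allowed patterns from secrets.allowed, the same keys git secrets --add and git secrets --add --allowed write to, and only lines added by the staged diff are scanned. The AWS_KEY_ID_RE regex is modeled on the Access Key ID pattern that git secrets --register-aws registers; the config.ini contents and the scan_lines/scan_staged/demo function names are constructed for this example.

```sh
#!/bin/sh
# Added example, not git-secrets' own code: a minimal pre-commit scanner built
# from git and grep that reproduces the mechanism git-secrets uses. Prohibited
# patterns are read from the git config key secrets.patterns and allowed
# patterns from secrets.allowed, the same keys git-secrets writes with
# `git secrets --add` and `git secrets --add --allowed`.

# Shape of an AWS Access Key ID, modeled on the pattern `git secrets --register-aws` adds.
AWS_KEY_ID_RE='(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'

# scan_lines PROHIBITED ALLOWED   (text to scan on stdin)
# Both arguments are newline-separated extended regexes; ALLOWED may be empty.
# Prints each line that matches a prohibited pattern and no allowed pattern,
# returning 1 when any such line exists and 0 otherwise.
scan_lines() {
    prohibited=$1
    allowed=$2
    [ -n "$prohibited" ] || return 0                 # nothing registered: accept
    hits=$(grep -E -n -e "$prohibited") || return 0  # no prohibited match: accept
    if [ -n "$allowed" ]; then
        # Allowed patterns filter false positives, e.g. AWS's documented example keys.
        hits=$(printf '%s\n' "$hits" | grep -E -v -e "$allowed") || return 0
    fi
    printf '%s\n' "$hits"
    return 1
}

# scan_staged: what the pre-commit hook runs. Only lines added by the staged
# diff are scanned, using the patterns recorded in the repository's git config.
scan_staged() {
    prohibited=$(git config --get-all secrets.patterns || true)
    allowed=$(git config --get-all secrets.allowed || true)
    git diff --cached --no-color -U0 | grep -E '^\+' | grep -E -v '^\+\+\+ ' |
        scan_lines "$prohibited" "$allowed"
}

# Demo in a throwaway repository (skipped when git is unavailable). The file
# content is constructed; AKIAIOSFODNN7EXAMPLE is the example key from AWS's
# own documentation, which is why git-secrets ships it as an allowed pattern.
demo() {
    command -v git >/dev/null 2>&1 || { echo "git not found, skipping demo"; return 0; }
    tmp=$(mktemp -d)
    (
        cd "$tmp" && git init -q .
        git config --add secrets.patterns "$AWS_KEY_ID_RE"      # equivalent: git secrets --add "$AWS_KEY_ID_RE"
        printf 'aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n' > config.ini
        git add config.ini
        if scan_staged; then echo "unexpected: commit would be allowed"; else echo "commit rejected"; fi
        git config --add secrets.allowed AKIAIOSFODNN7EXAMPLE   # equivalent: git secrets --add --allowed AKIAIOSFODNN7EXAMPLE
        if scan_staged; then echo "commit allowed after whitelisting the example key"; fi
    )
    rm -rf "$tmp"
}

demo
```

Saved as .git/hooks/pre-commit, scan_staged would reject the commit exactly as git-secrets does; the real tool additionally scans the commit message and runs registered providers, whose output lines are appended to the prohibited list before the same match-then-filter step.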