Separate secret credentials from source code
  • 07 May 2019
  • 1 Minute To Read
  • Contributors
  • Share
  • Dark

Separate secret credentials from source code

  • Share
  • Dark

This rule prevents secret files from being included in the repository by excluding them from the source code.

Secret files, similar to security keys, are sometimes committed to Git. It is bad practice to save secret files inside your repositories. Even if the repositories are private, the files are vulnerable and accessible on the computer itself or the server which holds a copy of the repository locally.

Use case(s)

  • Prevent a security breach by ensuring generated secrets keys are excluded from the source code

When does this rule fail?

When one of the commits in the pull request contains a secret file pattern.


How to fix?

  1. Update the code to pull the secret key from a secret management service, for example Vault
  2. Remove the secret file by using BFG Repo-Cleaner (bgf), and push the new code to the branch:
$ git rm <secret-file-path>
$ bfg --<secret-file-path>
$ git reflog expire --expire=now --all && git gc --prune=now --aggressive
$ git commit -a -m "removed secret file from code"
$ git push
  1. If you are working on the same branch with other teammates - notify them to clean their branches
$ git fetch origin/<branch-name>
$ git checkout -B <branch-name>/branch
  1. Datree's policy check automatically ensures the secret key is removed from the pull request

What's Next

Activate a policy
Was This Article Helpful?