gds-pre-commit is a tool for preventing secrets being committed to git. It is based on Yelp’s detect-secrets (https://github.com/Yelp/detect-secrets) project.
If the tool detects that a git commit is being made in an alphagov repository, it scans the contents of the commit to see if contains anything that looks sensitive, like an SSH key, an AWS key or an API token. If it detects something that looks like a “secret”, it prevents the commit from going through; otherwise everything works as normal.
First ensure you have Python 3 and pip installed. On mac, run
brew install python; on ubuntu, run apt-get install python3-pip.
If you are happy with the default location, run the following two commands to install:
The script installs the hook config to your global git config and reports
your registration to us.
git clone https://github.com/alphagov/gds-pre-commit.git ~/.gds-pre-commit/~/.gds-pre-commit/install.pyOnce you've run the above commands the pre-commit framework will be installed with the detect-secrets plugin added to its config globally for git.
- Python 2 or 3 with pip
- Python 3
The pre-commit framework is installed by pip, the Python package manager. To install it on your machine either brew install it or get it from your distributions package manager (it might be called python3-pip, or pip3)
Initially the goal of registration is to enable us to get an idea of coverage. Registration gives us coverage of the alphagov membership. We can then get coverage of (active) alphagov repositories by looking for the baseline file.
Neither of those on their own give us a good idea of how many commits are being made against alphagov without protection so hopefully in time we can actually report by commit with another hook.