DEV Community

Cover image for Do Not Commit Secrets!
The Latino CTO
The Latino CTO

Posted on

Do Not Commit Secrets!

Picture this: every team I've had the pleasure (or sometimes, the pain) of working with has had one thing in common – someone, somewhere, committing secrets to Git.

In my recent adventures as a Technical Lead, CTO, and all-around code wizard, I've witnessed firsthand the struggles of distinguishing between public and private keys. And you know what's even trickier? Accidentally spilling those private keys and secrets onto Git for all to see. It's like leaving your front door wide open in the middle of the night and wondering why your house got burgled.

I've seen .env files with more secrets than my ex-wife and Axios requests spilling the beans on sensitive credentials.

Now, you might be thinking, "What's the harm? Can't we just commit another version without the credentials?" Ah, if only it were that simple.

Well, let's conduct a little experiment, shall we? Create a local Git repository (assuming Git is already in your system)



raul@mbp:~|⇒  mkdir fake-git-repo
raul@mbp:~|⇒  cd fake-git-repo
raul@mbp:~/fake-git-repo|⇒  git init
Initialized empty Git repository in /Users/raul/fake-git-repo/.git/
raul@mbp:~/fake-git-repo|master ⇒  touch .env


Enter fullscreen mode Exit fullscreen mode
  • Add some super secret values to the .env file ```

raul@mbp:~/fake-git-repo|master ⇒ vi .env


Add something like this:
Enter fullscreen mode Exit fullscreen mode

AWS_ACCESS_KEY_ID = 'AKJEGCKAQNSGFN2N68''
AWS_SECRET_ACCESS_KEY = 'mC4gRDpo/o+M1uOfTWgdfgqMqYe38eGmt'
~
~
~
:wq


Save the changes by typing `wq` (write and quit)

- Now commit those changes! although, you shouldn't!

Enter fullscreen mode Exit fullscreen mode

raul@mbp:~/fake-git-repo|master⚡ ⇒ git add .
raul@mbp:~/fake-git-repo|master⚡ ⇒ git commit -m "let's commit something we shouldn't commit"
[master (root-commit) 2be5583] let's commit something we shouldn't commit
1 file changed, 2 insertions(+)
create mode 100644 .env


- Now, for the sake of the story, let's assume you follow a Code Review procedure and someone caught you committing these secrets. They told you it's not safe. You immediately said, "OK! I'll remove them," so you go to `vi`, remove those values from the file, and commit again without the secrets.


Enter fullscreen mode Exit fullscreen mode

AWS_ACCESS_KEY_ID =
AWS_SECRET_ACCESS_KEY =
~
~
~
:wq


- Let's use `git` to double-check our changes before commit

Enter fullscreen mode Exit fullscreen mode

diff --git a/.env b/.env
index 90912b1..3c569d6 100644
--- a/.env
+++ b/.env
@@ -1,2 +1,2 @@
-AWS_ACCESS_KEY_ID = 'AKJEGCKAQNSGFN2N68''
-AWS_SECRET_ACCESS_KEY = 'mC4gRDpo/o+M1uOfTWgdfgqMqYe38eGmt'
+AWS_ACCESS_KEY_ID =
+AWS_SECRET_ACCESS_KEY =


If you pay attention, the lines with a `-` are the ones deleted, and the ones with `+` are the added ones. So we're all good! We removed the values of our super secrets! Yay!

Now, commit the safer .env file.

Enter fullscreen mode Exit fullscreen mode

raul@mbp:~/fake-git-repo|master⚡ ⇒ git commit -a -m 'removes secrets'
[master 61a83f4] removes secrets
1 file changed, 2 insertions(+), 2 deletions(-)


If you open the file now, secrets are no longer there
Enter fullscreen mode Exit fullscreen mode

raul@mbp:~/fake-git-repo|master ⇒ cat .env
AWS_ACCESS_KEY_ID =
AWS_SECRET_ACCESS_KEY =


### You're Wrong!

You might believe you're all safe now. But the whole purpose of Git is to keep track of changes and allow us to go back in the history of our files if necessary. Let's investigate the history of our `fake-repository` and `.env` file.

- Use `git log -p -2`.
  - `-p` means patch, and when used along with log, it will show what changed (removed, added, modified).
  - `-2` tells the log to show the latest 2 commits.


Enter fullscreen mode Exit fullscreen mode

commit 61a83f419b174f0750d7dab56c9e0469b0c27784 (HEAD -> master)
Date: Fri Feb 16 20:57:26 2024 +1300

removes secrets
Enter fullscreen mode Exit fullscreen mode

diff --git a/.env b/.env
index 90912b1..3c569d6 100644
--- a/.env
+++ b/.env
@@ -1,2 +1,2 @@
-AWS_ACCESS_KEY_ID = 'AKJEGCKAQNSGFN2N68''
-AWS_SECRET_ACCESS_KEY = 'mC4gRDpo/o+M1uOfTWgdfgqMqYe38eGmt'
+AWS_ACCESS_KEY_ID =
+AWS_SECRET_ACCESS_KEY =

commit 2be5583e6c94c7b70e0f4232fea5ff1fb13603a8
Date: Fri Feb 16 20:46:59 2024 +1300

let's commit something we shouldn't commit
Enter fullscreen mode Exit fullscreen mode

If you take a deep look, `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` appear twice. But one with a `-` and another with a `+`, meaning that the line with `-` was removed and the one with `+` was added.

So, we could see what was the old value (with our secrets) which we thought we safely removed from the public!

Now, you might ask...why do I care so much about this?


### Real-Life Example from GitHub

If the previous example doesn't seem scary, let's head over to `github.com` and see if secrets are being leaked or not, and why we should be worried.

Here's a direct link for you to search for commits on GitHub public repositories:

[https://github.com/search?q=remove+secrets&type=commits](https://github.com/search?q=remove+secrets&type=commits) 

You'll see a lot of repositories with commits named `remove secrets`


![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/bxbbspc357f0mlygsrxz.png)

If you click on some of them, you might be able to see files like this:


![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/aymqcdm0j28gbko3fuu9.png)

That's actually `google cloud computing secrets! I blurred the values, and I hope this person already rotated this certificate or they could be in serious problems having people accessing their Google Cloud services and probably incurring charges.

Look at this other example where someone tried to remove AWS secrets, MySQL DB connection strings, etc.

![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/l50wy58jro6rg3yfav7e.png)

## Summary

I hope this helps people understand why there's a Tech Lead, Senior Dev, etc., asking you not to commit secrets.

I've come to realize we usually tell others what not to do without giving a reason of why it shouldn't be done.

Hopefully, this blog will help me too, to teach some of the developers I work with. And if in the meantime, someone else can learn something, well, you're welcome!









Enter fullscreen mode Exit fullscreen mode

Top comments (0)