Zack Proser

ggshield can save you from yourself. Never accidentally commit secrets again

ggshield can save you from yourself. Never accidentally commit secrets again
A developer watching the API key they accidentally committed to GitHub migrating throughout the internet - thinking of the Slack messages they're about to have to send...

Committing a secret, like an API key or service token, to version control is a painful mistake, which I've done myself and seen plenty of others do, too. Fixing it usually involves at least some degree of emotional pain - you need to announce the incident and work whatever incident process your organization might have.

You may need to ask others for assistance, either in generating a new secret or helping you rotate the compromised one if you don't have sufficient access yourself.

Engineers from multiple teams attempting to remove a secret from Git history
Engineers from the Ops, API and frontend teams attempting to excise an exposed secret from Git history, while the director of engineering sobs in the background

Depending on the size of your org, this could involve filing some tickets, starting a couple of different conversations, pulling other colleagues off what they were focusing on, etc.

It sucks - and it's worth investing in a process that can help you by preventing you from committing anything that looks like a secret in the first place.

ggshield is an amazing tool from GitGuardian

GitGuardian

You may have heard of GitGuardian - a service that runs against public GitHub repositories, scans them for secrets (API keys, tokens, passwords, etc) which may have been accidentally committed, and then emails you an alert and some helpful tips on remediating the issue.

I was delighted to discover they also have a command line interface (CLI) that anyone can use to scan their local working directory to ensure no secrets are hardcoded or otherwise exposed.

Even more powerfully, you can integrate ggshield with a git pre-commit hook in order to ensure that every single time you attempt to commit code from your machine, you automatically get a sanity check ensuring you're not about to leak something sensitive.

What does it look like when ggshield saves your ass?

ggshield finding a secret

Here's a screenshot of a test I ran against a local repository. First, I used openssl to generate a certificate that was just sitting in my local repository. I then ran ggshield secret scan repo, and the tool correctly found my secret, before I committed it and ruined everyone's day.

It's even better when combined with git hooks

Git hooks allow you to "hook" into different git lifecycle events in order to run your own code. For example, the pre-commit hook allows you to run your own code before you create a new git commit.

This is the perfect place to scan for secrets, and ggshield supports this workflow out of the box. GitGuardian has great documentation for all the ways you can use ggshield alongside git hooks, but I personally wanted to run it as a global pre-commit hook.

This means that for any and every repository I'm working with, ggshield will scan my local git changes for secrets. This is a nice way to automate away needing to worry about letting a random token or certificate slip through when you're in a hurry.

Of course it's critical to perform code reviews, and ask your team for a second set of eyes to ensure you're keeping your secrets out of version control, but having this extra layer of automated scanning works very well in concert with these other best practices.

ggshield preventing a secret from escaping
ggshield preventing a secret from escaping