This project includes a comprehensive pre-commit hook to prevent secrets from being accidentally committed to the repository.
# Install the pre-commit hook
./scripts/setup-git-hooks.sh- API Keys: Groq, OpenAI, Anthropic, Google, AWS
- Tokens: GitHub, JWT, Slack, Discord, Stripe, PayPal
- Credentials: Passwords, database URLs, email credentials
- Private Keys: SSH keys, SSL certificates, PGP keys
- Sensitive Files: .env, config.json, credentials.json
- Format Checking: .env file format validation
- JSON Validation: Syntax checking for JSON files
- Hardcoded URLs: Detection of localhost and IP addresses
- Security TODOs: Flags security-related TODO/FIXME comments
- Critical: Blocks commit immediately (API keys, passwords)
- Warning: Shows warnings but allows commit (localhost URLs)
- Info: Provides suggestions (.gitignore improvements)
If the setup script doesn't work, install manually:
# Copy the hook
cp scripts/pre-commit-hook.sh .git/hooks/pre-commit
chmod +x .git/hooks/pre-commit
# Test the hook
.git/hooks/pre-commit --testgit commit --no-verify# β
Good - Use .env file
GROQ_API_KEY=<your-api-key>
SECRET_KEY=<your-secret>
# β Bad - Hardcoded in code
api_key = "gsk_" + "NEVER_HARDCODE_KEYS"# β
Good - Environment variables
import os
api_key = os.environ.get('GROQ_API_KEY')
# β Bad - Hardcoded secrets
api_key = "gsk_" + "EXAMPLE_NEVER_USE_THIS"// β
Good - Environment variables (server-side)
const apiKey = process.env.GROQ_API_KEY;
// β Bad - Hardcoded secrets
const apiKey = "gsk_" + "NEVER_HARDCODE_IN_JS";| Type | Pattern | Example |
|---|---|---|
| Groq API Keys | gsk_[a-zA-Z0-9]{48,} |
gsk_1234... |
| OpenAI API Keys | sk-[a-zA-Z0-9]{48,} |
sk-1234... |
| AWS Access Keys | AKIA[0-9A-Z]{16} |
AKIA1234... |
| GitHub Tokens | gh[pousr]_[A-Za-z0-9_]{36,255} |
ghp_1234... |
| JWT Tokens | eyJ[a-zA-Z0-9_-]*\..* |
eyJ1234... |
| Private Keys | SSH/SSL key patterns | Private key files |
If the hook incorrectly flags legitimate content:
- Check the pattern: Is it actually a secret?
- Add to exclusions: Modify the hook to exclude specific patterns
- Use placeholders: Replace with
YOUR_API_KEY_HEREin examples
# Check if hook is executable
ls -la .git/hooks/pre-commit
# Make executable if needed
chmod +x .git/hooks/pre-commit
# Test manually
.git/hooks/pre-commit# Check git config
git config --get core.hooksPath
# Enable hooks (if disabled)
git config --unset core.hooksPath# Set proper permissions on .env files
chmod 600 .env
# Never commit .env files
echo ".env" >> .gitignore- Use environment variables for all secrets
- Enable HTTPS in production
- Implement rate limiting
- Use secure session cookies
- Validate all user inputs
- Keep dependencies updated
- Use different API keys for development/production
- Rotate API keys regularly
- Monitor API usage for anomalies
- Use least-privilege access principles
If secrets are accidentally committed:
-
Immediate Actions:
# Remove from history (if recent) git reset --soft HEAD~1 git reset HEAD . # Or rewrite history (dangerous) git filter-branch --force --index-filter \ 'git rm --cached --ignore-unmatch path/to/secret/file' \ --prune-empty --tag-name-filter cat -- --all
-
Rotate Compromised Secrets:
- Generate new API keys immediately
- Update all environments with new keys
- Revoke old keys from provider dashboards
-
Verify Clean History:
# Check git history for secrets git log --all --full-history -- path/to/secret/file
For security-related issues:
- Create a private GitHub issue
- Email: security@yourproject.com
- Follow responsible disclosure practices
Remember: Security is everyone's responsibility! π‘οΈ