199 points elza_1111 | 6 comments
edverma2 ◴[] No.44452644[source]
All devs should run open-source trufflehog as a precommit hook for all repositories on their local system. It’s not a foolproof solution, but it’s a small time investment to get set up and gives me reasonable assurance that I will not accidentally commit a secret. I’m unsure why this is not more widely considered standard practice.
replies(2): >>44452810 #>>44452859 #
1. Cthulhu_ ◴[] No.44452810[source]
Pre-commit hooks are client-side only and opt-in; I've always been a big proponent of pre-commit hooks, as the sooner you find an issue the cheaper it is to fix, but over time pre-commit hooks that e.g. run unit tests tend to take longer and longer, and some people want to do rapid-fire commits instead of being a bit more thoughtful about it.
replies(4): >>44452889 #>>44452899 #>>44453352 #>>44456867 #
2. bapak ◴[] No.44452889[source]
pre-commits require discipline:

- enforce them on CI too; not useful for secrets but at least you're eventually alerted

- do not run tasks that take more than a second; I do not want my commit commands to not be instant.

- do not prevent bad code from being committed, just enforce formatting; running tests on pre-commit is ridiculous, imagine Word stopping you from saving a file until you fixed all your misspellings.

3. ali_piccioni ◴[] No.44452899[source]
I moved all my precommit hooks to prepush hooks. I don’t need a spellchecker disrupting my headspace when I’m deep into a problem.

My developer environments are set up to reproduce CI tests locally, but if I need to resort to “CI driven development” I can bypass prepush hooks with --no-verify.

replies(1): >>44457165 #
4. emmelaich ◴[] No.44453352[source]
One good (and obviously bad) thing about Subversion was the ability to change history. As admin I was asked numerous times to change a commit message. To point to the correct Jira issue, for instance.

Also easier to enforce pre-commit, since it was done server side.

5. SAI_Peregrinus ◴[] No.44456867[source]
A CI system can run the precommit hooks, and fail if any files are changed or the hooks don't exit successfully.

6. pxc ◴[] No.44457165[source]
CI driven development results in so many shitty commits, though, and it's so slow. I find it very miserable.

Pre-commit hooks should be much, much faster than most CI jobs; they should collectively run in less than a second if possible.
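
One way to implement the CI-side check described in the comments above (run the same hooks in CI, and fail if they exit unsuccessfully or change any files), as an added example that is not from any commenter. The function names and the checksum-snapshot approach are assumptions; a Git-based job could compare the tree with `git diff --exit-code` instead.

```shell
# Added example: CI-side gate for client-side hooks (hypothetical names).
# Client hooks are opt-in and can be skipped, so CI re-runs them and treats
# both a failing hook and a hook that rewrites files as a failed build.

# Print a sorted checksum listing of every regular file under $1,
# skipping the .git directory.
snapshot() {
    (cd "$1" && find . -path ./.git -prune -o -type f -exec cksum {} + | sort)
}

# ci_hook_gate DIR CMD [ARGS...]
# Returns 0 if CMD exits 0 and leaves DIR unchanged,
#         1 if CMD exits non-zero,
#         2 if CMD created, deleted or modified files,
#         3 if no temporary directory could be created.
ci_hook_gate() {
    gate_dir=$1
    shift
    gate_tmp=$(mktemp -d) || return 3
    snapshot "$gate_dir" > "$gate_tmp/before"

    gate_status=0
    (cd "$gate_dir" && "$@") || gate_status=$?

    snapshot "$gate_dir" > "$gate_tmp/after"
    gate_result=0
    if [ "$gate_status" -ne 0 ]; then
        echo "hook exited with status $gate_status: $*" >&2
        gate_result=1
    elif ! cmp -s "$gate_tmp/before" "$gate_tmp/after"; then
        # The hook changed something, so the commit was made without it.
        echo "hook modified the working tree:" >&2
        diff "$gate_tmp/before" "$gate_tmp/after" >&2 || true
        gate_result=2
    fi
    rm -rf "$gate_tmp"
    return "$gate_result"
}

# Usage in a CI job (the script path is a placeholder):
#   ci_hook_gate . ./scripts/pre-commit-checks.sh || exit 1
```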