←back to thread

I scanned all of GitHub's "oops commits" for leaked secrets

(trufflesecurity.com)
199 points elza_1111 | 1 comments | 03 Jul 25 06:44 UTC | HN request time: 0.306s | source
Show context
edverma2 ◴[03 Jul 25 07:48 UTC] No.44452644[source]
All devs should run open-source trufflehog as a precommit hook for all repositories on their local system. It’s not a foolproof solution, but it’s a small time investment to get set up and gives me reasonable assurance that I will not accidentally commit a secret. I’m unsure why this is not more widely considered standard practice.
replies(2): >>44452810 #>>44452859 #
Cthulhu_ ◴[03 Jul 25 08:16 UTC] No.44452810[source]
Pre-commit hooks are client-side only and opt-in; I've always been a big proponent of pre-commit hooks, as the sooner you find an issue the cheaper it is to fix, but over time pre-commit hooks that e.g. run unit tests tend to take longer and longer, and some people want to do rapid-fire commits instead of being a bit more thoughtful about it.
replies(4): >>44452889 #>>44452899 #>>44453352 #>>44456867 #
1. emmelaich ◴[03 Jul 25 09:50 UTC] No.44453352[source]
One good (and obviously bad) thing about Subversion was the ability to change history. As admin I was asked numerous times to change a commit message. To point to the correct Jira issue, for instance.

Also easier to enforce pre-commit, since it was done server side.