Ensure you have the pre-commit framework set up first.
pre-commit --version(to check whether it's installed)brew install pre-commitcd <project repo root>pre-commit install
Make sure to copy the nhd-git-secrets folder into the root of the project repository, and then navigate the terminal to the repo root
cd nhsd-git-secretscp git-secrets ..cp .gitallowed-base ../.gitallowed
Then if you don't have an existing .pre-commit-config.yaml in the root of your repo:
cp .pre-commit-config.example.yaml ../.pre-commit-config.yaml
Otherwise integrate the git-secrets example config into your existing file.
Then:
cd ..pre-commit installgit add .pre-commit-config.yaml
Next time you do a commit the git secrets hook should be invoked.
- Add individual regex expressions to the existing
repo_root/nhsd-git-secrets-nhsd-rules-deny.txtfile - Or, create your own file for regex rules and add it as a provider within the pre-commit script e.g.:
git secrets --add-provider -- cat git-secrets/nhsd-rules-deny.txt
-
Add file/dir excludes within the
repo_root/.gitallowedfile, e.g..*terraform.tfstate.*:* -
Control full scan vs staged files scan within pre-commit (mac) script by commenting/uncommenting the mode to run e.g.:
# Just scan the files changed in this commit
# git secrets --pre_commit_hook
# Scan all files within this repo for this commit
git secrets --scan- make sure you have done git add if you have changed anything within git-Secrets
- Run:
pre-commit run git-secrets
Alternatively, you might find this dockerfile convenient, which:
- Copies your source code into a docker image
- Downloads latest version of the secret scanner tool
- Downloads latest regex patterns from software-engineering-quality-framework
- Runs a scan