Ensure you have the pre-commit framework set up first:
pre-commit --version   (to check whether it's installed)
brew install pre-commit
cd <project repo root>
pre-commit install
Make sure to copy the nhsd-git-secrets folder into the root of the project repository, and then navigate the terminal to the repo root:
cd nhsd-git-secrets
cp -r git-secrets ..
cp .gitallowed-base ../.gitallowed
Then if you don't have an existing .pre-commit-config.yaml in the root of your repo:
cp .pre-commit-config.example.yaml ../.pre-commit-config.yaml
Otherwise, integrate the git-secrets example config into your existing file.
Then:
cd ..
pre-commit install
git add .pre-commit-config.yaml
Next time you commit, the git-secrets hook should be invoked.
- Add individual regex expressions to nhsd-rules.txt
- Add regex rules files within wrapper.sh, e.g.:
  git secrets --add-provider -- cat git-secrets/nhsd-rules.txt
- Add file/dir excludes within .gitallowed, e.g.:
  .*terraform.tfstate.*:*
- Control full scan vs staged files scan within wrapper.sh by commenting/uncommenting the mode to run, e.g.:
  # Just scan the files changed in this commit
  # git secrets --pre_commit_hook
  # Scan all files within this repo for this commit
  git secrets --scan
- Make sure you have done git add if you have changed anything within git-secrets
- Run:
  pre-commit run git-secrets
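As an added illustration (not part of the nhsd-git-secrets project or its wrapper.sh), the shell script below approximates how git-secrets combines a rules file with .gitallowed: each rule pattern is grepped over the files, every hit is reported as file:line:content, and any hit matching a .gitallowed pattern is dropped. That is why .gitallowed patterns are written against the whole output line, path included, as in the terraform.tfstate exclude above. The file names, rule patterns and sample contents are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from nhsd-git-secrets: a minimal stand-in for the
# "scan with rules, then filter through .gitallowed" behaviour so the two
# files can be tried offline. Everything under $WORK is constructed.

WORK="${TMPDIR:-/tmp}/nhsd-git-secrets-demo.$$"
mkdir -p "$WORK/src"
trap 'rm -rf "$WORK"' EXIT

# Constructed rules file standing in for git-secrets/nhsd-rules.txt
# (one extended regex per line).
cat > "$WORK/nhsd-rules.txt" <<'EOF'
AKIA[0-9A-Z]{16}
password[[:space:]]*=[[:space:]]*['"][^'"]+['"]
EOF

# Constructed .gitallowed: one regex per line, matched against the
# git-secrets style output line "file:line:content".
cat > "$WORK/.gitallowed" <<'EOF'
.*terraform.tfstate.*:*
.*:.*password = 'CHANGE_ME'.*
EOF

# Constructed sample files: one real finding, one allowed placeholder,
# one hit inside an excluded path, one clean file.
printf 'password = "hunter2"\n' > "$WORK/src/config.py"
printf 'password = '\''CHANGE_ME'\''\n' > "$WORK/src/example.env"
printf '{"access_key":"AKIAABCDEFGHIJKLMNOP"}\n' > "$WORK/src/terraform.tfstate"
printf 'nothing to see\n' > "$WORK/src/README"

# scan_for_secrets RULES ALLOWED FILE...
# Prints every "file:line:content" hit not covered by an allowed pattern.
# Returns 1 if any such hit remains (commit should be blocked), else 0.
scan_for_secrets() {
    rules="$1"; allowed="$2"; shift 2
    hits=$(grep -nHE -f "$rules" "$@" | grep -vE -f "$allowed" || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# count_findings RULES ALLOWED FILE...  -> number of remaining hits
count_findings() {
    scan_for_secrets "$@" | grep -c . || true
}

# Stand-alone demo: mirrors what the pre-commit hook would decide.
if scan_for_secrets "$WORK/nhsd-rules.txt" "$WORK/.gitallowed" "$WORK"/src/*; then
    echo "clean: commit would proceed"
else
    echo "secrets found above: commit would be blocked"
fi
```

Only src/config.py is reported: the CHANGE_ME placeholder and the hit inside terraform.tfstate are both swallowed by .gitallowed, which is exactly the effect of the excludes described in the list above.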
Alternatively, you might find this Dockerfile convenient, which:
- Copies your source code into a docker image
- Downloads latest version of the secret scanner tool
- Downloads latest regex patterns from software-engineering-quality-framework
- Runs a scan