Preventing Leaked Azure Secrets in GitHub!
Published May 18 2020 11:23 AM 7,452 Views

Hello Everyone! Today I would like to share with you a very important security topic. Did you ever push password or secrets creds to GitHub by accident? Did you ever wish if there is a way to block your commit or warning you that there are sensitive creds in your code?


Today many developers and Open-Source communities use GitHub to collaborate and store their code. There are many security best practice articles already published and we can find it easy by any search engine. I am not going to talk about best practice today.


I would like to talk about a specific case scenario. Assuming as a developer and you structure your .gitignore and your code and everything looks great however maybe by an accident an important file with Azure creds was saved or placed in your repo and You are not aware of the file is there. You may think it is not real scenario or it is difficult to happen. In this case you maybe interested to read this article


Now since the .gitignore file does not know about it, this sensitive file will sneak into your public repo during the commit and push process.  Or Maybe to you missed structuring .gitignore and now your local.settings.json, .env that contains hardcoded secrets creds will be pushed to your rep. Would be nice if git warns you before you do commit?


I would introduce git-secrets, It is an open-source project that helps to prevent you from committing passwords and other sensitive information into git repo. The plugin supports Azure, AWS, and GCP.

git-secrets scans commit, to prevent adding secrets into your git repositories. If a commit, commit message, or any commit in a --no-ff merge history matches one of your configured prohibited regular expression patterns, then the commit is rejected.


Installing git-secrets

git-secrets must be placed somewhere in your PATH so that it is picked up by git when running git secrets.

*nix (Linux/macOS)

You can use the install target of the provided Makefile to install git secrets and the man page. You can customize the install path using the PREFIX and MANPREFIX variables.




make install








PS > ./install.ps1




Homebrew (for macOS users)




brew install git-secrets




Installing git hooks

You MUST install the git hooks for every repo that you wish to use with git secrets --install.

Here's a quick example of how to register Azure provider:




cd /path/to/my/repo
git secrets --install
git secrets --register-azure




You can also install another provider like AWS and GPC




cd /path/to/my/repo
git secrets --install
git secrets --register-aws
git secrets --register-gcp




Before making public a repository 

With git-secrets is also possible to scan a repository including all revisions:




git secrets --scan-history





Let assume we have repo and it has sensitive creds and  we are going to commit it. Let's see what will happen when we use git-secrets hook.




C:\github\my_app>git add .

C:\github\my_app>git commit -m "adding plugin"
src/       ='4cbcc7d8-094d-4006-1049-0d11d61f484d' 
src/          ='89f62c1d-cabf-4372-b217-7f3dd31f55fb'
src/ ='99d8e999-a50c-43ab-a03a-e3a8280d0000'
src/ '-----BEGIN RSA PRIVATE KEY-----'
src/ '-----BEGIN EC PRIVATE KEY-----'
src/ '-----BEGIN DSA PRIVATE KEY-----'
src/ '-----BEGIN PGP PRIVATE KEY-----'
src/ = ""
src/ = ''
src/ = ''
src/ = ''
src/ = ''
src/ = ''
src/ = ''
src/ = ''
src/ = ''
src/ =''
src/ ='Dl2~.?@#$%^&*_!+=[]{}|\:n()/,`;"'
src/ ='Bf[]tvS1C|-w=k./@A/&h:R/0!@yJLu#'
src/          "102a3be2-3a83-423a-a724-12d63eb47288",
src/          "20c843c0-6aac-4f11-9bc2-06220720d699"

[ERROR] Matched one or more prohibited patterns

Possible mitigations:
- Mark false positives as allowed using: git config --add secrets.allowed ...
- Mark false positives as allowed by adding regular expressions to .gitallowed at repository's root directory
- List your configured patterns: git config --get-all secrets.patterns
- List your configured allowed patterns: git config --get-all secrets.allowed
- List your configured allowed patterns in .gitallowed at repository's root directory
- Use --no-verify if this is a one-time false positive




As you see, the plugin scanned the code and found many sensitive creds patterns that is hardcoded like Tenant_ID, SubscriptionID, ClientID, Client key, Private Certs, Azure services endpoint for blob, table, SAS token..etc

Fantasics!!!! Now we have chance to review our code again and make the necessary change to keep our creds safe and secure and our code clean.



Using git-secrets hook is the first line of defense against leaking sensitive creds into the github

If you would like to know more about the tool please visit my repo git-secrets

1 Comment
Version history
Last update:
‎May 18 2020 12:16 PM
Updated by: