Prevent your credentials from being committed to git

Posted by Markus Benning on August 21, 2017

Sometimes you want to add local credentials to a configuration file without adding them to version control, or you just want to make sure credentials don't get added to version control at all. Git filters can be used to strip credentials out of a file before it is committed.

A filter is just a simple pipe command that reads content from STDIN and writes the filtered content to STDOUT. Git runs a "clean" filter on a file's content when the file is staged, so the repository stores the filtered output while your working copy keeps the real values.

An example filter script in ruby:

# Read the file content from STDIN (or from files named on the command line)
ARGF.each do |line|
  # "user: alice" / "username = alice" -> "user: username"
  line.gsub!(/^(\s*user(?:name)?\s*[:=]\s*)(.*)$/i, '\1username')
  # "password: hunter2" / "token = abc" -> "password: secret"
  line.gsub!(/^(\s*(?:password|token)\s*[:=]\s*)(.*)$/i, '\1secret')
  # line still carries its trailing newline, so puts does not add another
  puts line
end

And the same example in perl:

use strict;
use warnings;

# Read the file content from STDIN (or from files named on the command line)
while (<>) {
  # "user: alice" / "username = alice" -> "user: username"
  s/^(\s*user(?:name)?\s*[:=]\s*)(.*)$/$1username/i;
  # "password: hunter2" / "token = abc" -> "password: secret"
  s/^(\s*(?:password|token)\s*[:=]\s*)(.*)$/$1secret/i;

  # $_ still carries its trailing newline
  print $_;
}

It will replace most username fields in ini and yaml style files with ‘username’ and passwords with ‘secret’.
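The same two substitution rules as the ruby filter above, wrapped in functions so they can be tried against a constructed sample config before the script is wired into git. This is an added example, not code from the original post; it also shows which keys the post's regexes leave untouched (anything not starting with user, username, password or token, such as db_password or api_token):

```ruby
# Added example (not from the original post): the post's scrubbing rules,
# exercised against constructed sample config content.

USER_RE   = /^(\s*user(?:name)?\s*[:=]\s*)(.*)$/i
SECRET_RE = /^(\s*(?:password|token)\s*[:=]\s*)(.*)$/i

# Apply the clean filter to a whole file's content and return the result.
def scrub(content)
  content.each_line.map do |line|
    line.sub(USER_RE, '\1username').sub(SECRET_RE, '\1secret')
  end.join
end

# Return the lines of `content` that still contain any of `secrets` after
# scrubbing, i.e. values the filter would let through into the index.
def leaked(content, secrets)
  scrub(content).each_line.select { |l| secrets.any? { |s| l.include?(s) } }
end

# Constructed sample: yaml and ini style, mixed case and indentation.
SAMPLE = <<~CONF
  production:
    username: alice
    Password = hunter2
    token: abc123
  [database]
  user=dbadmin
  db_password = pg-secret
  api_token: tok-999
CONF

if __FILE__ == $0
  puts scrub(SAMPLE)
  # db_password and api_token do not match the anchored key names
  leaked(SAMPLE, %w[alice hunter2 abc123 dbadmin pg-secret tok-999]).each do |l|
    warn "still present after filtering: #{l}"
  end
end
```

Keys like db_password or api_token need their own pattern (or a looser one such as `\w*password`) if your config files use them.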

The next step is to define a filter with this script in your global git config:

git config --global filter.credentials.clean <git-clean-credentials-script>

This will add a section with your filter script to the .gitconfig file:

[filter "credentials"]
 clean = <git-clean-credentials-script>

The next step is to apply this filter in your git projects. This is done with git attributes. To filter yaml config files, add the following line to .gitattributes in the root directory of your git repository:

config/*.yml filter=credentials

Create the file if it does not yet exist, and commit it to the repository. If the filter is not configured in someone else's git client, the attribute is simply ignored, so the scrubbing only happens on machines where the filter is set up.