top | item 46231384


willwade | 2 months ago

Can I have this between my machine and git, please? It's twice now that I've committed .env* and it totally passed me by (usually because it's to a private repo), then later on we/someone clears down the files and forgets to rewrite git history before pushing live. It should never have got there in the first place. (I wish GitHub did a scan before making a repo public.)

acheong08 | 2 months ago

GitHub does warn you when you have API keys in your repo. Alternatively, there are CLI tools such as TruffleHog that you can run from a pre-commit hook so the scan happens automatically before every commit.

cwinq | 2 months ago

You can try GitGuardian; it is very powerful and free for individual developers and small teams. It has pre-commit hooks, detection in the IDE, and so on.

ComputerGuru | 2 months ago

I already mentioned it in another reply, but .env files and passing secrets as environment variables are a tragedy. Take a look at how SecureStore stores secrets encrypted at rest; you're even advised to commit them to git!

https://github.com/neosmart/securestore-rs

hombre_fatal | 2 months ago

At least you can put .env in the global gitignore. I haven't committed .DS_Store in 15 years because of it; its secrets will die with me.

willwade | 2 months ago

Sorry, global gitignore. What have I been doing?

PunchyHamster | 2 months ago

Aside from the already mentioned hooks, you can add a global .gitignore for .env files.
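The two fixes the thread converges on, a global gitignore and a pre-commit hook, as one worked example. This is an added example, not code from any commenter or from TruffleHog/GitGuardian: a POSIX sh hook that refuses to commit `.env` files and greps only the added lines of the staged diff for a small set of secret-looking patterns, plus a one-time helper that sets up `core.excludesFile`. The regex list, the allowed template names (`.env.example`, `.env.sample`, `.env.template`) and the `~/.gitignore_global` path are assumptions; the sample strings in the comments are constructed (the AKIA value is the placeholder key from the AWS documentation).

```shell
#!/bin/sh
# Added example, not from the thread. Install as a hook with:
#   cp precommit-secrets.sh .git/hooks/pre-commit && chmod +x .git/hooks/pre-commit
# Run setup_global_ignore by hand once per machine.

# Return 0 if a path is a .env file that must never be committed.
# Placeholder templates are allowed through (assumed naming convention).
is_env_file() {
  case "${1##*/}" in
    .env.example|.env.sample|.env.template) return 1 ;;
    .env|.env.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Read file names on stdin, print the ones that must be blocked.
blocked_env_files() {
  while IFS= read -r f; do
    if is_env_file "$f"; then printf '%s\n' "$f"; fi
  done
}

# Assumed pattern list, tuned for few false positives rather than coverage:
#   AWS access key IDs (e.g. AKIAIOSFODNN7EXAMPLE), PEM private key headers,
#   and KEY=value lines where the name looks like a secret and the value is
#   at least 16 token characters (e.g. STRIPE_SECRET_KEY=sk_live_...).
# For broader detection run TruffleHog or gitleaks from the same hook.
SECRET_REGEX="AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----|(api_?key|secret|token|passw(or)?d)[A-Za-z0-9_]*[[:space:]]*[=:][[:space:]]*[\"']?[A-Za-z0-9/+=_.-]{16,}"

# Read text on stdin; return 0 if any line matches SECRET_REGEX.
scan_for_secrets() {
  grep -Eiq "$SECRET_REGEX"
}

# The hook body: both checks run so the developer sees every problem at once.
precommit_check() {
  rc=0
  bad=$(git diff --cached --name-only --diff-filter=ACM | blocked_env_files)
  if [ -n "$bad" ]; then
    printf 'pre-commit: refusing to commit env file(s):\n%s\n' "$bad" >&2
    rc=1
  fi
  # Only lines being added (leading '+', but not the '+++' file header),
  # so text already in history is not rescanned on every commit.
  if git diff --cached -U0 --diff-filter=ACM | grep -E '^\+[^+]' | scan_for_secrets; then
    echo "pre-commit: staged additions contain a secret-looking string; inspect 'git diff --cached'" >&2
    rc=1
  fi
  return $rc
}

# One-time setup of the global ignore list (assumed path ~/.gitignore_global).
# The '!' line re-includes the placeholder template that .env.* would hide.
setup_global_ignore() {
  ignore="${HOME}/.gitignore_global"
  touch "$ignore"
  for pat in '.env' '.env.*' '!.env.example' '.DS_Store'; do
    grep -qxF -- "$pat" "$ignore" || printf '%s\n' "$pat" >> "$ignore"
  done
  git config --global core.excludesFile "$ignore"
}

# git invokes the hook as .git/hooks/pre-commit; only then run the check.
case "$0" in
  */pre-commit|pre-commit) precommit_check || exit 1 ;;
esac
```

The global ignore and the hook cover different failure modes: the ignore list stops an accidental `git add .`, but not `git add -f` or a file that was already tracked before the rule existed, which is exactly the "commit to a private repo, clean up later" path in the original post; the hook catches those because it looks at what is actually staged. Neither helps once a secret has been pushed, so a key that reaches a shared remote should be rotated regardless of whether history is rewritten.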