# awslabs/git-secrets

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/awslabs-git-secrets).**

13,177 stars · 1,244 forks · Shell · apache-2.0

## Links

- GitHub: https://github.com/awslabs/git-secrets
- awesome-repositories: https://awesome-repositories.com/repository/awslabs-git-secrets.md

## Description

Git-secrets is a security utility designed to prevent the accidental exposure of sensitive credentials by integrating automated scanning directly into the version control commit lifecycle. It functions as a commit scanner that evaluates staged files and commit messages against defined security policies before changes are finalized in a repository.

The tool utilizes regular expression pattern matching to identify potential secrets and supports the registration of custom patterns to address specific organizational security requirements. To manage operational friction, it includes mechanisms for false-positive filtering through allowlists and provides options to bypass validation for specific commits when necessary.

Beyond commit-time interception, the software supports retrospective analysis: it performs a linear traversal of the repository history to audit the entire project timeline for sensitive data that was already committed. It is also extensible, allowing validation logic to be delegated to external scripts or binaries so that it can integrate with dynamic secret-checking workflows.

## Tags

### Security & Cryptography

- [Commit Risk Scanning](https://awesome-repositories.com/f/security-cryptography/secret-scanning/commit-risk-scanning.md) — Automatically scans staged files and commit messages to block sensitive credentials from being saved into version control.
- [Credential Security and Utilities](https://awesome-repositories.com/f/security-cryptography/identity-access-management/authentication-strategies/session-and-credential-handling/credential-security-utilities.md) — Provides a utility for scanning repository history and staged files to identify and block the accidental exposure of sensitive credentials.
- [Security Auditing Tools](https://awesome-repositories.com/f/security-cryptography/security-auditing-tools.md) — Analyzes entire project history to identify and report previously committed secrets that may have been accidentally exposed.
- [Pattern Matching Engines](https://awesome-repositories.com/f/security-cryptography/pattern-matching-engines.md) — Uses regular expression pattern matching to identify sensitive data formats within source code and commit messages.
- [Security Scan Exclusions](https://awesome-repositories.com/f/security-cryptography/security-scan-exclusions.md) — Enables defining allowed patterns or exclusion files to ignore safe matches and prevent unnecessary blocking of legitimate code. ([source](https://github.com/awslabs/git-secrets#readme))
- [Allowlist Management](https://awesome-repositories.com/f/security-cryptography/security/utilities/allowlist-management.md) — Provides mechanisms to define exclusion rules that suppress false positives and permit known safe content during security scans.
- [Custom Pattern Matchers](https://awesome-repositories.com/f/security-cryptography/custom-detection-rules/custom-pattern-matchers.md) — Supports registering custom regular expressions to identify and block specific types of sensitive data from being committed. ([source](https://github.com/awslabs/git-secrets#readme))
- [Custom Pattern Policies](https://awesome-repositories.com/f/security-cryptography/infrastructure-policy-enforcement/security-policy-enforcers/custom-pattern-policies.md) — Allows defining and registering custom regular expression patterns to detect proprietary or sensitive data types.
- [External Secret Resolution](https://awesome-repositories.com/f/security-cryptography/external-secret-resolution.md) — Integrates with external commands or scripts to dynamically fetch and check against lists of known sensitive credentials. ([source](https://github.com/awslabs/git-secrets#readme))
- [Leaked Credential Checks](https://awesome-repositories.com/f/security-cryptography/password-management/leaked-credential-checks.md) — Validates code against sensitive data patterns to prevent credential leaks during the development workflow.
- [Automation Security](https://awesome-repositories.com/f/security-cryptography/governance-policy-frameworks/compliance-governance/security-and-compliance/automation-security.md) — Enforces security policies by running custom regular expression checks against code changes before they are finalized.
- [Development Bypasses](https://awesome-repositories.com/f/security-cryptography/identity-access-management/access-control/policy-enforcement-engines/authentication-bypass/development-bypasses.md) — Allows users to bypass secret validation for specific commits or merges to ensure legitimate code changes are not blocked. ([source](https://github.com/awslabs/git-secrets#readme))

### Development Tools & Productivity

- [Git Hooks](https://awesome-repositories.com/f/development-tools-productivity/git-hooks.md) — Integrates automated security scanning directly into the version control commit lifecycle using pre-commit hooks.
- [Version Control and Repository Tools](https://awesome-repositories.com/f/development-tools-productivity/version-control-repository-tools.md) — Analyzes all past revisions in a repository to identify and report any previously committed secrets. ([source](https://github.com/awslabs/git-secrets#readme))
- [Commit History Analysis](https://awesome-repositories.com/f/development-tools-productivity/commit-history-analysis.md) — Performs retrospective security analysis by traversing the entire project history to identify previously committed sensitive data.

### Hardware & IoT

- [External Process Plugins](https://awesome-repositories.com/f/hardware-iot/integration-performance/hardware-interfacing-integration/hardware-integration/device-sensors/external-integrations/external-process-plugins.md) — Supports delegating validation logic to external scripts or binaries to enable extensible and dynamic security scanning.
