怎么在github上看密钥

I stumbled on a website that continuously scans , GitLab and BitBucket, the 3 most common places to host source code publicly, and shows you committed SSH passwords, API keys for common services, databases and so on.

我偶然发现了一个网站，该网站连续扫描 ，GitLab和BitBucket，这是公开存储源代码的3个最常见的位置，并向您显示已提交的SSH密码，通用服务的API密钥，数据库等。

It’s scary, right?

很恐怖吧？

Raise your hand if it never happened to you. We can make mistakes. And when this happens, there’s no other way than quickly invalidating the password or API key that was exposed to the public.

如果从未发生过，请举手。 我们会犯错误。 而且，当发生这种情况时，除了快速使公开的密码或API密钥无效之外，别无他法。

For people new to : you can’t just rollback the commit, because it will still be kept in the history of the repository.

对于 ：您不能仅回滚提交，因为它仍将保留在存储库的历史记录中。

Your reputation, the reputation of your project, the security of your users is at stake.

您的声誉，项目的声誉，用户的安全受到威胁。

After you fix the emergency, the issue is: how to prevent the problem? What’s the answer? What’s the solution that can help us avoid commit secrets to a publicly available Git repository?

解决紧急情况后，问题是：如何预防该问题？ 答案是什么？ 有什么解决方案可以帮助我们避免将秘密提交给公开的Git存储库？

The answer is: workflow and tooling.

答案是：工作流程和工具。

First, never add your API keys or passwords inside source code. They can hide in there, quietly. Instead, always add them to a .env file in the project root folder, and add .env to your .gitignore file, so it will never be committed. Use a tool like to access them.

首先，切勿在源代码中添加API密钥或密码。 他们可以安静地躲在里面。 相反，请始终将它们添加到项目根文件夹中的.env文件中，并将.env添加到您的.gitignore文件中，这样就永远不会提交它。 使用类的工具来访问它们。

Use , a tool that will help you avoid committing secrets to Git.

使用 ，该工具将帮助您避免将秘密提交给Git。

In macOS you install it using Homebrew:

在macOS中，您可以使用Homebrew安装它：

brew install git-secrets

then go inside the repository you want to activate it on, and run

然后进入要激活它的存储库，然后运行

git secrets --install

to install the Git pre-commit hook. This will ensure the tool runs before Git makes the commit to the repo.

安装Git预提交钩子。 这将确保工具在Git提交到存储库之前运行。

If you use Amazon Web Services (AWS), run this command to add the set of patterns used by that services credentials:

如果您使用Amazon Web Services(AWS)，请运行以下命令以添加该服务凭证使用的模式集：

git secrets --register-aws

You can immediately scan for issues using

您可以立即使用扫描问题

git secrets --scan

Ideally the tool should not print anything. But if you have issues, it will give you plenty of details.

理想情况下，该工具不应打印任何内容。 但是，如果您遇到问题，它将为您提供许多详细信息。

翻译自:

怎么在github上看密钥