explaingit

awslabs/git-secrets

13,303 · Shell · Audience: developer · Complexity: 2/5 · Setup: easy

TLDR

A tool from AWS Labs that blocks you from accidentally committing passwords or AWS credentials to git by scanning each commit before it is saved.

Mindmap

mindmap
  root((repo))
    What it does
      Block secret commits
      Pre-commit hook scan
      AWS credential patterns
    Installation
      Homebrew on macOS
      Makefile on Linux
      PowerShell on Windows
    Features
      Custom patterns
      Allowlist for test keys
      Full history scan
      Global template
    Use Cases
      AWS key protection
      Pre-public repo audit
      Team-wide enforcement


Things people build with this

USE CASE 1

Prevent AWS access keys, secret access keys, and account IDs from being committed to any git repository.

USE CASE 2

Scan a repository's full commit history before making it public to check for any previously leaked credentials.

USE CASE 3

Add your own custom regex patterns to block company-specific secrets like database passwords or internal API tokens.

USE CASE 4

Configure a global git template so every new repository you create or clone automatically gets secret-scanning hooks.

Tech stack

Shell · Git hooks · Homebrew

Getting it running

Difficulty · easy · Time to first run · 5 min

Installing the program is not enough: git-secrets must be initialized separately inside each repository you want to protect (git secrets --install, then git secrets --register-aws), and this per-repo setup step is easy to overlook.

In plain English

git-secrets is a command-line tool from AWS Labs that prevents passwords and other sensitive values from being committed to a git repository. It works by installing hooks into a repository so that each commit, commit message, and certain merges are checked against a set of forbidden patterns before they are accepted. If anything matches, the commit is blocked and the offending text is reported.

After installing the program on your system (via Homebrew on macOS, a Makefile on Linux, or a PowerShell script on Windows), you must run a separate setup command, git secrets --install, inside each repository you want protected; the README highlights this as a step people frequently overlook. The hooks it installs cover three points in the commit process: just before the commit is made (pre-commit), when the commit message is written (commit-msg), and when a merge brings in new history (prepare-commit-msg).

Because git-secrets was built at AWS, it includes a ready-made set of patterns for Amazon Web Services credentials. A single command, git secrets --register-aws, registers checks for AWS access key IDs, secret access keys, account IDs, and Bedrock API keys, and it also reads the credential values stored in your local AWS credentials file so those specific keys are blocked too. The documentation notes that these patterns catch most instances of AWS credentials but not all, and treats the tool as an extra layer of protection rather than a complete guarantee.

You can also add your own patterns, either as regular expressions you write by hand (git secrets --add) or by pointing git-secrets at a custom program that outputs a list of patterns (git secrets --add-provider). Values you trust, such as example keys or test fixtures, can be explicitly allowed (git secrets --add --allowed) to avoid false alarms. An allowed pattern suppresses every line it matches, so keep such patterns as specific as possible rather than allowing a broad expression.

For repositories that are being prepared to go public, git secrets --scan-history checks the full commit history, not just the most recent changes. You can also install the hooks into a global git template so that every new repository you create or clone gets them automatically.
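The whole workflow above, as an added example that is not code from the git-secrets project: it creates a throwaway repository, installs the hooks, registers the AWS patterns plus the custom MYCO pattern from the prompts below, allowlists one documentation-only token, and then checks that commits carrying a fake access key ID or a fake custom token are rejected while the allowlisted value goes through. The function names, the repository layout, and all sample values are constructed for this example (none of the key-like strings are real credentials); it assumes git and git-secrets are installed and on PATH.

```shell
#!/bin/sh
# Added example; not code from the git-secrets project. Protects a throwaway
# repository with git-secrets and checks that commits carrying a fake AWS
# access key ID or a custom token are rejected, while an allowlisted test
# value is accepted. Assumes git and git-secrets are installed and on PATH.
set -eu

# Constructed sample values, not real credentials. FAKE_AKID matches the
# access key ID pattern that `git secrets --register-aws` registers;
# FAKE_TOKEN and TEST_TOKEN match the custom MYCO-[A-Z0-9]{32} pattern.
FAKE_AKID='AKIAEXAMPLEKEY000001'
FAKE_TOKEN='MYCO-0123456789ABCDEF0123456789ABCDEF'
TEST_TOKEN='MYCO-00000000000000000000000000000000'

# new_repo DIR: create an empty repository with a commit identity set, so
# the example does not depend on the user's global git config.
new_repo() {
    git init -q "$1"
    git -C "$1" config user.name 'example'
    git -C "$1" config user.email 'example@example.invalid'
}

# protect_repo DIR: the per-repository setup the README says is easy to
# forget. --install -f writes the pre-commit, commit-msg and
# prepare-commit-msg hooks (overwriting any existing hooks);
# --register-aws adds the AWS patterns plus the provider that reads
# ~/.aws/credentials; --add registers a custom pattern; --add --allowed
# registers a documentation-only token so it never trips the check.
protect_repo() {
    git -C "$1" secrets --install -f >/dev/null
    git -C "$1" secrets --register-aws >/dev/null
    git -C "$1" secrets --add 'MYCO-[A-Z0-9]{32}'
    git -C "$1" secrets --add --allowed "$TEST_TOKEN"
}

# try_commit DIR VALUE: write VALUE into a tracked file, stage it and try
# to commit. Prints "blocked" when the pre-commit hook rejects the commit
# and "committed" when it goes through.
try_commit() {
    printf 'token = %s\n' "$2" > "$1/config.txt"
    git -C "$1" add config.txt
    if git -C "$1" commit -q -m 'add config' >/dev/null 2>&1; then
        echo committed
    else
        echo blocked
    fi
}

# history_clean DIR: succeed only if no commit in the full history contains
# a prohibited pattern, the check to run before making a repository public.
history_clean() {
    git -C "$1" secrets --scan-history >/dev/null 2>&1
}

# enable_globally: install the hooks into a git template directory and
# register the AWS patterns in the global config, so every repository
# created or cloned from now on is protected without the per-repo step.
# Not run by demo because it changes the user's global git configuration.
enable_globally() {
    git secrets --install "$HOME/.git-templates/git-secrets"
    git config --global init.templateDir "$HOME/.git-templates/git-secrets"
    git secrets --register-aws --global
}

# demo: run the whole workflow in a temporary directory.
demo() {
    repo=$(mktemp -d)
    new_repo "$repo"
    protect_repo "$repo"
    echo "fake access key ID: $(try_commit "$repo" "$FAKE_AKID")"   # blocked
    echo "custom token:       $(try_commit "$repo" "$FAKE_TOKEN")"  # blocked
    echo "allowlisted token:  $(try_commit "$repo" "$TEST_TOKEN")"  # committed
    if history_clean "$repo"; then echo 'history: clean'; else echo 'history: secrets found'; fi
    rm -rf "$repo"
}

if [ "${RUN_DEMO:-0}" = 1 ]; then demo; fi
```

Run it with RUN_DEMO=1 sh protect.sh; the first two commits are refused by the pre-commit hook and the third succeeds because the allowlisted line is dropped before matching. After protect_repo, git secrets --list inside the repository shows every pattern and allowed pattern in effect, which is worth checking whenever a hook unexpectedly passes or blocks a commit. Remember that the repository-level patterns added with --add live in that repository's config only; the template installed by enable_globally gives new repositories the hooks and the --global AWS patterns, so project-specific patterns still have to be added per repository or with --global.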

Copy-paste prompts

Prompt 1
I just installed git-secrets. Walk me through setting it up in my existing Python project repo to block AWS credentials and any personal API tokens I specify.
Prompt 2
How do I use git-secrets to scan the entire commit history of my repo before I make it public on GitHub?
Prompt 3
I want git-secrets to run automatically on every new git repo I create or clone. How do I set up the global git template?
Prompt 4
Add a custom git-secrets pattern to block any string matching the format MYCO-[A-Z0-9]{32} from being committed.

Verify against the repo before relying on details.