It seems to be a common occurrence that private keys are checked into public repositories on Github. As I’ve [done something similar with blocking merge conflicts from being committed]({% post_url 2015-02-17-block-merge-conflicts-in-commits %}), I thought it would be a good idea to add something similar, to block private keys from being committed from a project.

I have set a project on to hold any future git-hook scripts like this in the future.

A little bit about Git hooks

Git attempts to run any scripts that exist within .git/hooks for the current working copy. The scripts correspond to where in the lifecycle the scripts will be executed. For certain hooks, you can alter whether git allows something (such as a commit). In a future post, I’ll explore the types of hooks and how they can support your workflow.

Pre-commit

The way that Git pre-commit hooks work is that with the exit status is non-zero, the commit is rejected. It should be known that this hook can be overriden if you use the flag --no-verify. At the very least, it prevents accidental additions, which seem to be the primary reasons for private information being exposed.

Blocking private keys

It is with that in mind that I created this pre-commit hook. This script just checks for the string “RSA PRIVATE KEY” in the files that are about to be commited. It is rather simple and can be extended to block other types of sensitive data by updating the script. Feel free to fork the project if you think others will benefit.

Removing a previously commited key

Github has a good guide to removing the sensitive information here. Please heed the advice on that page to rotate all sensitive data taht was exposed publicly. It will haunt you if you do not.