edenian-prince/rust-secrets

rust-secrets

Pre-commit hooks that prevent credential leaks, written in Rust. A replacement for AWS git-secrets that also refreshes providers automatically. Like git-secrets, it adds a regex file to your git config and uses it to scan for secrets when you run git commit. With git-find, it can automatically pull changes to that file before scanning for secrets, so you always have the most up-to-date secret regex file. It also sets up a global git config that applies the hooks to all existing and new repos. It won't overwrite existing global or local hooks; it only adds to them. This way a system admin can set up hooks and ban lists that update automatically, while local users can still keep their own ban lists.

Install

To install a newer version, follow these same steps again; they update the CLI on your machine.

Linux/WSL

Run this in a bash terminal:

curl -fsSL https://raw.githubusercontent.com/edenian-prince/rust-secrets/refs/heads/main/install.sh | bash

That will add the CLI tool to your .bashrc.

Then restart your terminal or run

source ~/.bashrc

Windows

Run this in a PowerShell terminal. It will pull the install.ps1 script from the repo and install git-find.exe to your C:/USER/.local/bin path.

powershell -ExecutionPolicy ByPass -c "irm https://raw.githubusercontent.com/edenian-prince/rust-secrets/refs/heads/main/install.ps1 | iex"

Post Install Setup

  1. Now set up the hooks with:

git find install

It will add global git hook paths if needed, but will not overwrite or destroy already existing global or local hooks. See src/install.rs for the code. tl;dr: it creates a new file ~/.git-hooks/git-find-global-hook.sh and, if ~/.git-hooks/pre-commit does not already exist, creates that file with a call to the new script. If pre-commit does exist, it only adds a small block that calls the git-find-global-hook.sh script. The resulting global pre-commit hook looks like this:

#!/bin/sh
# Global pre-commit hook (git-find)

TEMPLATE="$HOME/.git-hooks/git-find-global-hook.sh"

# Delegate to the git-find hook script if it is present and executable,
# passing through the exit status so a failing scan blocks the commit.
if [ -f "$TEMPLATE" ] && [ -x "$TEMPLATE" ]; then
    "$TEMPLATE" "$@"
    exit $?
fi

exit 0

(Then restart your shell if you are using PowerShell.)

  2. Add a provider (a secret ban list .txt file).

The path can be either a full file path such as ~/path/secrets.txt (it may be inside a git repo) or a GitHub raw URL such as https://raw.github../secrets.txt

git find add-provider --path /full/path/to/provider

This will prompt you and ask whether you want auto updates. Answer Y and it will set them up for you: whenever the pre-commit hook runs, it will automatically pull from that repo so that your regex file is the most up to date. If you answer N, it will just read the file directly from where you put it and won't run git pull.

  3. Optional: add a provider to just one local repo. Hook providers are applied to your global git config (with git config --global --add) unless you put them into a single repo with the --local flag:

git find add-provider --path /full/path/secret.txt --local

This will put a local hook/secret ban list into your single repo's git config (with git config --add). You can check with git config --list. If you already have a hook there it will NOT overwrite it.

See src/providers.rs for more details.
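To make the scan step concrete, here is an added example of a minimal POSIX-sh pre-commit scan of the kind a provider file drives. It is not rust-secrets' own code (that lives in src/); the provider format (one extended regex per line, comments and blank lines ignored), the helper names and the constructed ban list are all assumptions. It inspects only the added lines of the staged diff and returns non-zero on a match, which is what blocks the commit.

```shell
#!/bin/sh
# Added example, not rust-secrets' own code: minimal POSIX-sh pre-commit scan.
# Assumed provider format: one ERE per line; '#' comments and blanks ignored.

# scan_added_lines PROVIDER_FILE   (diff text on stdin)
# Keeps only added lines ('+' but not the '+++' file header), strips the
# leading '+', and greps them against the provider patterns.
# Returns 1 (block the commit) when any line matches, 0 otherwise.
scan_added_lines() {
    pats=$(mktemp)
    # drop comments and blank lines so they are not treated as patterns
    grep -Ev '^[[:space:]]*#|^[[:space:]]*$' "$1" > "$pats" || true
    hits=$(grep -E '^\+' | grep -Ev '^\+\+\+' | cut -c2- | grep -E -f "$pats") || true
    rm -f "$pats"
    if [ -n "$hits" ]; then
        printf '[pre-commit] possible secret(s) in staged changes:\n%s\n' "$hits" >&2
        return 1
    fi
    return 0
}

# scan_staged PROVIDER_FILE: feed the real staged diff (no context lines, so
# only the change itself is inspected) to scan_added_lines. Use as the hook body.
scan_staged() {
    git diff --cached --no-color -U0 | scan_added_lines "$1"
}

# make_demo_provider DIR: writes a constructed ban list and prints its path.
make_demo_provider() {
    cat > "$1/secrets.txt" <<'EOF'
# constructed ban list: AWS-style access key id, and a password assignment
AKIA[0-9A-Z]{16}
(password|passwd)[[:space:]]*=[[:space:]]*['"]?[^[:space:]'"]+
EOF
    printf '%s\n' "$1/secrets.txt"
}

# demo_leaky / demo_clean: run the scan over constructed diff text so the
# behaviour can be checked without a git repository (1 = blocked, 0 = allowed).
demo_leaky() {
    d=$(mktemp -d); p=$(make_demo_provider "$d")
    printf '+++ b/config.py\n+AWS_KEY = "AKIAABCDEFGHIJKLMNOP"\n' | scan_added_lines "$p"
    rc=$?; rm -rf "$d"; return $rc
}
demo_clean() {
    d=$(mktemp -d); p=$(make_demo_provider "$d")
    # the removed line is a secret, but only added lines are inspected
    printf '+++ b/config.py\n-password = "hunter2"\n+AWS_KEY = os.environ["AWS_KEY"]\n' | scan_added_lines "$p"
    rc=$?; rm -rf "$d"; return $rc
}
```

Installed as a hook, `scan_staged ~/path/secrets.txt` is the only call needed; a provider pulled with git before this runs is what keeps the pattern list current.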

Optional:

To scan the entire git history of a repo, run this inside the repo:

git find scan

It will scan the history against all the secret patterns (providers) in your global and local git config. See src/scan.rs.

Comparisons to GitLeaks and AWS Git Secrets

GitLeaks

  • Installing gitleaks gives you the binary/tool to scan for secrets, but it won’t “opt you in” with Git hooks.
  • You need to explicitly configure the hook you want (pre-commit, protect, etc.) in each repository (or via a shared git template).
  • This means a user needs to install the pre-commit framework with pip, set up a git template directory for global hooks, and then set core.hooksPath so the hooks apply to existing repos.

AWS Git-Secrets

  • Simple install
  • Does not set up global hooks that apply to ALL repos (existing repos included; see the video above)
  • Does not have auto-config capabilities

If you want to enforce hooks globally across many repos (e.g. for a team), you'll need to set up a shared Git template directory or use a hook manager. This is all handled by git-find when you run git-find install.

This is really useful for:

  • teams that want to share a regex secret file (containing common server names, tokens, etc.)
  • teams that update their regex file and need to automatically update their teammates' pre-commit hooks
  • newbies who may forget to manually update their regex files

(video: auto4.mp4)

  • git-find can automatically pull 'shared' regex provider files as shown in the video above. If an update is made to the centralized regex file, the new regex will be scanned against when you run git commit. This is great for teams that update which secrets they want to scan for and need to ensure that ALL team members have the latest regex file.

(video: scan.mp4)

  • has cleaner git history scanning capabilities (and will get better in future releases)

(video: commit.mp4)

  • automatically sets up global hooks that work on existing repos. AWS git-secrets was a real pain for this: when you install it you need to configure git to run it on existing repos, which is a pain for newbie git users.

git-find simplifies installing global hooks and automating config pulls. It requires ZERO effort or knowledge from newbies who need pre-commit hooks for security scanning.
