Keeping Secrets - Gitleaks and Github


Vote for Brianoflondon's Witness KeyChain or HiveSigner
Support Proposal 342 on PeakD

This is a value for value post: see the explanation in the footer.

Warning: technical blog post follows for coders

I just did something I should have done years ago. I installed a pre-commit scanner in my workflow to check before I upload anything to github that I haven't divulged any secrets.

The mistake

I haven't made this mistake yet, but that's the point about fixing security stuff: far better to do it before you make the mistake.

Let's say I have a file like this with some keys in it. They're just random keys, generated with my own v4v.app "signup for Hive" link, but let's assume they're the keys to my server's Hive account.

  Hive Username: koiuoiulkj
  Owner Key: 5JB6MK6CHipcYCmZtFbBVV19qbAXaFMZXYcRLEHKa5Hndj2AYkG
  Active Key: 5JFFgEhSRoso1pEFRFDtzrN3rjhLqPJuYgejiGfD9FroMLZNRv9
  Posting Key: 5JRpckhZgBSN2SxZJzBQAAdMgffoWXrwF6BTtqpz7mw7NZrkCP5
  Memo Key: 5KMNg6mvMGBNZxUWQVwczD2x6TXJnHCQ3PvqE5hQuWqmB5rm5ts
  Backup (Master) Password: bsKCHNClqvDpTb1QMd17LaQi79xygJjR

It's as easy as you like to put those in a file and accidentally add it to GitHub. At least here on Hive, if you notice such a catastrophic error, you can change your keys, but it's a big hassle.

Pre-commit hooks

The solution which I should have put in place years ago is to use something called a "pre-commit hook" to scan anything I try to send to GitHub before I upload it and make it public.

With the help of Grok I decided to use Gitleaks. This is what Grok has to say about it:

Gitleaks

Reputation: Highly regarded in the security and DevOps communities for its speed, ease of use, and Git-focused approach.

Strengths:

  • Specifically designed for scanning Git repositories, making it excellent for catching secrets in commit history and pre-commit hooks.

  • Fast and lightweight, with a simple setup.

  • Broad rule set covering common secret patterns (e.g., AWS keys, JWTs, private keys).

  • Active community and frequent updates (e.g., latest release in 2025).

  • Integrates seamlessly with CI/CD pipelines and pre-commit frameworks.

Community & Adoption: Widely used by security professionals and developers, with over 16k GitHub stars (as of last data). Popular in enterprise and open-source projects for its reliability.

Criticism: Can produce false positives without fine-tuning, and its focus on Git means it’s less flexible for non-Git use cases.

I followed the steps on the Gitleaks GitHub page to install it and, voilà, it's working.

What happens?

So when I try to push that file to GitHub now, this is what I get:

[screenshot: gitleaks secrets.png]

I deliberately tested with Hive keys and without doing any further setup.

Honestly I feel really dumb for working this long without setting this up.


Value for Value

For the last few months while building @v4vapp I was generously supported by the DHF. Going forward I have a much more modest support which covers direct server costs and a little of my time.

If you appreciate the work I do on and around Hive, you can express this directly: upvoting posts on Hive is great. Also consider a direct donation (there's a Tip button on Hive or a Lightning Address) on all my posts.

7 comments
So this Tool recognizes any private keys within a written code and gives you feedback about it BEFORE you upload the code? How does it recognize some random Numbers and letters being a secret key? Is that AI power of learning to recognize patterns?
Do you have to train the tool to recognize certain secrets? For example, how does it distinguish between a number within a code being just a number from being someone's private phone number or bank account number that should remain secret?


I think it's mostly a bunch of regex expressions, but I haven't looked into it exactly (I really will). Right out of the box it detected that file, but for example in my test folder the following:

########### TEST CONFIG NO SECRETS #################

hive:
  hive_accs:
    someaccount:
      role: server
      posting_key: somepostingkey
      active_key: someactive
      memo_key: somememo

########### TEST CONFIG NO SECRETS #################

notification_bots:
  first-bot:
    token: 0987654321:ABC-DEF1234ghIkl-zyx57W2v1u123ew11
    chat_id: 777777777

  second-bot:
    token: 1234567890:ABC-DEF1234ghIkl-zyx57W2v1u123ew11
    chat_id: 122222222

Didn't raise any alarm bells. As you can see the ####'s are there so that when I'm editing that file I know not to put any secrets in it!

I just now tried replacing the hive keys somepostingkey etc with real (looking) randomly generated keys and sure enough it blocked upload. Perfect. I'm sure there is a way I can flag stuff as safe for specific testing reasons but this is working just how I want it to.


Reading this I am so sure that you must have spent tons and tons of hours researching and building this. I am so sure that it is not something so easy but you devote your time and energy to this which is really a great job you are doing

Thanks for being an inspiration.


Doesn't really work for me. It's probably looking for some keywords like password or key followed by what it guesses to be the secret. Simply removing those keywords but leaving the actual keys from the example file above makes it a false negative.


I'm absolutely not thinking of relying on this and becoming dumb. I suspect it's better with more common things like API keys which it will have seen more than Hive keys.

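Added example (not from the post and not gitleaks' own code) tying together the two points made in the comments above: a structural check for Hive private keys that ignores placeholders like somepostingkey, flags a properly formed key even when no "key" or "password" label sits next to it, and uses the base58 checksum so random look-alike strings are not false positives. It relies on Hive keys using the standard WIF layout (0x80 version byte, 32-byte key, 4-byte double-SHA-256 checksum, base58); the file name hive_wif_check.py and the demo key built from a fixed byte sequence are made up for the example.

```python
import hashlib, re, sys

# Base58 alphabet shared by Bitcoin and Hive WIF private keys
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# A 0x80-prefixed 32-byte key always base58-encodes to 51 chars beginning 5H, 5J or 5K
WIF_RE = re.compile(r"(?<![1-9A-HJ-NP-Za-km-z])5[HJK][1-9A-HJ-NP-Za-km-z]{49}(?![1-9A-HJ-NP-Za-km-z])")

def b58encode(data: bytes) -> str:
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out

def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)  # ValueError on a non-base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + body
def checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
def to_wif(raw_key: bytes) -> str:
    payload = b"\x80" + raw_key  # version byte 0x80 followed by the 32-byte key
    return b58encode(payload + checksum(payload))

def is_valid_wif(candidate: str) -> bool:
    # Structural check: 37 bytes, version 0x80, and the 4-byte checksum matches
    try:
        data = b58decode(candidate)
    except ValueError:
        return False
    return len(data) == 37 and data[0] == 0x80 and checksum(data[:-4]) == data[-4:]

def find_hive_keys(text: str) -> list[tuple[int, str]]:
    # (line number, key) for every checksum-valid WIF key, with or without a keyword nearby
    return [(n, m.group(0)) for n, line in enumerate(text.splitlines(), 1)
            for m in WIF_RE.finditer(line) if is_valid_wif(m.group(0))]

# Constructed demo key from a fixed 32-byte value; it is not anyone's real account key
DEMO_WIF = to_wif(bytes(range(1, 33)))
DEMO_TEXT = "\n".join([
    "  posting_key: somepostingkey",  # placeholder like the test config above: no match
    "# next line is a real-format key with no 'key' or 'password' keyword at all",
    DEMO_WIF,
    "typo: " + DEMO_WIF[:-1] + ("a" if DEMO_WIF[-1] != "a" else "b"),  # right shape, bad checksum
])
if __name__ == "__main__":  # hook usage: python hive_wif_check.py FILE...; non-zero exit blocks the commit
    found = [(p, n) for p in sys.argv[1:] for n, _ in find_hive_keys(open(p, errors="ignore").read())]
    sys.exit(1 if found else 0)
```

To run it as a pre-commit hook, register it as a local hook in .pre-commit-config.yaml (or call it from .git/hooks/pre-commit) with the staged files as arguments; any hit makes it exit 1 and the commit is refused.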