
Prompt before pushing to a public repo

Open hcourt opened this issue 5 years ago • 3 comments

secret-shield introduces a layer of protection against accidentally committing secrets to public repos. What if we want to protect against accidentally committing to public repos at all?

Proposal

We should add a pre-push hook to the default secret-shield suites. This hook would:

  • Check if the repo is public.
  • Check if this user has never committed to this repo before. (optional: make this configurable!)

If both are true, the hook would prompt with a confirmation message.

> git push -u origin foo
WARNING!  This repository is PUBLIC, and you have never committed to this repo before.
Are you sure you want to push refs to '[email protected]:mapbox/secret-shield'?  y/N

cc/ @mapbox/security-and-compliance @ectrotter @tmpsantos

hcourt · Jan 21 '20 23:01
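A constructed sketch of the two checks and the prompt described in the proposal, added here as an example and not secret-shield's own code. It assumes GitHub remotes, an unauthenticated call to the `api.github.com/repos` endpoint for the public/private check (a private repo answers 404 to anonymous callers, which is treated as "not public"), and `git log --author` against the configured `user.email` for the "never committed" check.

```python
# Constructed sketch of the pre-push hook proposed in this issue; not secret-shield's own code.
import json
import re
import subprocess
import sys
import urllib.error
import urllib.request
# Accepts git@github.com:owner/repo(.git) and https://github.com/owner/repo(.git).
REMOTE_RE = re.compile(r"github\.com[:/]([\w.-]+)/([\w.-]+?)(?:\.git)?/?$")

def parse_github_remote(url):
    """Return (owner, repo) for a GitHub remote URL, or None for any other remote."""
    m = REMOTE_RE.search(url.strip())
    return (m.group(1), m.group(2)) if m else None

def repo_is_public(owner, repo, fetch=lambda u: json.load(urllib.request.urlopen(u, timeout=5))):
    """True only if the anonymous GitHub API sees the repo and reports private=false."""
    try:
        data = fetch(f"https://api.github.com/repos/{owner}/{repo}")
    except urllib.error.HTTPError:
        return False  # anonymous callers get 404 for private repos: treat unknown as not public
    return data.get("private") is False

def _git_log_author(email):
    # --fixed-strings: match the e-mail literally instead of as a regex pattern.
    cmd = ["git", "log", "-1", "--fixed-strings", f"--author={email}", "--format=%H"]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout

def user_has_committed(email, git_log=_git_log_author):
    """True if the checked-out repo already holds a commit authored by this e-mail."""
    return bool(git_log(email).strip())

def should_prompt(is_public, has_committed):
    """The proposal's rule: warn only when the repo is public AND the user is new to it."""
    return is_public and not has_committed

def main():
    # git invokes the hook as: pre-push <remote name> <remote url>
    remote_url = sys.argv[2] if len(sys.argv) > 2 else ""
    target = parse_github_remote(remote_url)
    email = subprocess.run(["git", "config", "user.email"], capture_output=True, text=True).stdout.strip()
    if target and should_prompt(repo_is_public(*target), user_has_committed(email)):
        sys.stderr.write("WARNING!  This repository is PUBLIC, and you have never committed to this repo before.\n"
                         f"Are you sure you want to push refs to '{remote_url}'?  y/N ")
        with open("/dev/tty") as tty:  # stdin carries the ref list during a hook, so ask the terminal
            if tty.readline().strip().lower() != "y":
                sys.exit(1)  # a non-zero exit makes git abort the push

if __name__ == "__main__":
    main()
```

Installed as `.git/hooks/pre-push`, the script only ever blocks a push when the user answers anything other than `y`; every failure to reach the API falls back to not prompting, so the hook never locks a user out of a private repo.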

I would also add a check if it has collab on the name.

tmpsantos · Jan 23 '20 08:01

@hcourt Thanks for opening this. Is there any update on progress to get this in place?

ectrotter · Jan 31 '20 16:01

@ectrotter FYI, @mapbox/security-and-compliance is triaging this. I don't believe there are any updates right now.

hcourt · Jan 31 '20 19:01