Pre-Commit Hooks
Pre-commit hooks are a proactive security measure to automatically check your code for secrets before pushing it to your repository, to prevent their potential exposure within your Git history.
Prerequisites
To begin, install the SailPoint Entro CLI and set up the pre-commit hook in your Git repository. The hook will then automatically scan for secrets before any commit is created.
Mitigating Detected Secrets
When the SailPoint Entro pre-commit hook finds a secret, it will block the commit. The following steps are recommended to fix the issue.
Step 1: Remove the Hardcoded Secret
You must remove any plaintext secrets from your code.
Step 2: Store the Secret in a Secure Location
Relocate the secret to a secure storage system. Good options include:
-
GitHub Secrets: Ideal for managing secrets within GitHub Actions.
-
External Secret Managers: For broader application use, integrate with a dedicated service like AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault.
Step 3: Re-commit Your Code
After removing the secret, stage your modified files and run the commit command again.
# Stage the files you've fixed
git add .
# Now, create the commit
git commit -m "Your commit message"
Optional: Bypassing the Hook
If a detected secret is not sensitive, you can still proceed with the commit by bypassing the hook in one of the following ways:
-
Skip hook for current commit (recommended approach)
This allows the commit to proceed even if secrets are found.
-
Soft Bypass (Ignore hook in current set up)
When using the 'ignore' option, entro hook will scan the code and reports the findings to entro, but it won't block you on any commits.
After running this, you can proceed with your
git commit. -
Hard Bypass (Skip)
This completely disables the entro scan for all subsequent commits until it's re-enabled.
Warning
This will prevent entro from scanning any future commits in this repository.
-
To disable the hook:
-
To re-enable the hook:
-