git-secrets
Prevents you from committing secrets and credentials into git repositories
A tool from AWS Labs that blocks you from accidentally committing passwords or AWS credentials to git by scanning each commit before it is saved.
git-secrets is a command-line tool from AWS Labs that prevents passwords and other sensitive values from being committed to a git repository. It works by installing hooks directly into a git repository so that each commit, commit message, and certain merges are checked against a set of forbidden patterns before they are accepted. If anything matches, the commit is blocked and the offending text is reported.
After installing the program on your system (via Homebrew on macOS, a Makefile on Linux, or a PowerShell script on Windows), you must run a separate setup command inside each repository you want protected. The README highlights this as a step people frequently overlook. The hooks it installs cover three points in the commit process: just before the commit is made, when the commit message is written, and when a merge brings in new history.
Because git-secrets was built at AWS, it includes a ready-made set of patterns for Amazon Web Services credentials. A single command registers checks for AWS access key IDs, secret access keys, account IDs, and Bedrock API keys, and it also reads the actual credential values stored in your local AWS credentials file so those specific keys are blocked too. The documentation notes that these patterns catch most instances of AWS credentials but not all, and treats the tool as an extra layer of protection rather than a complete guarantee.
You can also add your own patterns, either as regular expressions you write by hand or by pointing git-secrets at a custom program that outputs a list of patterns. Values you know are safe, such as example keys or test fixtures, can be registered as allowed patterns so that they do not trigger false alarms.
For repositories that are being prepared to go public, git-secrets can scan the full commit history, not just the most recent changes. You can also configure a global template so that every new repository you create or clone automatically gets the hooks installed.
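As an added illustration (not git-secrets' own code), the Python sketch below reproduces the decision the installed pre-commit hook makes: each staged line is tested against the prohibited patterns, and a match is reported only when no allowed pattern also matches that line. The two AWS regexes are an approximation of what `git secrets --register-aws` installs, and the key material is AWS's documented placeholder values plus one made-up key in the same format.

```python
import re

# Assumption: these two patterns paraphrase the AWS checks git-secrets registers
# (an access key ID prefix plus 16 characters, and a 40-character secret key
# assignment); they are illustrative, not copied from the project.
PROHIBITED = [
    r"(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}",
    r"(?i)aws_?secret_?access_?key\s*[:=]\s*['\"]?[A-Za-z0-9/+=]{40}",
]
# AWS's own documentation placeholders are safe to commit, so they are allowed
# (the same two values git-secrets whitelists when registering AWS patterns).
ALLOWED = [r"AKIAIOSFODNN7EXAMPLE", r"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"]

def scan(text, prohibited=PROHIBITED, allowed=ALLOWED):
    """Return [(line_no, line)] for lines that match a prohibited pattern and
    no allowed pattern, which is how git-secrets decides what to report."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if not any(re.search(p, line) for p in prohibited):
            continue
        if any(re.search(a, line) for a in allowed):
            continue  # explicitly allowed, e.g. an example key in docs
        findings.append((no, line))
    return findings

def pre_commit(staged_files):
    """Mimic the pre-commit hook over a dict of path -> staged content.
    Returns (ok, report); ok is False when any unallowed match exists."""
    report = []
    for path, text in staged_files.items():
        for no, line in scan(text):
            report.append(f"{path}:{no}:{line}")
    return (not report), report

# Constructed sample commit: one file holding AWS's documented example values
# and one holding a made-up key in the real format (FAKE... is a placeholder).
STAGED = {
    "docs/example.ini": "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "config/prod.ini": "region = us-east-1\naws_access_key_id = AKIAFAKEFAKEFAKEFAKE\n",
}

if __name__ == "__main__":
    ok, report = pre_commit(STAGED)
    print("commit allowed" if ok else "commit blocked:\n" + "\n".join(report))
```

Running it blocks the commit and reports only `config/prod.ini:2`, while the documentation file with the allowed example values passes.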
Where it fits
- Prevent AWS access keys, secret access keys, and account IDs from being committed to any git repository.
- Scan a repository's full commit history before making it public to check for any previously leaked credentials.
- Add your own custom regex patterns to block company-specific secrets like database passwords or internal API tokens.
- Configure a global git template so every new repository you create or clone automatically gets secret-scanning hooks.