
Keeping Secrets - Gitleaks and Github


brianoflondon (15.1K) on PeakD, 26 days ago, 3 min read

https://files.peakd.com/file/peakd-hive/brianoflondon/23uEuzDov4SNw6sw7w4EMeuzFQaHPkdyrdoe8wLwXyAY9iknEEU6Qgvn68m1yekkvH4Da.jpg

Vote for Brianoflondon's Witness KeyChain or HiveSigner
Support Proposal 342 on PeakD

This is a value for value post: see the explanation in the footer.


Warning: technical blog post follows for coders

I just did something I should have done years ago. I installed a pre-commit scanner in my workflow to check, before I upload anything to GitHub, that I haven't divulged any secrets.

The mistake

I haven't made this mistake yet, but that's the point about fixing security stuff: far better to do it before you make the mistake.

Let's say I have a file like this with some keys in it. They're just random keys, generated with my own v4v.app signup for Hive link, but let's assume they're the keys to my server's Hive account.

  Hive Username: koiuoiulkj

  Owner Key: 5JB6MK6CHipcYCmZtFbBVV19qbAXaFMZXYcRLEHKa5Hndj2AYkG

  Active Key: 5JFFgEhSRoso1pEFRFDtzrN3rjhLqPJuYgejiGfD9FroMLZNRv9

  Posting Key: 5JRpckhZgBSN2SxZJzBQAAdMgffoWXrwF6BTtqpz7mw7NZrkCP5

  Memo Key: 5KMNg6mvMGBNZxUWQVwczD2x6TXJnHCQ3PvqE5hQuWqmB5rm5ts

  Backup (Master) Password: bsKCHNClqvDpTb1QMd17LaQi79xygJjR

It's as easy as you like to put those in a file and accidentally add it to GitHub. At least here on Hive, if you notice such a catastrophic error, you can change your keys, but it's a big hassle.

Pre-commit hooks

The solution, which I should have put in place years ago, is something called a "pre-commit hook": a script that Git runs every time I try to commit. If the script finds a problem and exits with an error, the commit is refused, so a leaked key never even enters my local history, let alone gets uploaded to GitHub and made public.

With the help of Grok I decided to use Gitleaks; this is what Grok has to say about it.

Gitleaks

Reputation: Highly regarded in the security and DevOps communities for its speed, ease of use, and Git-focused approach.

Strengths:

  • Specifically designed for scanning Git repositories, making it excellent for catching secrets in commit history and pre-commit hooks.

  • Fast and lightweight, with a simple setup.

  • Broad rule set covering common secret patterns (e.g., AWS keys, JWTs, private keys).

  • Active community and frequent updates (e.g., latest release in 2025).

  • Integrates seamlessly with CI/CD pipelines and pre-commit frameworks.

Community & Adoption: Widely used by security professionals and developers, with over 16k GitHub stars (as of last data). Popular in enterprise and open-source projects for its reliability.

Criticism: Can produce false positives without fine-tuning, and its focus on Git means it’s less flexible for non-Git use cases.

I followed the steps on the Gitleaks GitHub page to install, and voilà, it's working.

What happens?

So when I try to post that file to GitHub now, this is what I get:

https://files.peakd.com/file/peakd-hive/brianoflondon/23t72TJGL961jPDuibi2tud2kteABA5VrVfZXjm5vRc2ndvN1Vn1CiVhq6ri8nsnN7tjf.png

I deliberately tested with Hive keys and without doing any further setup.
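To make the mechanism concrete, here is an added example of a pre-commit hook that does the job described above. It is not the author's hook and not code from the gitleaks project: it runs gitleaks on the staged changes when gitleaks is installed, and in every case applies a fallback grep for Hive-style WIF private keys (51 base58 characters starting with 5H, 5J or 5K, which is what the keys in the sample file look like). The helper names (`count_hive_keys`, `redact_hive_keys`, `write_gitleaks_config`, `run_pre_commit_hook`), the rule id `hive-wif-private-key`, and the sample lines are this example's own choices; the `.gitleaks.toml` layout is assumed from gitleaks' documentation and should be checked against the version you install.

```shell
#!/bin/sh
# Pre-commit hook that refuses a commit containing Hive-style private keys.
# Added example for this post: not the author's hook, not gitleaks' own code.
# Install: copy to .git/hooks/pre-commit and `chmod +x` it.

# Hive (and Steem / Bitcoin uncompressed) WIF private keys are 51 base58
# characters beginning with 5H, 5J or 5K. Base58 has no 0, O, I or l.
HIVE_WIF_RE='5[HJK][1-9A-HJ-NP-Za-km-z]{49}'

# count_hive_keys: number of WIF-looking keys in stdin (always exits 0).
count_hive_keys() {
    grep -Eo "$HIVE_WIF_RE" | awk 'END { print NR }'
}

# redact_hive_keys: echo stdin with each key replaced, so the hook can show
# the offending line without writing the secret into terminal scrollback.
redact_hive_keys() {
    sed -E "s/$HIVE_WIF_RE/5<REDACTED>/g"
}

# staged_added_lines: the lines the commit would add, minus diff headers.
staged_added_lines() {
    git diff --cached --unified=0 --no-color | grep -E '^[+]' | grep -Ev '^[+][+][+]'
}

# write_gitleaks_config: a custom rule so gitleaks flags Hive keys by name
# instead of relying on its generic rules. The [[rules]] table (id,
# description, regex) and [extend] useDefault follow gitleaks' .gitleaks.toml
# format as documented (assumption: verify against your installed version).
write_gitleaks_config() {
    cat > "$1" <<EOF
[extend]
useDefault = true

[[rules]]
id = "hive-wif-private-key"
description = "Hive/Steem WIF private key (51 chars, starts with 5H/5J/5K)"
regex = '''$HIVE_WIF_RE'''
EOF
}

run_pre_commit_hook() {
    if command -v gitleaks >/dev/null 2>&1; then
        # Scan only the staged changes and redact matches in the report.
        # gitleaks 8.19+ spells this `gitleaks git --pre-commit --staged`.
        gitleaks protect --staged --redact --verbose || {
            echo "pre-commit: gitleaks found a secret, commit refused" >&2
            exit 1
        }
    fi
    # Fallback (or second opinion): plain grep for the Hive key shape.
    added=$(staged_added_lines)
    n=$(printf '%s\n' "$added" | count_hive_keys)
    if [ "$n" -gt 0 ]; then
        echo "pre-commit: $n Hive private key(s) in staged changes, commit refused:" >&2
        printf '%s\n' "$added" | grep -E "$HIVE_WIF_RE" | redact_hive_keys >&2
        exit 1
    fi
}

# Only act when Git runs this file as .git/hooks/pre-commit; executing or
# sourcing it under any other name just defines the functions above.
case "$0" in
    */pre-commit) run_pre_commit_hook ;;
esac
```

If you use the pre-commit framework instead of a hand-written hook, the gitleaks repository ships a hook definition with id `gitleaks` that you reference from `.pre-commit-config.yaml`, which is what the "steps on the Gitleaks GitHub page" set up. Two caveats a practitioner should keep in mind: a pre-commit hook only stops new commits, so anything already committed is still in history and needs a full scan (`gitleaks detect` over the repository) plus key rotation; and `git commit --no-verify` skips local hooks entirely, so the same scan belongs in CI as well.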

Honestly I feel really dumb for working this long without setting this up.


Value for Value

For the last few months while building @v4vapp I was generously supported by the DHF. Going forward I have a much more modest support which covers direct server costs and a little of my time.

If you appreciate the work I do on and around Hive, you can express this directly: upvoting posts on Hive is great. Also consider a direct donation (there's a Tip button on Hive, or a Lightning Address, on all my posts).

https://files.peakd.com/file/peakd-hive/brianoflondon/AJmtP4HQY8c2Ej3D2k6ZxhKZqUh6R2hDWcVDkpVacwCbt5c9R9R2LowiycVhAM7.png

https://images.hive.blog/130x130/https://hivebuzz.me/badges/birthday-6.png

Support Proposal 342 with Hivesigner
Support Proposal 342 on Ecency


https://files.peakd.com/file/peakd-hive/brianoflondon/AK3gcbmQA5oP28nnfgu5MiW8JCXw1XA6tYghwFWbSkPW2P6hXto5i7TDRTkPRVa.png
