Hacker News

willwade yesterday at 1:54 PM | 5 replies

Can I have this between my machine and git please.. Like it's twice now I've committed .env* and it totally passed me by (usually because it's to a private repo..) then later on we/someone clears down the files.. and forgets to rewrite git history before pushing live.. it should never have got there in the first place.. (I wish GitHub did a scan before making a repo public..)


Replies

ComputerGuru today at 12:00 AM

Already mentioned it in another reply, but .env and passing secrets as environment variables are a tragedy. Take a look at how SecureStore stores secrets encrypted at rest, and you’re even advised to commit them to git!

https://github.com/neosmart/securestore-rs

acheong08 yesterday at 1:57 PM

GitHub does warn you when you have API keys in your repo. Alternatively, there are CLI tools such as TruffleHog you can put in pre-commit hooks to run before commits automatically.

mh- yesterday at 2:24 PM

You can use git hooks. Pre-commit specifically.

https://git-scm.com/docs/githooks

hombre_fatal yesterday at 2:19 PM

At least you can put .env in the global gitignore. I haven’t committed DS_Store in 15 years because of it - its secrets will die with me.

PunchyHamster yesterday at 3:26 PM

Aside from the already mentioned hooks, you can add a global .gitignore for .env files.
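
The pre-commit hook approach suggested in the replies above, as an added example that is not part of the thread or of any tool mentioned in it: a hook that rejects a commit when a `.env*` file is staged. The function names `blocked_paths` and `main` and the allowlist of template file names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: pre-commit hook that refuses commits containing .env* files.

# Read newline-separated paths on stdin and print those whose basename
# matches .env*. Template names are let through on the assumption that
# they hold placeholders only (adjust the allowlist to your project).
blocked_paths() {
    while IFS= read -r path; do
        case "${path##*/}" in
            .env.example|.env.sample|.env.template) ;;
            .env*) printf '%s\n' "$path" ;;
        esac
    done
}

main() {
    # Staged paths that this commit would Add, Copy, Modify or Rename.
    # Deletions are not listed, so removing a tracked .env still works.
    hits=$(git diff --cached --name-only --diff-filter=ACMR | blocked_paths)
    if [ -n "$hits" ]; then
        echo "pre-commit: refusing to commit environment files:" >&2
        printf '%s\n' "$hits" | sed 's/^/    /' >&2
        echo "Unstage them with: git rm --cached <file>" >&2
        return 1
    fi
    return 0
}

# Run the check only when this file is installed as the hook itself,
# so the functions above can also be loaded and exercised separately.
case "${0##*/}" in
    pre-commit) main || exit 1 ;;
esac
```

Install it as `.git/hooks/pre-commit` and mark it executable. A global ignore file (`git config --global core.excludesFile <path>`) complements the hook but does not stop `git add -f` or changes to a file that is already tracked, which is the case the hook catches.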