Prepare for 1.3.0 release

Author: awstools

CHANGELOG.md

@@ -1,5 +1,16 @@
 # CHANGELOG
 
+## 1.3.0 - 2019-02-10
+
+* Empty provider output is now excluded
+  (https://github.com/awslabs/git-secrets/issues/34)
+* Spaces are now supported in git exec path, making more Windows
+  paths execute properly.
+* Patterns with newlines and carriage returns are now loaded properly.
+* Patterns that contain only "\n" are now ignored.
+* Various Bash 4 fixes (https://github.com/awslabs/git-secrets/issues/66).
+* Make IAM key scanning much more targeted.
+
 ## 1.2.1 - 2016-06-27
 
 * Fixed an issue where secret provider commands were causing "command not

git-secrets.1

@@ -30,6 +30,59 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
+.SS Contents
+.INDENT 0.0
+.IP \(bu 2
+\fI\%Synopsis\fP
+.IP \(bu 2
+\fI\%Description\fP
+.IP \(bu 2
+\fI\%Installing git\-secrets\fP
+.INDENT 2.0
+.IP \(bu 2
+\fI\%*nix (Linux/macOS)\fP
+.IP \(bu 2
+\fI\%Windows\fP
+.IP \(bu 2
+\fI\%Homebrew (for macOS users)\fP
+.UNINDENT
+.IP \(bu 2
+\fI\%Advanced configuration\fP
+.IP \(bu 2
+\fI\%Before making public a repository\fP
+.IP \(bu 2
+\fI\%Options\fP
+.INDENT 2.0
+.IP \(bu 2
+\fI\%Operation Modes\fP
+.IP \(bu 2
+\fI\%Options for \fB\-\-install\fP\fP
+.IP \(bu 2
+\fI\%Options for \fB\-\-scan\fP\fP
+.IP \(bu 2
+\fI\%Options for \fB\-\-list\fP\fP
+.IP \(bu 2
+\fI\%Options for \fB\-\-add\fP\fP
+.IP \(bu 2
+\fI\%Options for \fB\-\-register\-aws\fP\fP
+.IP \(bu 2
+\fI\%Options for \fB\-\-aws\-provider\fP\fP
+.IP \(bu 2
+\fI\%Options for \fB\-\-add\-provider\fP\fP
+.UNINDENT
+.IP \(bu 2
+\fI\%Defining prohibited patterns\fP
+.IP \(bu 2
+\fI\%Ignoring false positives\fP
+.IP \(bu 2
+\fI\%Secret providers\fP
+.IP \(bu 2
+\fI\%Example walkthrough\fP
+.IP \(bu 2
+\fI\%Skipping validation\fP
+.IP \(bu 2
+\fI\%About\fP
+.UNINDENT
 .SH SYNOPSIS
 .INDENT 0.0
 .INDENT 3.5
@@ -55,12 +108,27 @@ prevent adding secrets into your git repositories. If a commit,
 commit message, or any commit in a \fB\-\-no\-ff\fP merge history matches one of
 your configured prohibited regular expression patterns, then the commit is
 rejected.
-.SS Installing git\-secrets
+.SH INSTALLING GIT-SECRETS
 .sp
 \fBgit\-secrets\fP must be placed somewhere in your PATH so that it is picked up
-by \fBgit\fP when running \fBgit secrets\fP\&. You can use \fBinstall\fP target of the
-provided Makefile to install \fBgit secrets\fP and the man page. You can
-customize the install path using the PREFIX and MANPREFIX variables.
+by \fBgit\fP when running \fBgit secrets\fP\&.
+.SS *nix (Linux/macOS)
+.IP "System Message: WARNING/2 (README.rst:, line 43)"
+Title underline too short.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+\e*nix (Linux/macOS)
+~~~~~~~~~~~~~~~~~
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+You can use the \fBinstall\fP target of the provided Makefile to install \fBgit secrets\fP and the man page.
+You can customize the install path using the PREFIX and MANPREFIX variables.
 .INDENT 0.0
 .INDENT 3.5
 .sp
@@ -71,8 +139,22 @@ make install
 .fi
 .UNINDENT
 .UNINDENT
+.SS Windows
 .sp
-Or, installing with Homebrew (for OS X users).
+Run the provided \fBinstall.ps1\fP powershell script. This will copy the needed files
+to an installation directory (\fB%USERPROFILE%/.git\-secrets\fP by default) and add
+the directory to the current user \fBPATH\fP\&.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+PS > ./install.ps1
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS Homebrew (for macOS users)
 .INDENT 0.0
 .INDENT 3.5
 .sp
@@ -106,42 +188,94 @@ git secrets \-\-register\-aws
 .fi
 .UNINDENT
 .UNINDENT
+.SH ADVANCED CONFIGURATION
+.sp
+Add a configuration template if you want to add hooks to all repositories you
+initialize or clone in the future.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+git secrets \-\-register\-aws \-\-global
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+Add hooks to all your local repositories.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+git secrets \-\-install ~/.git\-templates/git\-secrets
+git config \-\-global init.templateDir ~/.git\-templates/git\-secrets
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+Add custom providers to scan for security credentials.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+git secrets \-\-add\-provider \-\- cat /path/to/secret/file/patterns
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SH BEFORE MAKING PUBLIC A REPOSITORY
+.sp
+With git\-secrets is also possible to scan a repository including all revisions:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+git secrets \-\-scan\-history
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
 .SH OPTIONS
 .SS Operation Modes
 .sp
 Each of these options must appear first on the command line.
 .INDENT 0.0
 .TP
 .B \fB\-\-install\fP
-Installs hooks for a repository. Once the hooks are installed for a git
-repository, commits and non\-ff merges for that repository will be prevented
+Installs git hooks for a repository. Once the hooks are installed for a git
+repository, commits and non\-fast\-forward merges for that repository will be prevented
 from committing secrets.
 .TP
 .B \fB\-\-scan\fP
 Scans one or more files for secrets. When a file contains a secret, the
 matched text from the file being scanned will be written to stdout and the
-script will exit with a non\-zero RC. Each matched line will be written with
+script will exit with a non\-zero status. Each matched line will be written with
 the name of the file that matched, a colon, the line number that matched,
 a colon, and then the line of text that matched. If no files are provided,
 all files returned by \fBgit ls\-files\fP are scanned.
 .TP
 .B \fB\-\-scan\-history\fP
 Scans repository including all revisions. When a file contains a secret, the
 matched text from the file being scanned will be written to stdout and the
-script will exit with a non\-zero RC. Each matched line will be written with
+script will exit with a non\-zero status. Each matched line will be written with
 the name of the file that matched, a colon, the line number that matched,
 a colon, and then the line of text that matched.
 .TP
 .B \fB\-\-list\fP
-Lists the git\-secrets configuration for the current repo or in the global
+Lists the \fBgit\-secrets\fP configuration for the current repo or in the global
 git config.
 .TP
 .B \fB\-\-add\fP
 Adds a prohibited or allowed pattern.
 .TP
 .B \fB\-\-add\-provider\fP
 Registers a secret provider. Secret providers are executables that when
-invoked outputs prohibited patterns that \fBgit\-secrets\fP should treat as
+invoked output prohibited patterns that \fBgit\-secrets\fP should treat as
 prohibited.
 .TP
 .B \fB\-\-register\-aws\fP
@@ -150,7 +284,7 @@ in \fB~/.aws/credentials\fP are not found in any commit. The following
 checks are added:
 .INDENT 7.0
 .IP \(bu 2
-AWS Access Key ID via \fB[A\-Z0\-9]{20}\fP
+AWS Access Key IDs via \fB(A3T[A\-Z0\-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A\-Z0\-9]{16}\fP
 .IP \(bu 2
 AWS Secret Access Key assignments via ":" or "=" surrounded by optional
 quotes
@@ -160,7 +294,7 @@ AWS account ID assignments via ":" or "=" surrounded by optional quotes
 Allowed patterns for example AWS keys (\fBAKIAIOSFODNN7EXAMPLE\fP and
 \fBwJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\fP)
 .IP \(bu 2
-Enables using \fB~/.aws/credentials\fP to scan for known credentials.
+Known credentials from \fB~/.aws/credentials\fP
 .UNINDENT
 .sp
 \fBNOTE:\fP
@@ -176,7 +310,7 @@ do not commit credentials to a repository.
 .TP
 .B \fB\-\-aws\-provider\fP
 Secret provider that outputs credentials found in an INI file. You can
-optionally provide the path to an ini file.
+optionally provide the path to an INI file.
 .UNINDENT
 .SS Options for \fB\-\-install\fP
 .INDENT 0.0
@@ -188,18 +322,18 @@ Overwrites existing hooks if present.
 When provided, installs git hooks to the given directory. The current
 directory is assumed if \fB<target\-directory>\fP is not provided.
 .sp
-If the provided \fB<target\-directory>\fP is not in a Git repository, the
+If the provided \fB<target\-directory>\fP is not in a git repository, the
 directory will be created and hooks will be placed in
-\fB<target\-directory>/hooks\fP\&. This can be useful for creating Git template
+\fB<target\-directory>/hooks\fP\&. This can be useful for creating git template
 directories using with \fBgit init \-\-template <target\-directory>\fP\&.
 .sp
 You can run \fBgit init\fP on a repository that has already been initialized.
 From the \fI\%git init documentation\fP:
 .INDENT 7.0
 .INDENT 3.5
-From the git documentation: Running git init in an existing repository
+From the git documentation: Running \fBgit init\fP in an existing repository
 is safe. It will not overwrite things that are already there. The
-primary reason for rerunning git init is to pick up newly added
+primary reason for rerunning \fBgit init\fP is to pick up newly added
 templates (or to move the repository to another place if
 \fB\-\-separate\-git\-dir\fP is given).
 .UNINDENT
@@ -223,7 +357,7 @@ Please note that this hook is only invoked for non fast\-forward merges.
 .INDENT 7.0
 .INDENT 3.5
 Git only allows a single script to be executed per hook. If the
-repository contains Debian style subdirectories like \fBpre\-commit.d\fP
+repository contains Debian\-style subdirectories like \fBpre\-commit.d\fP
 and \fBcommit\-msg.d\fP, then the git hooks will be installed into these
 directories, which assumes that you\(aqve configured the corresponding
 hooks to execute all of the scripts found in these directories. If
@@ -299,7 +433,7 @@ ignored.
 Searches blobs registered in the index file.
 .TP
 .B \fB\-\-no\-index\fP
-Searches files in the current directory that is not managed by Git.
+Searches files in the current directory that is not managed by git.
 .TP
 .B \fB\-\-untracked\fP
 In addition to searching in the tracked files in the working tree,
@@ -507,16 +641,16 @@ git secrets \-\-add\-provider \-\- cat /path/to/secret/file/patterns
 .UNINDENT
 .SH DEFINING PROHIBITED PATTERNS
 .sp
-egrep compatible regular expressions are used to determine if a commit or
+\fBegrep\fP\-compatible regular expressions are used to determine if a commit or
 commit message contains any prohibited patterns. These regular expressions are
 defined using the \fBgit config\fP command. It is important to note that
 different systems use different versions of egrep. For example, when running on
-OS X, you will use a different version of egrep than when running on something
+macOS, you will use a different version of \fBegrep\fP than when running on something
 like Ubuntu (BSD vs GNU).
 .sp
 You can add prohibited regular expression patterns to your git config using
 \fBgit secrets \-\-add <pattern>\fP\&.
-.SH IGNORING FALSE-POSITIVES
+.SH IGNORING FALSE POSITIVES
 .sp
 Sometimes a regular expression might match false positives. For example, git
 commit SHAs look a lot like AWS access keys. You can specify many different
@@ -533,12 +667,12 @@ git secrets \-\-add \-\-allowed \(aqmy regex pattern\(aq
 .UNINDENT
 .sp
 You can also add regular expressions patterns to filter false positives to a
-.gitallowed file located in the repository\(aqs root directory. Lines starting
-with # are skipped (comment line) and empty lines are also skipped.
+\fB\&.gitallowed\fP file located in the repository\(aqs root directory. Lines starting
+with \fB#\fP are skipped (comment line) and empty lines are also skipped.
 .sp
 First, git\-secrets will extract all lines from a file that contain a prohibited
 match. Included in the matched results will be the full path to the name of
-the file that was matched, followed \(aq:\(aq, followed by the line number that was
+the file that was matched, followed by \(aq:\(aq, followed by the line number that was
 matched, followed by the entire line from the file that was matched by a secret
 pattern. Then, if you\(aqve defined allowed regular expressions, git\-secrets will
 check to see if all of the matched lines match at least one of your registered
@@ -605,8 +739,8 @@ And the following registered patterns:
 .sp
 .nf
 .ft C
-git config \-\-add \(aqpassword\es*=\es*.+\(aq
-git config \-\-add \-\-allowed \-\-literal \(aqex@mplepassword\(aq
+git secrets \-\-add \(aqpassword\es*=\es*.+\(aq
+git secrets \-\-add \-\-allowed \-\-literal \(aqex@mplepassword\(aq
 .ft P
 .fi
 .UNINDENT
@@ -669,7 +803,7 @@ git secrets \-\-scan /tmp/example && echo $?
 .UNINDENT
 .UNINDENT
 .sp
-Alternatively, you could whitelist a specific line number of a file if that
+Alternatively, you could allow a specific line number of a file if that
 line is unlikely to change using something like the following:
 .INDENT 0.0
 .INDENT 3.5
@@ -689,13 +823,13 @@ patterns are not inadvertently matched due to the fact that the filename is
 included in the subject text that allowed patterns are matched against.
 .SH SKIPPING VALIDATION
 .sp
-Use the \fB\-\-no\-verify\fP option in the event of a false\-positive match in a
+Use the \fB\-\-no\-verify\fP option in the event of a false positive match in a
 commit, merge, or commit message. This will skip the execution of the
 git hook and allow you to make the commit or merge.
 .SH ABOUT
 .INDENT 0.0
 .IP \(bu 2
-Author: Michael Dowling <\fI\%https://github.com/mtdowling\fP>
+Author: \fI\%Michael Dowling\fP
 .IP \(bu 2
 Issue tracker: This project\(aqs source code and issue tracker can be found at
 \fI\%https://github.com/awslabs/git\-secrets\fP