
commit block if passwords or secrets in it

Hi Experts,

Looking for a solution for blocking developers from committing code or any files with passwords or secrets in them.



1 answer

0 votes
Nic Brough Community Leader Mar 29, 2019

You will need some code for this, but there are two parts to it.

The easier part is that there are apps that can provide that code, or allow you to write that code inline.  I'd use Scriptrunner (because I work for Adaptavist and can ask an expert any time).  But the block is an easy thing.

The more difficult part is the human side - you need code that can recognise when something sensitive is being committed.  How do you know when the word "penguin" is a password?



Thanks for your quick response. But I really wonder that we don't have a proper solution for this here, as it is a very important use case.

Nic Brough Community Leader Mar 29, 2019

I think there's no "proper solution" because of the second part of my answer.

Blocking a commit given "case X" is not a problem.  It's when "case X" is potentially a nightmare to code for that you have a problem. 

For this one, think about it - how do you know that any part of a commit is a string representing a password?  Humans will often write variants of "username: dave password: penguin" into comments or notes, which aren't too hard to detect, but what happens when they don't flag it so obviously?  A lot of passwords have been given to me as simply dave/penguin - a human reading that would take a good guess, but how would a machine know?  Your case also has the problem that you want to search the content of a commit (and if it's code relating to user access, it's likely to throw a false positive if you are just looking for "password").

So, there's no easy generic way to do it, as the things you are looking for could be very different.  You will need to define a set of rules that define how a machine will recognise passwords and secrets in your commits, and parse for them.

Yes.. you are absolutely right...


Just for reference, have you ever tried parsing like this for any kind of blocking? If yes, could you share it with me for reference?

Nic Brough Community Leader Mar 29, 2019

Myself, just something that scanned the commit message for a couple of strings and blocked it if found.  The other stuff I've worked with has ended up in the script library I mentioned above!


I tried with the below script, and it does block on the regex keywords. But even after I reverted the changes in the code, it still does not allow me to commit.



#!/usr/bin/env bash
#
# Pre-receive hook that will block any new commits that contain passwords,
# tokens, or other confidential information matched by regex
#
# More details on pre-receive hooks and how to apply them can be found on
#
# ------------------------------------------------------------------------------
# Variables
# ------------------------------------------------------------------------------
# Count of issues found in parsing
found=0

# Define list of REGEX to be searched and blocked
regex_list=(
  # block any private key file
  '(\-){5}BEGIN\s?(RSA|OPENSSH|DSA|EC|PGP)?\s?PRIVATE KEY\s?(BLOCK)?(\-){5}.*'
  # block AWS API Keys (access key IDs)
  'AKIA[0-9A-Z]{16}'
  # block AWS Secret Access Key (TODO: adjust to not find valid Git SHA1s; false positives)
  # '([^A-Za-z0-9/+=])?([A-Za-z0-9/+=]{40})([^A-Za-z0-9/+=])?'
  # block confidential content
  'CONFIDENTIAL'
)

# Concatenate regex_list into one extended-regex alternation
separator="|"
regex="$( printf "${separator}%s" "${regex_list[@]}" )"
# remove leading separator
regex="${regex:${#separator}}"

# Commit sha with all zeros (git passes this as oldrev for a newly created ref)
zero_commit='0000000000000000000000000000000000000000'

# ------------------------------------------------------------------------------
# Pre-receive hook
# ------------------------------------------------------------------------------
# git feeds one "oldrev newrev refname" line per updated ref on stdin
while read oldrev newrev refname; do
  # # Debug payload
  # echo -e "${oldrev} ${newrev} ${refname}\n"

  # ----------------------------------------------------------------------------
  # Get the list of all the commits
  # ----------------------------------------------------------------------------

  # Check if a zero sha
  if [ "${oldrev}" = "${zero_commit}" ]; then
    # List everything reachable from newrev but not any heads
    span=`git rev-list $(git for-each-ref --format='%(refname)' refs/heads/* | sed 's/^/\^/') ${newrev}`
  else
    # Only the commits that are new in this push
    span=`git rev-list ${oldrev}..${newrev}`
  fi

  # ----------------------------------------------------------------------------
  # Iterate over all commits in the push
  # ----------------------------------------------------------------------------
  for sha1 in ${span}; do
    # Use extended regex to search for a match anywhere in the commit's diff
    match=`git diff-tree -r -p --no-color --no-commit-id --diff-filter=d ${sha1} | grep -nE "(${regex})"`

    # Verify it's not empty
    if [ "${match}" != "" ]; then
      # # Debug match
      # echo -e "${match}\n"

      found=$((${found} + 1))
    fi
  done
done

# ------------------------------------------------------------------------------
# Verify count of found errors
# ------------------------------------------------------------------------------
if [ ${found} -gt 0 ]; then
  # Found errors, exit with error
  echo "[POLICY BLOCKED] You're trying to commit a password, token, or confidential information"
  exit 1
else
  # No errors found, exit with success
  exit 0
fi
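The behaviour reported above (the push stays blocked after a revert) follows from how the hook scans. The following Python model is an added example, not the script from the thread: it builds the same regex alternation, applies it the way `grep -nE` over `git diff-tree -p` does, and runs it over a constructed two-commit push (a commit that adds a fake AWS access key ID, then the revert that removes it). The diff texts and the key value are constructed for illustration.

```python
"""Model of the pre-receive hook's scan (added example, not the thread's script)."""
import re

# Same patterns the posted hook concatenates with "|" and hands to grep -E.
REGEX_LIST = [
    r'(\-){5}BEGIN\s?(RSA|OPENSSH|DSA|EC|PGP)?\s?PRIVATE KEY\s?(BLOCK)?(\-){5}.*',
    r'AKIA[0-9A-Z]{16}',
]
PATTERN = re.compile("(" + "|".join(REGEX_LIST) + ")")

# Constructed stand-ins for `git diff-tree -r -p` output of two commits.
# Commit 1 introduces a (fake, constructed) access key ID.
COMMIT_ADD_KEY = """\
diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1,2 +1,3 @@
 REGION = "eu-west-1"
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLE000000000"
"""
# Commit 2 is the revert: the same line now appears as a removed ("-") line.
COMMIT_REVERT = """\
diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1,3 +1,2 @@
 REGION = "eu-west-1"
-AWS_ACCESS_KEY_ID = "AKIAEXAMPLE000000000"
"""


def hook_matches(diff_text):
    """What the posted hook does: grep every line of the diff, added or removed."""
    return [n for n, line in enumerate(diff_text.splitlines(), 1) if PATTERN.search(line)]


def added_line_matches(diff_text):
    """Stricter variant: only lines the commit introduces ('+' but not the '+++' header)."""
    return [n for n, line in enumerate(diff_text.splitlines(), 1)
            if line.startswith("+") and not line.startswith("+++") and PATTERN.search(line)]


def scan_push(commits, scanner):
    """Hook semantics: every commit in oldrev..newrev is scanned; return the hit count."""
    return sum(1 for diff in commits if scanner(diff))


if __name__ == "__main__":
    push = [COMMIT_ADD_KEY, COMMIT_REVERT]
    print("hook (all lines):", scan_push(push, hook_matches))           # 2: the revert diff itself matches
    print("added lines only:", scan_push(push, added_line_matches))    # 1: the original commit is still in the push
```

Even the stricter scanner still blocks, because the commit that added the key remains in the pushed range; the only way past this hook is to rewrite the branch so that commit is gone, and the exposed key should be treated as compromised and rotated regardless.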
