Commit block if passwords or secrets in it

vivuu March 29, 2019

Hi Experts,

Looking for a solution for blocking developers from committing code or any files with passwords or secrets in them.

Regards!!


1 answer

0 votes
Nic Brough -Adaptavist-
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
March 29, 2019

You will need some code for this, but there are two parts to it.

The easier part is that there are apps that can provide that code, or allow you to write that code inline.  I'd use Scriptrunner (because I work for Adaptavist and can ask an expert any time).  But the block is an easy thing.

The more difficult part is the human side - you need code that can recognise when something sensitive is being committed.  How do you know when the word "penguin" is a password?

vivuu March 29, 2019

Hi Nic,

Thanks for your quick response, but I really wonder that we don't have a proper solution for this here, as it is also a very important use case.

Nic Brough -Adaptavist-
March 29, 2019

I think there's no "proper solution" because of the second part of my answer.

Blocking a commit given "case X" is not a problem.  It's when "case X" is potentially a nightmare to code for that you have a problem. 

For this one, think about it - how do you know that any part of a commit is a string representing a password?  Humans will often write variants of "username: dave password: penguin" into comments or notes, which aren't too hard to detect, but what happens when they don't flag it so obviously?  A lot of passwords have been given to me as simply dave/penguin - a human reading that would take a good guess, but how would a machine know?  Your case also has the problem that you want to search the content of a commit (and if it's code relating to user access, it's likely to throw a false positive if you are just looking for "password").

So, there's no easy generic way to do it, as the things you are looking for could be very different.  You will need to define a set of rules that define how a machine will recognise passwords and secrets in your commits, and parse for them.

vivuu March 29, 2019

Yes, you are absolutely right.

Just for reference, have you ever tried a parser like this for any kind of blocking? If yes, could you share it with me for reference?

Nic Brough -Adaptavist-
March 29, 2019

Myself, just something that scanned the commit message for a couple of strings and blocked it if found.  The other stuff I've worked with has ended up in the script library I mentioned above!

vivuu April 1, 2019

I tried the below script, and it is blocking the regex keywords, but even after I reverted the changes in the code it is still not allowing me to commit.


#!/bin/bash

#
# ⚠ USE WITH CAUTION ⚠
#
# Pre-receive hook that will block any new commits that contain passwords,
# tokens, or other confidential information matched by regex
#
# More details on pre-receive hooks and how to apply them can be found on
# https://git.io/fNLf0
#

# ------------------------------------------------------------------------------
# Variables
# ------------------------------------------------------------------------------
# Count of issues found in parsing
found=0

# Define list of REGEX to be searched and blocked
regex_list=(
    # block any private key file
    '(\-){5}BEGIN\s?(RSA|OPENSSH|DSA|EC|PGP)?\s?PRIVATE KEY\s?(BLOCK)?(\-){5}.*'
    # block AWS API Keys
    'AKIA[0-9A-Z]{16}'
    # block AWS Secret Access Key (TODO: adjust to not find valid Git SHA1s; false positives)
    # '([^A-Za-z0-9/+=])?([A-Za-z0-9/+=]{40})([^A-Za-z0-9/+=])?'
    # block confidential content
    'CONFIDENTIAL'
)

# Concatenate regex_list into a single alternation: pattern1|pattern2|...
separator="|"
regex="$( printf "${separator}%s" "${regex_list[@]}" )"
# remove leading separator
regex="${regex:${#separator}}"

# Commit sha with all zeros (git sends this as oldrev when a ref is being created)
zero_commit='0000000000000000000000000000000000000000'

# ------------------------------------------------------------------------------
# Pre-receive hook
# ------------------------------------------------------------------------------
# git feeds one "<oldrev> <newrev> <refname>" line per pushed ref on stdin
while read -r oldrev newrev refname; do
    # # Debug payload
    # echo -e "${oldrev} ${newrev} ${refname}\n"

    # ----------------------------------------------------------------------------
    # Get the list of all the commits
    # ----------------------------------------------------------------------------

    # Check if a zero sha
    if [ "${oldrev}" = "${zero_commit}" ]; then
        # List everything reachable from newrev but not any heads
        span=$(git rev-list $(git for-each-ref --format='%(refname)' 'refs/heads/*' | sed 's/^/\^/') "${newrev}")
    else
        span=$(git rev-list "${oldrev}..${newrev}")
    fi

    # ----------------------------------------------------------------------------
    # Iterate over all commits in the push
    # ----------------------------------------------------------------------------
    # Note: every commit in the pushed range is scanned, so a push that still
    # contains the commit which introduced a secret is rejected even if a later
    # commit reverts it. The whole patch (added, removed and context lines) is
    # grepped, so the reverting commit itself also matches.
    for sha1 in ${span}; do
        # Use extended regex to search for a match
        match=$(git diff-tree -r -p --no-color --no-commit-id --diff-filter=d "${sha1}" | grep -nE "(${regex})")

        # Verify it's not empty
        if [ "${match}" != "" ]; then
            # # Debug match
            # echo -e "${match}\n"

            found=$((found + 1))
        fi
    done
done

# ------------------------------------------------------------------------------
# Verify count of found errors
# ------------------------------------------------------------------------------
if [ "${found}" -gt 0 ]; then
    # Found errors, exit with error
    echo "[POLICY BLOCKED] You're trying to commit a password, token, or confidential information"
    exit 1
else
    # No errors found, exit with success
    exit 0
fi
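An added example for the "reverted but still blocked" behaviour above; it is not code from the thread, the GitHub sample hook or ScriptRunner, and it feeds constructed diffs to the scanner in place of git diff-tree output. It inspects only the added lines of each commit, so a commit that merely removes a secret passes on its own, while a push that still carries the commit which added the secret is rejected: the secret has to be removed from the pushed history (and rotated, since it was already written to a commit).

```bash
#!/bin/bash
# Added example, not from the thread: flag only the ADDED lines of each commit's
# patch, so a commit that removes a secret is not itself blocked. Inputs are constructed.

# Patterns in the spirit of the hook's regex_list (POSIX classes work with GNU and BSD grep)
REGEX='AKIA[0-9A-Z]{16}|-----BEGIN (RSA |OPENSSH |EC )?PRIVATE KEY-----|[Pp]assword[[:space:]]*[:=][[:space:]]*[^[:space:]]+'

# Read one commit's unified diff on stdin, keep only "+" lines (dropping the
# "+++ b/file" header), print the offending lines and return 1 if any match.
scan_added_lines() {
    local hits
    hits=$(grep -E '^\+' | grep -Ev '^\+\+\+ ' | grep -E "${REGEX}") || true
    if [ -n "${hits}" ]; then
        printf '%s\n' "${hits}"
        return 1
    fi
    return 0
}

# Given one diff per commit in the push, count how many commits add a secret;
# a pre-receive hook would reject the whole push when this is non-zero.
count_flagged() {
    local n=0 d
    for d in "$@"; do
        if ! printf '%s\n' "${d}" | scan_added_lines >/dev/null; then
            n=$((n + 1))
        fi
    done
    echo "${n}"
}

# Constructed commit 1: adds a fake (non-functional) AWS key id
ADD_DIFF='diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1 +1,2 @@
+AWS_KEY = "AKIAEXAMPLEEXAMPLE00"
 TIMEOUT = 30'

# Constructed commit 2: the "revert" that removes it again
REVERT_DIFF='diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1 @@
-AWS_KEY = "AKIAEXAMPLEEXAMPLE00"
 TIMEOUT = 30'

count_flagged "${ADD_DIFF}"                   # 1: the adding commit is blocked
count_flagged "${REVERT_DIFF}"                # 0: the revert alone passes
count_flagged "${ADD_DIFF}" "${REVERT_DIFF}"  # 1: the push is still rejected
```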
