Detecting security keys

You should never store security keys in a version control system. Google Cloud Source Repositories can help you prevent users from storing security keys in a Google Cloud Platform repository. Enable this feature to have Google Cloud Source Repositories check for the following types of security keys:

  • Google Cloud Platform service account credentials (JSON format)
  • PEM-encoded private keys (including RSA, DSA, and PGP)

This feature is available on all repositories for no charge.

Overview

When a user runs git push, this feature scans the objects in the pushed commits for data that looks like a security key. If a match is found, the push is rejected and the user is told what was found and where. For example:

The push has been rejected because we detect that it contains a private
key. Please check the following commands and confirm that it's
intentional:

git show [COMMIT]

You can use `git rev-list --objects --all` to find the files.

To push these files, please run `git push -o nokeycheck`.
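The push block runs on the server, so a key is already in your local commit history by the time it fires, and the check can be bypassed with -o nokeycheck. A local pre-commit check that looks for the same two key types stops the key before a commit exists. The script below is an added example written for this page, not Google's own matcher (which is not published): the PEM header pattern and the service-account JSON test are this example's assumptions based on the documented formats, and the sample files are constructed with dummy key material.

```python
#!/usr/bin/env python3
"""Local pre-commit check for the two key types Cloud Source Repositories
rejects at push time: PEM-encoded private keys and GCP service-account JSON.

Added example, not Google's implementation. The patterns below are this
example's own assumptions about the documented key formats.
"""
import json
import re
import subprocess
import sys
from typing import Dict, List

# Assumed pattern: any PEM "PRIVATE KEY" header, with an optional algorithm
# label ("RSA", "DSA", "EC", "OPENSSH", "ENCRYPTED", ...) and PGP's trailing
# " BLOCK". Public keys and certificates do not match and are not flagged.
PEM_PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY(?: BLOCK)?-----")


def find_pem_private_keys(data: bytes) -> List[int]:
    """Return the 1-based line numbers of PEM private-key headers in data."""
    return [
        lineno
        for lineno, line in enumerate(data.splitlines(), start=1)
        if PEM_PRIVATE_KEY_RE.search(line)
    ]


def is_service_account_json(data: bytes) -> bool:
    """True if data is a GCP service-account key file carrying a private key.

    A downloaded service-account key is a JSON object with
    "type": "service_account" and a "private_key" field holding the PEM key.
    """
    try:
        doc = json.loads(data)
    except (ValueError, UnicodeDecodeError):
        return False
    return isinstance(doc, dict) and doc.get("type") == "service_account" and "private_key" in doc


def scan_files(files: Dict[str, bytes]) -> List[str]:
    """Return one finding per detected key: path (and line number for PEM)."""
    findings = []
    for path, data in files.items():
        if is_service_account_json(data):
            # The JSON embeds its PEM key as one escaped string; report once.
            findings.append(f"{path}: GCP service account credentials (JSON)")
            continue
        for lineno in find_pem_private_keys(data):
            findings.append(f"{path}:{lineno}: PEM private key")
    return findings


# Constructed sample inputs (dummy key material, not real keys).
SAMPLE_FILES: Dict[str, bytes] = {
    "keys/ci-deployer.json": json.dumps({
        "type": "service_account",
        "project_id": "example-project",
        "private_key_id": "0123456789abcdef",
        "private_key": "-----BEGIN PRIVATE KEY-----\nDUMMYKEYMATERIAL\n-----END PRIVATE KEY-----\n",
        "client_email": "ci-deployer@example-project.iam.gserviceaccount.com",
    }).encode(),
    "deploy/id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\nDUMMYKEYMATERIAL\n-----END RSA PRIVATE KEY-----\n",
    "deploy/id_rsa.pub": b"ssh-rsa AAAAB3NzaDUMMY deploy@example\n",
    "certs/server.crt": b"-----BEGIN CERTIFICATE-----\nDUMMYCERT\n-----END CERTIFICATE-----\n",
    "config.json": b'{"type": "authorized_user", "client_id": "dummy"}\n',
}


def scan_sample_files() -> List[str]:
    """Run the scanner over the constructed samples (the worked result)."""
    return scan_files(SAMPLE_FILES)


def staged_files() -> Dict[str, bytes]:
    """Read every file staged for commit from the git index, not the worktree."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM", "-z"],
        check=True, capture_output=True,
    ).stdout
    paths = [p.decode() for p in out.split(b"\0") if p]
    return {
        p: subprocess.run(["git", "show", f":{p}"], check=True, capture_output=True).stdout
        for p in paths
    }


if __name__ == "__main__":
    # Install as .git/hooks/pre-commit; a non-zero exit blocks the commit.
    found = scan_files(staged_files())
    for finding in found:
        print(f"blocked: {finding}", file=sys.stderr)
    sys.exit(1 if found else 0)
```

Run against the constructed samples, the scanner flags keys/ci-deployer.json as service-account credentials and line 1 of deploy/id_rsa as a PEM private key, while the public key, certificate and authorized_user config pass. The hook reads staged blobs with `git show :path` rather than the working tree so that it checks exactly what would be committed.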

Before you begin

Select or create a GCP project on the Manage resources page of the GCP Console.

Enabling security key detection

To enable security key detection, use the following gcloud commands. `gcloud init` authenticates and selects the project; the setting is a project-level configuration and applies to the repositories in that project:

    gcloud init
    gcloud beta source project-configs update --enable-pushblock

Disabling security key detection

To disable security key detection, use the following gcloud command:

    gcloud init
    gcloud beta source project-configs update --disable-pushblock

Overriding security key detection

To override the security key detection feature for a single push (for example, when the matched data is a deliberately committed test key), use the following git command:

    git push -o nokeycheck

Only use the override when you have confirmed that the matched content is not a real credential. If a real key was committed, treat it as compromised and rotate it; a rejected push does not remove the key from your local history, and pushing with the override publishes it to the repository.

What's next

After you have set up a GCP repository, you might find the following topics helpful:
