Detecting security keys

You should never store security keys in a version-control system. Cloud Source Repositories can help you prevent users from storing security keys in a Google Cloud repository. Cloud Source Repositories can check for the following types of security keys:

  • Google Cloud service account credentials (JSON format)
  • PEM-encoded private keys (including RSA, DSA, and PGP)

This checking feature is available for all repositories at no charge.

How the security-key checking feature works

When a user executes a git push command, the checking feature looks for data that might be a security key. If a match is found, the feature blocks the git push and notifies users what was found and where. For example:

The push has been rejected because we detect that it contains a private key.
Please check the following commands and confirm that it's intentional:

git show [COMMIT]

You can use `git rev-list --objects --all` to find the files.

To push these files, please run `git push -o nokeycheck`.

Before you begin

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Go to project selector

Disable security key detection

To disable security key detection, use the following gcloud command:

    gcloud init
    gcloud source project-configs update --disable-pushblock

Enable security key detection

To enable private key detection, use the following gcloud command:

    gcloud init
    gcloud source project-configs update --enable-pushblock

Override security key detection

To override the security key detection feature, use the following git command:

    git push -o nokeycheck

What's next

After you set up a Google Cloud repository, you might find the following topics helpful: