You should never store security keys in a version-control system. Cloud Source Repositories can help you prevent users from storing security keys in a Google Cloud repository. Cloud Source Repositories can check for the following types of security keys:
- Google Cloud service account credentials (JSON format)
- PEM-encoded private keys (including RSA, DSA, and PGP)
This checking feature is available for all repositories at no charge.
How the security-key checking feature works
When a user executes a git push command, the checking feature looks for data that might be a security key. If a match is found, the feature blocks the git push and notifies users what was found and where. For example:
The push has been rejected because we detect that it contains a private key. Please check the following commands and confirm that it's intentional: git show [COMMIT] You can use `git rev-list --objects --all` to find the files. To push these files, please run `git push -o nokeycheck`.
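A local approximation of this check, added here as an example (it is not Google's code, and its matching rules are this example's own assumptions rather than the service's detection logic). It flags the two key types listed above, PEM-encoded private keys and service account JSON, and can run before a push, for instance from a pre-push hook, so that the server-side block is rarely reached:

```python
"""Local approximation of the Cloud Source Repositories key check (example
code, not Google's): flags PEM private keys (RSA, DSA, PGP, PKCS#8) and
service account JSON. The matching rules are this example's assumptions."""
import json
import re
import sys

# PEM armor lines that open a private key; the bare "PRIVATE KEY" form
# covers PKCS#8, "PGP PRIVATE KEY BLOCK" covers exported PGP keys.
PEM_PRIVATE_KEY = re.compile(
    r"-----BEGIN (?:RSA |DSA |EC |OPENSSH |ENCRYPTED |PGP )?PRIVATE KEY(?: BLOCK)?-----")

def find_key_material(text: str) -> list:
    """Return human-readable findings for one blob (empty when clean)."""
    findings = [f"PEM private key header: {m.group(0)}"
                for m in PEM_PRIVATE_KEY.finditer(text)]
    # Service account JSON: a top-level object of type "service_account"
    # that carries a private_key field (a key file, not just metadata).
    stripped = text.lstrip()
    if stripped.startswith("{"):
        try:
            obj = json.loads(stripped)
        except ValueError:
            obj = None
        if (isinstance(obj, dict) and obj.get("type") == "service_account"
                and "private_key" in obj):
            who = obj.get("client_email", "<unknown client_email>")
            findings.append(f"service account key for {who}")
    return findings

def scan_paths(paths) -> dict:
    """Scan each readable file; return {path: findings} for files with hits."""
    hits = {}
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = find_key_material(fh.read())
        except OSError:
            continue  # deleted or unreadable file: nothing to scan
        if found:
            hits[path] = found
    return hits

if __name__ == "__main__":
    hits = scan_paths(sys.argv[1:])
    for path, found in hits.items():
        for item in found:
            print(f"{path}: {item}", file=sys.stderr)
    sys.exit(1 if hits else 0)
```

Run it on the files changed in the commits about to be pushed, for example `python3 keycheck.py $(git diff --name-only origin/main...HEAD)` (script name and branch are assumed); a non-zero exit means the offending blob should be removed from history before pushing, rather than bypassed with `git push -o nokeycheck`.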
Before you begin
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Roles required to select or create a project
- Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
- Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.
Disable security key detection
To disable security key detection, use the following gcloud command:
gcloud init
gcloud source project-configs update --disable-pushblock
Enable security key detection
To enable security key detection, use the following gcloud command:
gcloud init
gcloud source project-configs update --enable-pushblock
Override security key detection
To override the security key detection feature, use the following git command:
git push -o nokeycheck
What's next
After you set up a Google Cloud repository, you might find the following topics helpful: