You should never store security keys in a version control system. Google Cloud Source Repositories can help prevent users from storing security keys in a Google Cloud Platform repository. When you enable this feature, Google Cloud Source Repositories checks each push for the following types of security keys:
- Google Cloud Platform service account credentials (JSON format)
- PEM-encoded private keys (including RSA, DSA, and PGP)
This feature is available on all repositories for no charge.
When a user runs `git push`, this feature inspects the pushed data for content that looks like a security key. If it finds a match, it rejects the push and tells the user what was found and where. For example:

```
The push has been rejected because we detect that it contains a private key.
Please check the following commands and confirm that it's intentional:
    git show [COMMIT]
You can use `git rev-list --objects --all` to find the files.
To push these files, please run `git push -o nokeycheck`.
```

A rejected push does not remove the key from the local commit. Rewrite the commit so the file is no longer in history (and rotate the key if it has already been shared) rather than adding a deletion on top, because the deleted file would still be pushed as part of the earlier commit.
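The check described above runs on the server when the push arrives. As an added example (not Cloud Source Repositories' own code), the following Python script performs an equivalent scan locally before a push, so a key is caught before it leaves the developer's machine: it walks every object a push would send using the same `git rev-list --objects` traversal the rejection message points at, and applies the two detections listed on this page, PEM private-key headers and GCP service-account JSON. The regex, the function names and the sample inputs are this example's own assumptions; the samples are constructed, truncated, and not real keys.

```python
"""Local pre-push scan for the two key types Cloud Source Repositories blocks:
PEM-encoded private keys and GCP service-account JSON credentials.

Added example; it is not the Cloud Source Repositories implementation, and the
regex, function names and sample inputs below are this example's own choices.
"""
import json
import re
import subprocess
import sys

# PEM armor headers for private keys. Matches "BEGIN RSA PRIVATE KEY",
# "BEGIN PGP PRIVATE KEY BLOCK", unlabelled PKCS#8 "BEGIN PRIVATE KEY", etc.,
# but not "BEGIN PUBLIC KEY" or "BEGIN CERTIFICATE".
PEM_PRIVATE_KEY = re.compile(
    rb"-----BEGIN (?:(?:RSA|DSA|EC|OPENSSH|ENCRYPTED|PGP) )?PRIVATE KEY(?: BLOCK)?-----"
)


def scan_blob(path, data):
    """Return a list of findings (strings) for private keys in one file's bytes."""
    findings = []
    # Check 1: GCP service-account JSON. Only attempt a parse when the content
    # looks like a JSON object, so large binaries are not decoded needlessly.
    if data.lstrip().startswith(b"{"):
        try:
            doc = json.loads(data)
        except ValueError:  # includes JSONDecodeError and UnicodeDecodeError
            doc = None
        if (isinstance(doc, dict) and doc.get("type") == "service_account"
                and "private_key" in doc):
            email = doc.get("client_email", "client_email missing")
            findings.append(f"{path}: GCP service account credentials ({email})")
            return findings  # the embedded PEM key is implied by this finding
    # Check 2: PEM private-key headers anywhere in the bytes, with line numbers.
    for m in PEM_PRIVATE_KEY.finditer(data):
        line_no = data.count(b"\n", 0, m.start()) + 1
        findings.append(f"{path}:{line_no}: {m.group(0).decode()}")
    return findings


def git(*args):
    """Run a git command and return its stdout as bytes, raising on failure."""
    return subprocess.run(["git", *args], check=True, capture_output=True).stdout


def new_blobs(rev_range):
    """(sha, path) for every blob reachable from commits in rev_range.

    Walking objects rather than diffing the final tree catches a key that was
    committed and then deleted in a later commit of the same push.
    """
    blobs = []
    for line in git("rev-list", "--objects", rev_range).decode().splitlines():
        sha, _, path = line.partition(" ")
        # Commits carry no path; trees carry a path but are not blobs.
        if path and git("cat-file", "-t", sha).strip() == b"blob":
            blobs.append((sha, path))
    return blobs


def scan_range(rev_range):
    """Scan every blob that rev_range (for example '@{upstream}..HEAD') would push."""
    findings = []
    for sha, path in new_blobs(rev_range):
        findings.extend(scan_blob(f"{path} ({sha[:10]})", git("cat-file", "blob", sha)))
    return findings


# Constructed sample inputs (not real keys); the base64 bodies are truncated.
SAMPLE_RSA = (b"# deploy key\n-----BEGIN RSA PRIVATE KEY-----\n"
              b"MIIEowIBAAKCAQEA\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_PGP = b"-----BEGIN PGP PRIVATE KEY BLOCK-----\nlQOYBF\n-----END PGP PRIVATE KEY BLOCK-----\n"
SAMPLE_PUBLIC = b"-----BEGIN PUBLIC KEY-----\nMFkwEwYH\n-----END PUBLIC KEY-----\n"
SAMPLE_SERVICE_ACCOUNT = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBg\n-----END PRIVATE KEY-----\n",
    "client_email": "deployer@example-project.iam.gserviceaccount.com",
}).encode()


def demo():
    """Scan the constructed samples; returns {name: findings}."""
    return {
        "deploy.key": scan_blob("deploy.key", SAMPLE_RSA),
        "key.asc": scan_blob("key.asc", SAMPLE_PGP),
        "server.pub": scan_blob("server.pub", SAMPLE_PUBLIC),
        "sa.json": scan_blob("sa.json", SAMPLE_SERVICE_ACCOUNT),
    }


if __name__ == "__main__":
    # Usage: python keycheck.py [rev-range]; exits 1 when something would be blocked.
    rev_range = sys.argv[1] if len(sys.argv) > 1 else "@{upstream}..HEAD"
    found = scan_range(rev_range)
    for finding in found:
        print(finding)
    sys.exit(1 if found else 0)
```

Invoke it as `python keycheck.py @{upstream}..HEAD` from a git `pre-push` hook; a non-zero exit status aborts the push. The script walks objects instead of diffing the final tree because a key that was committed and then deleted within the same push is still transmitted to the server in the earlier commit.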
Before you begin
Select or create a GCP project.
Enabling security key detection
To enable security key detection for the current project, run the following commands:

```shell
gcloud init
gcloud source project-configs update --enable-pushblock
```

The setting is a project configuration, so it applies to pushes to every repository in the project rather than to a single repository.
Disabling security key detection
To disable security key detection for the current project, run the following commands:

```shell
gcloud init
gcloud source project-configs update --disable-pushblock
```
Overriding security key detection
To push data that security key detection would otherwise block, for example a test fixture that intentionally contains a throwaway key, pass the `nokeycheck` push option:

```shell
git push -o nokeycheck
```

The option applies only to that one push; the project setting stays enabled for later pushes. Use it only after confirming with `git show [COMMIT]` that every flagged file is intended to be public.
After you have set up a GCP repository, you might find the following topics helpful: