You should never store security keys in a version-control system. Cloud Source Repositories can help you prevent users from storing security keys in a Google Cloud Platform (GCP) repository. Cloud Source Repositories can be set up to check for the following types of security keys:
- GCP service account credentials (JSON format)
- PEM-encoded private keys (including RSA, DSA, and PGP)
This checking feature is available for all repositories at no charge.
How the security-key checking feature works
When a user executes a
git push command, the checking feature looks for data
that might be a security key. If a match is found, the feature blocks the
push and notifies users what was found and where. For example:
The push has been rejected because we detect that it contains a private key. Please check the following commands and confirm that it's intentional: git show [COMMIT] You can use `git rev-list --objects --all` to find the files. To push these files, please run `git push -o nokeycheck`.
Before you begin
Select or create a GCP project.
Enable security key detection
To enable private key detection, use the following
gcloud init gcloud source project-configs update --enable-pushblock
Disable security key detection
To disable security key detection, use the following
gcloud init gcloud source project-configs update --disable-pushblock
Override security key detection
To override the security key detection feature, use the following
git push -o nokeycheck
After you set up a GCP repository, you might find the following topics helpful: