whatisgithub

What is git-secrets?

awslabs/git-secrets — explained in plain English

Analysis updated 2026-06-24

13,303ShellAudience · developerComplexity · 2/5Setup · easy

In one sentence

A tool from AWS Labs that blocks you from accidentally committing passwords or AWS credentials to git by scanning each commit before it is saved.

Mindmap

mindmap
  root((repo))
    What it does
      Block secret commits
      Pre-commit hook scan
      AWS credential patterns
    Installation
      Homebrew on macOS
      Makefile on Linux
      PowerShell on Windows
    Features
      Custom patterns
      Allowlist for test keys
      Full history scan
      Global template
    Use Cases
      AWS key protection
      Pre-public repo audit
      Team-wide enforcement
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Prevent AWS access keys, secret access keys, and account IDs from being committed to any git repository.

USE CASE 2

Scan a repository's full commit history before making it public to check for any previously leaked credentials.

USE CASE 3

Add your own custom regex patterns to block company-specific secrets like database passwords or internal API tokens.

USE CASE 4

Configure a global git template so every new repository you create or clone automatically gets secret-scanning hooks.

What is it built with?

ShellGit hooksHomebrew

How does it compare?

awslabs/git-secretspowerlevel9k/powerlevel9khq450/fancyss
Stars13,30313,42413,541
LanguageShellShellShell
Setup difficultyeasymoderatemoderate
Complexity2/52/53/5
Audiencedeveloperdevelopergeneral

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 5min

Must be initialized separately inside each repository you want to protect, this per-repo setup step is easy to overlook.

So what is it?

git-secrets is a command-line tool from AWS Labs that prevents passwords and other sensitive values from being committed to a git repository. It works by installing hooks directly into a git repository so that each commit, commit message, and certain merges are checked against a set of forbidden patterns before they are accepted. If anything matches, the commit is blocked and the offending text is reported. After installing the program on your system (via Homebrew on macOS, a Makefile on Linux, or a PowerShell script on Windows), you must run a separate setup command inside each repository you want protected. The README highlights this as a step people frequently overlook. The hooks it installs cover three points in the commit process: just before the commit is made, when the commit message is written, and when a merge brings in new history. Because git-secrets was built at AWS, it includes a ready-made set of patterns for Amazon Web Services credentials. A single command registers checks for AWS access key IDs, secret access keys, account IDs, and Bedrock API keys, and it also reads the actual credential values stored in your local AWS credentials file so those specific keys are blocked too. The documentation notes that these patterns catch most instances of AWS credentials but not all, and treats the tool as an extra layer of protection rather than a complete guarantee. You can also add your own patterns, either as regular expressions you write by hand or by pointing git-secrets at a custom program that outputs a list of patterns. Patterns you trust can be explicitly allowed to avoid false alarms on example keys or test values. For repositories that are being prepared to go public, git-secrets can scan the full commit history, not just the most recent changes. You can also configure a global template so that every new repository you create or clone automatically gets the hooks installed.

Copy-paste prompts

Prompt 1
I just installed git-secrets. Walk me through setting it up in my existing Python project repo to block AWS credentials and any personal API tokens I specify.
Prompt 2
How do I use git-secrets to scan the entire commit history of my repo before I make it public on GitHub?
Prompt 3
I want git-secrets to run automatically on every new git repo I create or clone. How do I set up the global git template?
Prompt 4
Add a custom git-secrets pattern to block any string matching the format MYCO-[A-Z0-9]{32} from being committed.

Frequently asked questions

What is git-secrets?

A tool from AWS Labs that blocks you from accidentally committing passwords or AWS credentials to git by scanning each commit before it is saved.

What language is git-secrets written in?

Mainly Shell. The stack also includes Shell, Git hooks, Homebrew.

How hard is git-secrets to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is git-secrets for?

Mainly developer.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.