Avoid leaking secrets in git history #335
Unanswered
pythoninthegrass asked this question in Q&A
I had the exact same question. It's going to happen for sure. I see https://github.com/entireio/cli/blob/main/redact/redact.go so at least there's an inbuilt mechanism.
tl;dr: There is a builtin mechanism that uses gitleaks to redact transcripts. We launched with simple entropy-threshold-based redactions but added gitleaks in v0.4.3. All transcripts that are stored in the checkpoints branch run through the code that @markwharton linked to.
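The entropy-threshold style of redaction mentioned in the reply above, as an added Go sketch; it is not the project's redact.go and does not use gitleaks. The 4.5-bit threshold, the token pattern, the placeholder and the sample transcript are assumptions constructed for illustration. The second sample line shows the limit of entropy alone: a repetitive password scores low and passes through, which is the kind of case rule-based scanners are meant to catch.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
)

// Assumed values for this sketch; not taken from the project.
const (
	entropyThreshold = 4.5 // bits per character
	placeholder      = "REDACTED"
)

// candidate matches runs of 12+ characters typical of keys and tokens.
// '=' is excluded so that KEY=value splits and the key name survives.
var candidate = regexp.MustCompile(`[A-Za-z0-9+/_-]{12,}`)

// shannonEntropy returns the Shannon entropy of s in bits per character.
func shannonEntropy(s string) float64 {
	counts := map[rune]int{}
	n := 0
	for _, r := range s {
		counts[r]++
		n++
	}
	h := 0.0
	for _, c := range counts {
		p := float64(c) / float64(n)
		h -= p * math.Log2(p)
	}
	return h
}

// redactHighEntropy replaces candidate tokens whose entropy exceeds the threshold.
func redactHighEntropy(text string) string {
	return candidate.ReplaceAllStringFunc(text, func(tok string) string {
		if shannonEntropy(tok) > entropyThreshold {
			return placeholder
		}
		return tok
	})
}

func main() {
	// Constructed transcript; both values are made up for this example.
	transcript := "$ cat .env\nAPI_TOKEN=q7Zp2Xv9LmK4tR8sWd3Fh6Jb1Nc5Gy0A\nDB_PASSWORD=hunter2hunter2\n"
	fmt.Print(redactHighEntropy(transcript))
}
```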
Hi there.
Read the documentation site and didn't see any specifics regarding secrets from agent sessions getting uploaded to git history.
Oftentimes since Claude has access to the whole repo including gitignored files (.env, certs, etc), they'll get written to stdout locally.
This would be an issue if the transcript got committed without those secrets being redacted a la GitHub Actions.
Are there any builtin mechanisms to avoid leaking secrets or do you just recommend using something like gitleaks et al via pre-commit hooks? If it's the latter, I could imagine a lot of blocked commits on a regular basis.
Thanks!