Prevent sensitive data & credentials being committed


I've had to add sensitive data (database connection details, API keys etc) to files that can't be added to .gitignore many times. I do this by committing the file with variable placeholders...

$secret = 'XXXXXXXXXX';

...then use the following command to ignore my future changes:

git update-index --assume-unchanged /path/to/file

If I need to make a change to this file in the future, I can remove my credentials, use placeholders as above, and issue the following command to have changes tracked again:

git update-index --no-assume-unchanged /path/to/file

3 Responses
Add your response

Photo on 08.01.2013 at 04.15

It's only time when someone someone forgets assume-unchanged and commits his passwords. It should be probably used with some sort of init script or git's smudge and clean filters.

*.example files are the safest option I know so far.

over 1 year ago ·

Also .gitignore + *.example files are better for contributors. Lot of people do not know about --assume-unchanged.

But perfect for private repos! Thanks!

over 1 year ago ·

I bashed my head the whole day yesterday between .gitignore and .gitattributes, only to find --assume-unchaged here. Thank you!

over 1 year ago ·