Avoid commit and push sensative infomation
What are best practices for securely storing sensitive strings or secrets within a project
to prevent them from being committed to a GitHub repository by version control systems?
12 Replies
*
dotnet new gitignore
* User secrets instead of appsettings for secrets during dev
* Azure KeyVault/AWS SecretManager/k8s secrets or similar for productionSafe storage of app secrets in development in ASP.NET Core
Learn how to store and retrieve sensitive information during the development of an ASP.NET Core app.
GitHub
detect-secrets Action - GitHub Marketplace
Scans your GitHub repository for accidentally committed secrets, enhances code security, and aids in secret cleanup
We use something similar, except it's for Azure Dev Ops repos.
And I've accidentally committed secrets before we had it in place.
:catshy:
discord has something that scans all github repos for bot tokens. I accidentally pushed one and it was immediately invalidated and I got a message here on discord about it 🙂
wow, this was something I have been searching for. Thanks mate:)
yw
haha, yeah I just commited accidentally jwt secret key to a public repository.
that is why I'm looking for a way to avoid it in the future😂
regenerate and remove 🙂
Having the code read secrets from environment variables instead of config files or the like is a good way to help avoid that.
yeah that is true
Or just having config files outside of the repo
I myself just put some placeholder values in app settings (just to portray config structure) but actual configs are stored in the .env file on my server (my projects are deployed with docker-compose)