---
title: How Not To: security/secrets/git
tags: [security, secrets, git]
confessions: 1
updated: 2026-02-01T14:50:26.263Z
---

# Security/Secrets/Git: How Not To

When managing sensitive data like API keys and secrets in your source code, it's crucial to follow best practices to protect your applications and your users. Here are common pitfalls to avoid.

## Common Pitfalls

- **Hardcoding Secrets**: Placing API keys and other sensitive information directly in the source code.
- **Committing Secrets to Repositories**: Accidentally pushing code with unmasked secrets to public or shared repositories.
- **Ignoring `.gitignore`**: Forgetting to list files containing secrets (e.g., configuration files) in your `.gitignore`.
- **Using Plaintext Configurations**: Storing sensitive configurations in plaintext config files without adequate protections.
- **Neglecting Access Controls**: Failing to restrict access to repositories and server environments where secrets are stored.

## Do Instead

- **Use Environment Variables**: Store sensitive data in environment variables and read them at runtime from the process environment, so the values never appear in a file that is checked into the repository.

  ```bash
  export API_KEY='your_api_key_here'
  ```

- **Utilize Secret Management Tools**: Leverage tools like AWS Secrets Manager, HashiCorp Vault, or Azure Key Vault designed for secure storage and management of secrets.

- **Implement `.gitignore`**: Always add files containing sensitive information to your `.gitignore` to prevent accidental commits.

- **Use Encrypted Configurations**: If configuration files must be included, encrypt them and store decryption credentials securely, separate from the code.

- **Establish Access Policies**: Control who can access your repositories and environments. Grant permissions only to those who need them.

- **Regularly Audit Your Code**: Conduct periodic code reviews and use tools to scan for hardcoded secrets (e.g., GitGuardian, TruffleHog) to catch potential leaks early.
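  As an added example (not part of the original page, and not the code of GitGuardian or TruffleHog), here is a minimal scanner that checks only the lines a commit adds for a few well-known secret shapes and is suitable as the body of a `.git/hooks/pre-commit` hook. The pattern names, the `SAMPLE_DIFF` and the literal values in it are constructed for the demonstration; the `AKIA...EXAMPLE` key is the placeholder AWS uses in its own documentation.

  ```python
  """Pre-commit secret scan over staged changes (added lines only)."""
  import re
  import subprocess
  import sys

  # A few well-known secret shapes plus a generic "name = 'literal'" assignment.
  # Reading a value from the environment (API_KEY = os.environ["API_KEY"]) is not
  # flagged because the generic pattern requires a quoted literal after the '='.
  SECRET_PATTERNS = {
      "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
      "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
      "generic_assignment": re.compile(
          r"\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]",
          re.IGNORECASE,
      ),
  }

  def match_line(line):
      """Return the name of the first pattern that matches `line`, or None."""
      for name, pattern in SECRET_PATTERNS.items():
          if pattern.search(line):
              return name
      return None

  def added_lines_from_diff(diff_text):
      """Extract (path, added_line) pairs from unified-diff text, skipping removed
      and context lines so that pre-existing content does not block every commit."""
      path, added = None, []
      for line in diff_text.splitlines():
          if line.startswith("+++ "):
              path = line[4:].removeprefix("b/")
          elif line.startswith("+"):
              added.append((path, line[1:]))
      return added

  def scan_diff(diff_text):
      """Return (path, pattern_name, line) for every added line that looks like a secret."""
      return [(path, name, line) for path, line in added_lines_from_diff(diff_text)
              if (name := match_line(line))]

  def scan_staged():
      """Scan what `git add` has staged; run this from a pre-commit hook."""
      diff = subprocess.run(["git", "diff", "--cached", "--unified=0", "--no-color"],
                            capture_output=True, text=True, check=True).stdout
      return scan_diff(diff)

  # Constructed sample diff: a config file that hardcodes a (fake) key.
  SAMPLE_DIFF = """\
  diff --git a/config.py b/config.py
  --- a/config.py
  +++ b/config.py
  @@ -0,0 +1,2 @@
  +import os
  +API_KEY = 'abcdef1234567890'
  """

  if __name__ == "__main__":
      hits = scan_diff(SAMPLE_DIFF) if "--demo" in sys.argv else scan_staged()
      for path, name, line in hits:
          print(f"{path}: possible {name}: {line.strip()}", file=sys.stderr)
      sys.exit(1 if hits else 0)  # non-zero exit makes git abort the commit
  ```

  Note that the page's own `export API_KEY='your_api_key_here'` line is exactly what this flags: the literal belongs in the shell session or a secret manager, not in a committed profile or config file.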

By following these guidelines, you can help secure your applications and maintain the integrity of your development processes.
