git-secrets is a command-line tool developed by AWS Labs that prevents developers from accidentally committing passwords, API keys, and other sensitive credentials into git repositories. Written primarily in Shell, the tool integrates directly with git's hook system to scan commits before they are finalized, blocking any changes that match configured patterns for secrets.
The core functionality revolves around pattern matching using regular expressions. When a commit is attempted, git-secrets scans the commit contents, commit messages, and non-fast-forward merge histories against a set of prohibited patterns. If a match is found, the commit is rejected and the matched text is reported to the developer. The tool supports multiple scanning modes including scanning individual files, directories recursively, the entire repository history, cached files in the git index, untracked files, and content from stdin.
Installation varies by platform. On Unix-like systems including Linux and macOS, users can place the tool in their PATH or use Homebrew for macOS. Windows users run a provided PowerShell installation script that copies necessary files to a default directory and updates the system PATH. Once installed, developers run the install command to set up git hooks for specific repositories, after which secret scanning happens automatically on commit attempts.
The tool provides specialized support for AWS credentials through the register-aws command, which adds pattern detection for AWS Access Key IDs, Secret Access Keys, account IDs, Amazon Bedrock API keys, and credentials stored in the standard AWS credentials file at ~/.aws/credentials. The patterns detect both long-lived and short-lived credentials, and the tool includes allowlisting for example AWS keys to prevent false positives. However, the documentation explicitly notes that these patterns are not guaranteed to catch all instances of AWS credentials, positioning git-secrets as an additional layer of security rather than a complete solution.
Beyond built-in patterns, git-secrets supports custom secret providers through the add-provider command, allowing organizations to register executable commands that output additional prohibited patterns. This extensibility enables integration with organization-specific secret detection logic. Users can also manually add custom prohibited or allowed patterns, with options to treat patterns as literal strings rather than regular expressions.
According to GitGenius activity tracking, the repository shows relatively slow issue and pull request response latency, with a median response time of approximately 5021.7 hours and a mean of 9494.5 hours across nine tracked items. The most active contributors tracked include LurkAndLoiter, alvincrespo, and cbarreholm, each with two recorded events. The repository shares contributors with major projects including Microsoft's VSCode and TypeScript implementations, as well as the Rust language project, indicating its use within significant development ecosystems.
The tool is classified across numerous security and development workflow categories including codebase protection, pre-commit hooks, sensitive data filtering, credentials scanning, compliance tooling, and security auditing. This broad classification reflects its role as a foundational security enforcement mechanism for development teams seeking to prevent credential leaks at the point of commit.