Key Takeaways

  • The .gitignore file: The most important file in your project. Ensure `.env`, `*.key`, and `node_modules` are in here.
  • Secret Scanning: Use tools like Trivy or GitGuardian to scan your code BEFORE you push it.
  • Signed Commits: Use a GPG key to sign your commits. This proves the commit came from you (the holder of the key), not from someone impersonating you.

Uber was hacked because a contractor had admin credentials hard-coded in a PowerShell script. All it takes is one bad commit.

Preventing Leaks

1. Never hardcode secrets. Use Environment Variables (`process.env.API_KEY`).
2. Use Pre-commit hooks. Install `husky` or `talisman` to automatically check your code for secrets every time you type `git commit`.
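As an added illustration of step 2 (example code, not from the original page and not part of husky or talisman), here is a minimal pre-commit hook in Python that scans only the staged diff for credential shapes and for files that belong in `.gitignore`. The patterns, the `scan_diff`/`main` names and the sample diff are assumptions constructed for this example.

```python
import re
import subprocess

PATTERNS = {  # credential shapes to flag (constructed for this example; not exhaustive)
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "secret_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"]?[^'\"\s]{8,}"),
}
FORBIDDEN_PATHS = re.compile(r"(^|/)\.env(\..+)?$|\.(pem|key|p12)$")  # belongs in .gitignore

def scan_diff(diff_text: str) -> list:
    """Return (path, new_line_no, reason) for each suspicious *added* line in a unified diff."""
    findings, path, line_no = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ b/"):      # file header: the hunks that follow belong to this path
            path, line_no = raw[6:], 0
            if FORBIDDEN_PATHS.search(path):
                findings.append((path, 0, "forbidden file staged"))
        elif raw.startswith("@@"):        # hunk header "@@ -a,b +c,d @@": c is the first new line
            line_no = int(re.search(r"\+(\d+)", raw).group(1)) - 1
        elif raw.startswith("+"):         # added line: the only content the hook has to judge
            line_no += 1
            findings += [(path, line_no, n) for n, rx in PATTERNS.items() if rx.search(raw[1:])]
        elif raw.startswith(" "):         # unchanged context line still advances the counter
            line_no += 1
    return findings

# Constructed sample of `git diff --cached --unified=0` output (fake values, not real credentials).
SAMPLE_DIFF = """\
+++ b/config.py
@@ -0,0 +1,3 @@
+DB_HOST = "localhost"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+password = "hunter2hunter2"
+++ b/.env
@@ -0,0 +1 @@
+API_KEY=abc
"""

def main() -> int:
    # Pre-commit entry point: scan only what is staged; a non-zero exit aborts the commit.
    diff = subprocess.run(["git", "diff", "--cached", "--unified=0"],
                          capture_output=True, text=True, check=False).stdout
    hits = scan_diff(diff)
    for path, n, why in hits:
        print(f"{path}:{n}: possible secret ({why}); commit blocked")
    return 1 if hits else 0

if __name__ == "__main__":
    raise SystemExit(main())
```

Save it as an executable `.git/hooks/pre-commit` or call it from your hook manager; because it reads `git diff --cached`, it judges exactly what is about to be committed and nothing else.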

Cleaning up a Mess

If you accidentally commit a password, IT IS COMPROMISED FOREVER. Even if you delete it in the next commit, it remains in the Git History. You must:
1. Revoke/Rotate the key immediately.
2. Use `git filter-repo` to rewrite history and remove the file from all past commits (difficult and dangerous).

Branch Protection Rules

On GitHub, enable "Branch Protection" for `main`. Require at least 1 Pull Request Review before merging. This prevents junior developers (or tired senior developers) from breaking production.

Frequently Asked Questions (FAQ)

What is "Code Owners"?
A file (`CODEOWNERS`) that defines who is responsible for which folders. It automatically requests their review when files in their area are changed.
Are Private Repos safe?
Safer, but not safe. If an employee's laptop is stolen, the private code is exposed. Always treat code as if it were public.
