Avoid leaking secrets in git history #335
Hi there. Read the documentation site and didn't see any specifics regarding secrets from agent sessions getting uploaded to git history. Oftentimes since Claude has access to the whole repo including gitignored files (.env, certs, etc), they'll get written to stdout locally. This would be an issue if the transcript got committed without those secrets being redacted a la GitHub Actions. Are there any builtin mechanisms to avoid leaking secrets or do you just recommend using something like gitleaks et al via pre-commit hooks? If it's the latter, I could imagine a lot of blocked commits on a regular basis. Thanks!
Replies: 4 comments 2 replies
I had the exact same question. It's going to happen for sure. I see https://github.com/entireio/cli/blob/main/redact/redact.go so at least there's an inbuilt mechanism.
tl;dr: There is a builtin mechanism that uses gitleaks to redact transcripts. We launched with simple entropy-threshold-based redactions but added gitleaks in v0.4.3. All transcripts that are stored in the checkpoints branch run through the code that @markwharton linked to.
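An added example (not code from this thread or from entireio/cli) of what an entropy-threshold redaction pass over a transcript can look like. The 4.5 bits/char threshold, the token pattern, the `REDACTED` placeholder and the sample transcript are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
)

// Assumed value for this example; the thread does not state the project's own.
const entropyThreshold = 4.5 // bits per character

// candidate matches runs of 20+ base64-alphabet characters (assumed token shape).
var candidate = regexp.MustCompile(`[A-Za-z0-9+/]{20,}`)

// shannonEntropy returns the Shannon entropy of s in bits per character.
func shannonEntropy(s string) float64 {
	counts := map[rune]int{}
	total := 0
	for _, r := range s {
		counts[r]++
		total++
	}
	h := 0.0
	for _, c := range counts {
		p := float64(c) / float64(total)
		h -= p * math.Log2(p)
	}
	return h
}

// Redact replaces candidate tokens at or above the threshold and returns
// the cleaned transcript plus the number of replacements.
func Redact(transcript string) (string, int) {
	n := 0
	out := candidate.ReplaceAllStringFunc(transcript, func(tok string) string {
		if shannonEntropy(tok) < entropyThreshold {
			return tok // paths and hex hashes land here (hex tops out at 4 bits/char)
		}
		n++
		return "REDACTED"
	})
	return out, n
}

// sample is a constructed transcript; the token and path are made up.
const sample = "$ cat .env\nAPI_TOKEN=q7Zp2LxV9cRt4WmK8sYb3NdH6fJg1QaE\n" +
	"$ git rev-parse HEAD\nda39a3ee5e6b4b0d3255bfef95601890afd80709\n" +
	"$ ls internal/checkpoint/transcript/writer\n"

func main() {
	out, n := Redact(sample)
	fmt.Printf("%d redaction(s)\n%s", n, out)
}
```

With this threshold, hex-encoded values are never redacted, since 16 symbols give at most 4 bits per character.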
This discussion has been migrated to issue #375. Please continue the conversation there.
This discussion has been migrated to #375 and is now locked. Please use Issues for all new conversations going forward.