How Can We Prevent Accidental Commit of AWS Credentials?

Asked By CleverFrog42 On

Our team has been struggling with accidentally pushing AWS credentials to production. This problem has occurred three times this month despite our efforts to be cautious. We've experimented with various tools, but post-commit hooks are ineffective since the mistakes have already been made. While IntelliJ offers some detection features, it's not comprehensive enough to catch everything. We're considering implementing pre-commit hooks and IDE plugins, but many solutions we've tried are either too noisy or fail to identify common patterns. Any advice on effective strategies or tools to intercept these mistakes before they happen?

5 Answers

Answered By SecurityNinja On

You might want to check out Snyk. It can fail builds if secrets are detected, ensuring that no one pushes code that has those credentials. Also, consider rotating your credentials frequently and training your team on best practices for handling sensitive information.

Answered By DevOpsExpert On

Implementing a pre-receive hook worked well in my company for detecting issues right before the commit is accepted. While it may cause some false positives, it’s a good solution if set up properly. Also, regularly educate your team on secret management to improve compliance.

Answered By TechWhiz89 On

First off, it’s crucial to ask why you have secrets in your code at all. Ideally, you should be using services like Secrets Manager or Parameter Store to keep your secrets out of the code base entirely. If you’re constantly committing secrets, you might need to reconsider your workflow and hiring decisions in your team.

Answered By CodeCleaner22 On

For prevention, integrate tools like TruffleHog or GitLeaks into your pre-commit hooks. They can scan your codebase for secrets before they're committed. Additionally, if you're using GitHub, enable advanced security features to catch these issues pre-commit. Just remember, the ultimate fix is to not have these secrets in the code at all.
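An added example, not code from any of the answers above, that puts the server-side pre-receive hook DevOpsExpert describes and the client-side pre-commit hook CodeCleaner22 suggests into one bash script. The function names (`scan_text`, `added_lines`, `pre_commit_hook`, `pre_receive_hook`), the two regular expressions and the `secrets-allow` marker are this example's own assumptions; the only AWS-specific facts it relies on are that long-term access key IDs start with `AKIA` and STS temporary ones with `ASIA`. The sample input is constructed from AWS's documented placeholder key pair. It scans only the lines a commit adds, which keeps the noise the question complains about down.

```bash
#!/usr/bin/env bash
# Hypothetical git hook that refuses commits/pushes introducing AWS credentials.
# Added example for this thread, not code from any answer; the regexes and the
# "secrets-allow" marker are this example's own assumptions.
#
# Install: copy to .git/hooks/pre-commit (client side) and/or to hooks/pre-receive
# in the bare repository on the server; the case at the bottom dispatches on $0.

# Long-term access key IDs start with AKIA, STS temporary ones with ASIA, followed
# by 16 uppercase alphanumerics. Requiring a non-alphanumeric (or line edge) on
# both sides avoids matching inside longer identifiers.
AWS_KEY_ID_RE='(^|[^A-Za-z0-9])(AKIA|ASIA)[0-9A-Z]{16}([^A-Za-z0-9]|$)'

# Secret access keys are 40 base64-ish characters. Bare 40-char blobs are noisy
# (commit SHAs, hashes), so require an assignment whose name contains "secret".
AWS_SECRET_RE="[Ss][Ee][Cc][Rr][Ee][Tt][A-Za-z_]*[[:space:]]*[=:][[:space:]]*[\"']?[A-Za-z0-9/+]{40}([\"'[:space:]]|\$)"

# Lines carrying this marker are skipped (documented placeholders, test fixtures).
# Code review must treat the marker itself as something to question.
ALLOW_MARKER='secrets-allow'

# scan_text: read text on stdin, print offending lines to stdout, return 1 if any.
scan_text() {
  local hits
  hits=$(grep -E -e "$AWS_KEY_ID_RE" -e "$AWS_SECRET_RE" | grep -v -- "$ALLOW_MARKER" || true)
  if [ -n "$hits" ]; then
    echo 'Blocked: possible AWS credential in added lines:' >&2
    printf '%s\n' "$hits"
    return 1
  fi
  return 0
}

# added_lines: reduce a unified diff on stdin to the text of its added lines,
# dropping the "+++ b/file" headers. Only new content is scanned, so a key that
# already sits in history does not block every later commit (rotate it instead).
added_lines() {
  grep -E '^\+' | grep -vE '^\+\+\+ ' | sed 's/^+//'
}

# Client side: scan what is staged. A developer can skip this with
# "git commit --no-verify", which is why the server-side hook below exists.
pre_commit_hook() {
  git diff --cached --unified=0 --no-color | added_lines | scan_text
}

# Server side: stdin carries "old-sha new-sha refname" per updated ref. The
# commits already exist locally, but the push is rejected before anyone can fetch.
pre_receive_hook() {
  local old new ref rc=0
  local zero='0000000000000000000000000000000000000000'
  while read -r old new ref; do
    [ "$new" = "$zero" ] && continue          # ref deletion: nothing to scan
    if [ "$old" = "$zero" ]; then
      # New ref: scan only commits not already reachable from existing refs.
      git log -p --unified=0 --no-color "$new" --not --all | added_lines | scan_text || rc=1
    else
      git log -p --unified=0 --no-color "$old..$new" | added_lines | scan_text || rc=1
    fi
  done
  return "$rc"
}

# Constructed sample input for a stand-alone run: AWS's documented example key
# pair, a commit SHA that is also 40 characters long, and an allowlisted fixture.
SAMPLE_INPUT='AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
pinned_commit = a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
FIXTURE_KEY=AKIAIOSFODNN7EXAMPLE  # secrets-allow: documented placeholder'

# demo: runs scan_text over SAMPLE_INPUT; prints the two real hits and returns 1.
demo() {
  printf '%s\n' "$SAMPLE_INPUT" | scan_text
}

case "${0##*/}" in
  pre-commit)  pre_commit_hook ;;
  pre-receive) pre_receive_hook ;;
  demo)        demo ;;
esac
```

Copied to `.git/hooks/pre-commit` the script blocks the staged change; copied to `hooks/pre-receive` on the server it blocks the push; copied to a file named `demo` it prints the key ID and secret from the sample while leaving the commit SHA and the marked fixture alone. The pre-commit hook is a convenience that any developer can bypass, so the pre-receive hook is the control that actually enforces the policy. A blocked push still leaves the credential in the developer's local history, and a credential that reached a shared branch even briefly should be treated as compromised and rotated rather than merely removed.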

Answered By CloudGuru77 On

Consider using roles instead of managing user credentials. This approach avoids the hassle of having hardcoded credentials. Even if you’re moving to IAM roles, be sure to cover the gaps in your legacy systems while transitioning.

