Prevent Credential Leaks w/ Git Hooks

Introducing git-find, a CLI tool to scan for and prevent credential leaks. A replacement for AWS Git Secrets.
git
rust
cli tools
Published: November 22, 2025

Modified: November 23, 2025

Overview

I made a CLI tool in Rust that sets up pre-commit hooks and prevents credentials from being leaked in a repo. There are many tools like it, but I haven’t found any that can set up automated credential updates as easily. If there are tools out there that have that capability, please let me know! I think my tool is useful if you need to set up pre-commit hooks for beginner git users, but I am open to learning about other tools.

https://github.com/edenian-prince/rust-secrets

Comparison to AWS Git Secrets

git-secrets doesn’t work like I expect out of the box

After installing git-secrets and git-find, we can see that out of the box git-secrets doesn’t apply git hooks globally to existing repos. I have to manually adjust that on my own. That could be a good thing for experienced users that want local hooks first, but when we’re setting up hooks for new git users where the main concern is security leaks, we just want to apply the hooks to ALL of their repositories and not worry about them needing to potentially adjust their git settings.

To note, with git-secrets I added the provider like this:

git secrets --add-provider --global -- cat ./secrets_key

With git-find it’s just:

git-find add-provider --path /path/to/secrets.txt


git-find can auto update the secret provider

With git-secrets I had to remind my teammates to manually update their regex provider files every time there was a new addition. For example, our team would add a new server to our workflow and we would need to add a regex to the provider list in order to prevent that server name from being accidentally hardcoded into the git repo.

Relying on git newbies to update their hook files is a huge pain and a security risk. git-find does all of this automatically under the hood, and it lets you store your secrets file in a centralized location so that everyone on the team has access to the exact same hooks and receives updates automatically.

Under the hood, when you add a provider:

git-find add-provider --path /path/to/secrets.txt

It will prompt the user to set up auto updates if the provider is in a local git repo. If the user inputs Yes, it will run git pull /secrets/repo/ to pull the latest updates whenever the user runs git commit, ensuring that they have the latest security updates.
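The commit-time flow described above (refresh the shared provider repo, then check staged changes against its regexes), as an added sketch that is not git-find's own code. The provider format (one extended regex per line, `#` comments), the `PROVIDER_REPO` and `PROVIDER_FILE` variables, and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: sketch of a pre-commit hook, NOT git-find's actual code.
# Assumed provider format: one extended regex per line; blank lines and
# lines starting with '#' are ignored.

# Refresh the shared provider repo. A failed pull (offline, diverged) is
# not fatal: the hook still scans with the patterns already on disk.
refresh_provider() {
    git -C "$1" pull --ff-only --quiet 2>/dev/null ||
        echo "warning: provider update failed, using cached patterns" >&2
}

# Read a unified diff on stdin; print each added line matching a pattern.
# Returns 0 if clean, 1 on a match, 2 if the provider file is unusable
# (fail closed: a missing pattern list must not look like a clean scan).
scan_added_lines() {
    provider=$1
    [ -r "$provider" ] || { echo "cannot read $provider" >&2; return 2; }
    patterns=$(grep -Ev '^[[:space:]]*(#|$)' "$provider") || {
        echo "no patterns in $provider" >&2; return 2; }
    # Keep added lines only ('+...'), dropping the '+++ b/file' headers.
    hits=$(grep -E '^\+' | grep -Ev '^\+\+\+ ' | grep -E -e "$patterns") || true
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Run the hook body only when installed as .git/hooks/pre-commit.
if [ "${0##*/}" = "pre-commit" ]; then
    # Hypothetical locations for this sketch.
    PROVIDER_REPO=${PROVIDER_REPO:-$HOME/secrets-repo}
    PROVIDER_FILE=${PROVIDER_FILE:-$PROVIDER_REPO/secrets.txt}
    refresh_provider "$PROVIDER_REPO"
    git diff --cached --no-color -U0 | scan_added_lines "$PROVIDER_FILE" >&2
    rc=$?
    [ "$rc" -eq 0 ] || { echo "commit blocked (scan status $rc)" >&2; exit 1; }
fi
```

Only added lines are checked, so a commit that removes a previously hardcoded server name is not blocked by the removal itself.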

History scanning

This is still a work in progress. Eventually I want to make a script that puts the secret scan results in a dataframe where the user can easily parse for any security leaks in a repo.

In the past I had some issues with git-secrets scanning tools. Not sure why, but it would take forever to scan big repos. I think git-find has it sorted out, but it obviously doesn’t look faster here. I will continue to test and update this.