rb612

Reputation: 5583

GitHub public repo with sensitive information?

I'm developing a Python script but I need to include my public and secret Twitter API key for it to work. I'd like to make my project public but keep the sensitive information secret using Git and GitHub. Though I highly doubt this is possible, is there any way to block out that data in a GitHub public repo?

Upvotes: 0

Views: 1942

Answers (5)

Erik

Reputation: 125

You could store your api key and secret in a config file, such as config.py, then add that file to your .gitignore file, so that it doesn't get stored in your repo.

Inside config.py, store your key and secret:

```python
api_key = "TWITTER_KEY"
api_secret = "TWITTER_SECRET"
```

Inside of your existing Python file:

```python
import config  # the untracked config.py shown above

...
connection = twitter_connection(config.api_key, config.api_secret)
```


Add `config.py` to your `.gitignore` file:

`config.py`

Upvotes: 3

Ry-

Reputation: 225281

Split them out into a configuration file that you don’t include, or replace them with placeholders and don’t commit the actual values, using git add -p. The first option is better.

The configuration file could consist of a basic .py file, credentials.py, in which you define the needed private credentials in any structure you consider best (a dictionary would probably be the most suitable).

You can use the sensitive information by importing the structure in this file and accessing the contents. Other users using the code you have created should be advised to do so too.

The hiding of this content is eventually performed with your .gitignore file. In it, you simply add the filename in order to exclude it from being uploaded to your repository.

Upvotes: 7

shantanoo

Reputation: 3704

You can have a look at blackbox for storing sensitive information in your VCS (git/hg/p4/svn).

Suppose you have a VCS repository (i.e. a Git or Mercurial repo) and certain files contain secrets such as passwords or SSL private keys. Often people just store such files "and hope that nobody finds them in the repo". That's not safe.

With BlackBox, those files are stored encrypted using GPG. Access to the VCS repo without also having the right GPG keys makes it worthless to have the files. As long as you keep your GPG keys safe, you don't have to worry about storing your VCS repo on an untrusted server. Heck, even if you trust your server, now you don't have to trust the people that do backups of that server, or the people that handle the backup tapes!

Upvotes: 0

JGCW

Reputation: 1529

The Twitter API keys are usually held in a JSON file. So when you're uploading your repository you can modify the .gitignore file to hide the .json files. What this does is it will not upload those files to the git repository.

Your other option is obviously going for private repositories which will not be the solution in this case.

Upvotes: 1

Aasmund Eldhuset

Reputation: 38010

No. Instead, load the secret information from a file and add that file to .gitignore so that it will not be a part of the repository.

Upvotes: 5
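
Added example, not part of any answer above: the answers rely on .gitignore, which has no effect on a file that is already tracked, so this loader asks git whether the credentials file is tracked or ignored before reading it. The file name `credentials.json`, its `api_key`/`api_secret` fields and the environment variable names `TWITTER_API_KEY`/`TWITTER_API_SECRET` are assumptions made for the example.

```python
import json
import os
import subprocess
from pathlib import Path

# Placeholder strings from the config.py answer; never accept them as real keys.
PLACEHOLDERS = {"", "TWITTER_KEY", "TWITTER_SECRET"}


def git_state(path, run=subprocess.run):
    """Classify a file as 'tracked', 'ignored', 'exposed' or 'unknown'."""
    path = Path(path).resolve()

    def rc(*args):
        return run(["git", *args, "--", path.name], cwd=path.parent,
                   capture_output=True).returncode

    try:
        # A file that is already tracked stays in the repo and its history
        # even if .gitignore lists it later, so test for that first.
        if rc("ls-files", "--error-unmatch") == 0:
            return "tracked"
        code = rc("check-ignore", "-q")
    except OSError:  # git missing or directory absent
        return "unknown"
    # 0 = matched by an ignore rule, 1 = not ignored, 128 = not a repository
    return {0: "ignored", 1: "exposed"}.get(code, "unknown")


def load_credentials(path="credentials.json", env=os.environ, run=subprocess.run):
    """Return (api_key, api_secret) from the environment or an untracked file."""
    key, secret = env.get("TWITTER_API_KEY"), env.get("TWITTER_API_SECRET")
    if not (key and secret):
        state = git_state(path, run)
        if state in ("tracked", "exposed"):
            raise RuntimeError(f"{path} is {state}: fix .gitignore / untrack it")
        data = json.loads(Path(path).read_text())
        key, secret = data.get("api_key"), data.get("api_secret")
    if key in PLACEHOLDERS or secret in PLACEHOLDERS or not (key and secret):
        raise ValueError("credentials missing or still set to placeholders")
    return key, secret
```

A `tracked` result means the file has been committed at some point, so the keys should be treated as disclosed and regenerated, not just removed from the working tree.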
