Secrets, such as credential files and SSH private keys, should never be committed to a version control
system. In GitLab, you can use a predefined list of files to block those files from a
repository. Any merge request containing a file matching the list is blocked from being merged.
Files already committed to the repository are not restricted by this push rule.

When you select the **Prevent pushing secret files** checkbox, GitLab rejects a push when a file
path matches one of the regular expressions read from
[`files_denylist.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/lib/gitlab/checks/files_denylist.yml)
(when viewing this file, make sure you are on the branch that matches your GitLab version).
The checkbox can be set globally in **Admin Area > Push Rules**, or per project in
**Settings > Repository > Push Rules**.

The kinds of files blocked by this rule are listed below. For the complete list of criteria, see
`files_denylist.yml`.

- AWS CLI credential blobs:
  - `.aws/credentials`
  - `aws/credentials`
  - `homefolder/aws/credentials`
- Private RSA SSH keys:
  - `/ssh/id_rsa`
  - `/.ssh/personal_rsa`
  - `/config/server_rsa`
  - `id_rsa`
  - `.id_rsa`
- Private DSA SSH keys:
  - `/ssh/id_dsa`
  - `/.ssh/personal_dsa`
  - `/config/server_dsa`
  - `id_dsa`
  - `.id_dsa`
- Private ed25519 SSH keys:
  - `/ssh/id_ed25519`
  - `/.ssh/personal_ed25519`
  - `/config/server_ed25519`
  - `id_ed25519`
  - `.id_ed25519`
- Private ECDSA SSH keys:
  - `/ssh/id_ecdsa`
  - `/.ssh/personal_ecdsa`
  - `/config/server_ecdsa`
  - `id_ecdsa`
  - `.id_ecdsa`
- Any files ending with these suffixes:
  - `*.pem`
  - `*.key`
  - `*.history`
  - `*_history`

### Prevent pushing secrets to all projects

To set a global push rule to prevent pushing secrets to all projects:

1. On the top bar, select **Menu > Admin**.
1. On the left sidebar, select **Push Rules**.
1. Expand **Push rules**.
1. Select **Prevent pushing secret files**.
1. Select **Save push rules**.

### Prevent pushing secrets to a project

The push rule of a project overrides the global push rule.

To prevent pushing secrets to a project:
1. On the top bar, select **Menu > Projects** and find your project.
1. On the left sidebar, select **Settings > Repository**.
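The path matching that the denylist described above performs can be made concrete with a small checker. The following is an added example, not GitLab's own code: its regular expressions are constructed approximations of the file categories listed on this page (AWS credential files, private SSH keys, `.pem`/`.key` files, history files), not the contents of `files_denylist.yml`, and the sample paths are constructed as well. Run as a script, it reports which paths of a hypothetical push would be rejected.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    category: str
    pattern: re.Pattern


# Constructed approximations of the file categories listed on this page.
# These are NOT the patterns from GitLab's files_denylist.yml; they exist
# only to make the matching behaviour concrete. Paths are normalized to
# forward slashes first so the rules also apply to Windows-style paths.
RULES: List[Rule] = [
    # .aws/credentials, aws/credentials, homefolder/aws/credentials
    Rule("AWS CLI credential blob", re.compile(r"(?:^|/)\.?aws/credentials$")),
    # id_rsa, .id_rsa, /ssh/id_rsa, /.ssh/personal_rsa, /config/server_ecdsa, ...
    # (a basename of the form <name>_<algorithm>, with an optional leading dot)
    Rule("private SSH key", re.compile(r"(?:^|/)\.?[\w-]+_(?:rsa|dsa|ed25519|ecdsa)$")),
    # *.pem and *.key
    Rule("PEM or key file", re.compile(r"\.(?:pem|key)$")),
    # *.history and *_history
    Rule("shell history file", re.compile(r"(?:\.|_)history$")),
]


def normalize(path: str) -> str:
    """Turn a repository path into the form the rules expect."""
    path = path.replace("\\", "/")
    if path.startswith("./"):
        path = path[2:]
    return path


def classify(path: str) -> Optional[str]:
    """Return the denylist category a path falls into, or None if it is allowed."""
    normalized = normalize(path)
    for rule in RULES:
        if rule.pattern.search(normalized):
            return rule.category
    return None


def check_push(paths: List[str]) -> List[Tuple[str, str]]:
    """Return (path, category) for every path a push-rule check would reject."""
    rejected = []
    for path in paths:
        category = classify(path)
        if category is not None:
            rejected.append((path, category))
    return rejected


if __name__ == "__main__":
    # Constructed sample of paths in a hypothetical push: three are secrets.
    sample = [
        "README.md",
        "src/main.py",
        "homefolder/aws/credentials",
        "deploy/.ssh/personal_ed25519",
        "certs/server.pem",
        "keys/id_rsa.pub",  # public half of a key pair; not in the listed categories
    ]
    for path, category in check_push(sample):
        print(f"rejected: {path} ({category})")
```

Because the server-side rule does not cover files that are already committed, the same checker is useful as a local pre-commit step fed with the output of `git diff --cached --name-only`, so a key is caught before it ever reaches a remote. Note what path-based matching cannot do: a secret pasted into an innocuously named file such as `config.yml` passes every rule above, which is why this push rule complements, rather than replaces, content-based secret scanning.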